Another vulnerability in the same Windows component was abused by Stuxnet a decade ago
A vulnerability in a decades-old Windows component that controls printing on machines running the operating system could be abused by malicious actors to gain elevated privileges on the targeted system, according to security researchers Yarden Shafir and Alex Ionescu.
The flaw, which they dubbed PrintDemon, resides in Windows Print Spooler and affects all Windows versions since Windows NT4.0, released in 1996. The component has remained largely unchanged since; another vulnerability affecting it was abused by the infamous Stuxnet a decade ago.
“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said Microsoft. Windows 7, 8.1, 10, and Windows Server 2008, 2012, 2016, and 2019 all contained the vulnerability.
Attackers can exploit CVE-2020-1048 with a single PowerShell command:
Add-PrinterPort -Name c:windowssystem32ualapi.dll
On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*.
See https://t.co/9yMSWNM8VG for more details.
— Alex Ionescu (@aionescu) May 13, 2020