Bug in Windows Printing Service Can Let Hackers Take Over Systems

Two researchers from SafeLabs have found vulnerabilities in Windows Print Spooler, the printing software Windows uses to print files. Although Microsoft had already pushed an update to patch an earlier bug, the researchers found a way to bypass the patch and take over the target system with admin-level privileges.

Bug in Windows Printing Service Gives Attackers Admin Privileges

Two researchers, Tomer Bar and Peleg Hadar, have found bugs in Windows Print Spooler, a service that manages a computer's print jobs. The initial bug, tracked as CVE-2020-1048, was discovered and patched in May through Microsoft's Tuesday update. The bug could let attackers run code on a host machine with elevated privileges.

More specifically, the researchers succeeded in altering the .SHD (shadow data) and .SPL (spool) files, which contain, respectively, the metadata belonging to a print job and the actual data to be printed. They dissected the inner workings of Windows Print Spooler to learn how it operates and discovered a way to bypass its limits.

Here, they found ProcessShadowJobs, a process that handles the .SHD files when the system is restarted. Moreover, the Print Spooler was found to run with admin privileges even though the data fed into the .SHD and .SPL files comes from a basic user. Thus, if the Print Spooler can be tricked with fake files into starting that processing, attackers can gain access and even execute malicious code on the host system.

Spooler Vulnerability from Safebreach

They proved this by feeding a malicious SHD file into the print spooler to plant an arbitrary DLL (wbemcomn.dll). The DLL was loaded by the system when it restarted, giving the researchers admin privileges, since the file was written to the System32 folder. More importantly, it was picked up by other Windows services too, as they didn't verify the signature but loaded the malicious DLL from a nonexistent path!

This technique is no longer valid, as Microsoft shipped patches in its May monthly Tuesday update. But the same researchers have found a way to bypass the patch and achieve the same privileges! This second vulnerability, tracked as CVE-2020-1337, will receive a patch on August 11th, when Microsoft sends the August Tuesday update.
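
For defenders, the two artifacts described above (spool files supplied by a basic user, and a wbemcomn.dll that services load without checking its signature) can be reviewed on a host with a short script. This is an added example, not code from the researchers or from Microsoft; it assumes the default spool folder `System32\spool\PRINTERS` and an elevated PowerShell session.

```powershell
# Added defensive check, not part of the original research.
# Assumptions: default spool folder location; DLL name taken from the article.
$sys32    = Join-Path $env:SystemRoot 'System32'
$spoolDir = Join-Path $sys32 'spool\PRINTERS'

# 1. Every copy of wbemcomn.dll under System32, with its signature status.
#    A copy that is unsigned, or not signed by Microsoft, deserves a closer look.
$dlls = Get-ChildItem -Path $sys32 -Filter 'wbemcomn.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        [pscustomobject]@{
            Path       = $_.FullName
            CreatedUtc = $_.CreationTimeUtc
            Status     = $sig.Status
            Signer     = $signer
            Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        }
    }

# 2. Shadow (.SHD) and spool (.SPL) files waiting to be processed at the next
#    spooler start, with the account that owns each file.
$jobs = Get-ChildItem -Path $spoolDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.SHD', '.SPL' } |
    ForEach-Object {
        [pscustomobject]@{
            File         = $_.Name
            Owner        = (Get-Acl -LiteralPath $_.FullName).Owner
            LastWriteUtc = $_.LastWriteTimeUtc
            SizeBytes    = $_.Length
        }
    }

'--- wbemcomn.dll copies under System32 ---'
$dlls | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap

'--- pending spool files ---'
$jobs | Sort-Object LastWriteUtc | Format-Table -AutoSize

# Non-zero exit code so the script can feed a scheduled check or an EDR task.
if ($dlls | Where-Object Suspicious) { exit 1 } else { exit 0 }
```

Spool files left behind by ordinary print jobs are normal, so the second table is context for review rather than an alert on its own.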
