The Gift that Keeps Giving to Attackers?


“This behavior, which dates back to Windows NT 4, is apparently by design and will not be remediated”

The patch for a severe privilege escalation vulnerability in Windows issued in May by Microsoft was bypassed within days and has had to be fixed again in August’s Patch Tuesday batch of software updates from Redmond.

May’s so-called PrintDemon bug in the Windows Print Spooler service lets an attacker — able to execute low-privileged code on a machine — establish a persistent backdoor, then return at any point and escalate privileges to SYSTEM.

The exploit involves a few short PowerShell commands and once the backdoor is set up, it will persist even after a patch for the vulnerability has been applied, as a detailed blog by the ZDI’s Simon Zuckerbraun notes.

The issue is one that should be firmly on the radar of CISOs, owing to the persistence of the privilege escalation, numerous detailed write-ups/PoCs, and the seemingly endless enterprise challenge of basic patching hygiene. (Known software security flaws allowed local network penetration at 39% of companies, according to a review of Positive Technologies’ pen testing engagements in 2019.)

The latest fix comes with attribution to seven separate security teams: this bug is on a lot of radars — no doubt increasingly criminal ones too.

 

[Figure: Software in which known security flaws allowed network access. Source: Positive Technologies]

The PrintDemon attack was first allocated CVE-2020-1048 and credited to Peleg Hadar and Tomer Bar of SafeBreach Labs. It involves a bug in Microsoft’s print spooler — an aging application that manages the printing jobs.

As Yarden Shafir and Alex Ionescu noted in a detailed write-up in May, “Because the Spooler service, implemented in Spoolsv.exe, runs with SYSTEM privileges, and is network accessible, these two elements have drawn people to perform all sorts of interesting attacks” — many of which have worked and resulted in hardening by Microsoft. As they noted, however, “there remain a number of logical issues, that one could call downright design flaws which lead to some interesting behavior…”

CVE-2020-1048 lets an attacker bypass existing safety mechanisms in two ways.

1) Tests to ensure users creating a port have write access to the requested file take place in a UI component, whereas PowerShell’s Add-PrinterPort does not contain the security check offered by the original UI client;

2) as Zuckerbraun notes of the second safety check at print time: “Spooled print jobs persist over reboots… If a reboot has intervened, so that the original token associated with the print job is no longer available, then the Print Spooler executes the job using a token associated with the process’s identity of SYSTEM… this behavior, which dates back to Windows NT 4, is apparently by design and will not be remediated.”
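A defender's check for the behaviour described above, as an added example that is not from the original article or the researchers' write-ups: because the bug lets a printer port point at a file, it flags printer ports whose name is a filesystem path and lists the printers bound to them. The function names, the path heuristic and the sample port and printer names are assumptions constructed for illustration.

```powershell
# Added example: audit printer ports whose name is a filesystem path.
# Function names and the heuristic are illustrative assumptions.

function Test-FilePathPort {
    param([Parameter(Mandatory)][string]$PortName)
    # Matches a drive-letter path (C:\...) or a UNC path (\\host\share\...).
    # Ordinary ports such as LPT1:, COM1:, FILE:, PORTPROMPT: or USB001 do not match.
    return $PortName -match '^(?:[A-Za-z]:[\\/]|\\\\[^\\]+\\)'
}

function Get-SuspiciousPrinterPort {
    param([string[]]$PortName, [object[]]$Printer = @())
    foreach ($name in $PortName) {
        if (-not (Test-FilePathPort -PortName $name)) { continue }
        # Printers bound to the port show how a job could reach the file.
        $bound = @($Printer | Where-Object { $_.PortName -eq $name })
        [pscustomobject]@{
            PortName     = $name
            # Targets under the Windows or Program Files trees get priority.
            SystemTarget = $name -match '^[A-Za-z]:[\\/](Windows|Program Files)'
            Printers     = ($bound.Name -join ', ')
        }
    }
}

# Constructed sample data (not taken from a real host).
$samplePorts = @(
    'LPT1:', 'FILE:', 'PORTPROMPT:', 'USB001', 'IP_192.0.2.10',
    'C:\Windows\System32\example.dll', 'C:\Users\alice\out.txt'
)
$samplePrinters = @(
    [pscustomobject]@{ Name = 'Constructed Printer'
                       PortName = 'C:\Windows\System32\example.dll' }
)
Get-SuspiciousPrinterPort -PortName $samplePorts -Printer $samplePrinters |
    Format-Table -AutoSize

# On a Windows host with the PrintManagement module, audit the live ports too.
if (Get-Command Get-PrinterPort -ErrorAction SilentlyContinue) {
    Get-SuspiciousPrinterPort -PortName @((Get-PrinterPort).Name) `
                              -Printer @(Get-Printer) |
        Format-Table -AutoSize
}
```

A file-path port is not proof of compromise, since some software legitimately prints to a file; treat each hit as something to explain, and review any jobs still queued on the listed printers.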

Just 13 days after the May patch, a security researcher reported a bypass to the ZDI’s bug bounty programme that demonstrated how Microsoft’s fix fundamentally failed to prevent exploitation of the vulnerability.

(This popped up in August’s Patch Tuesday as CVE-2020-1337; like the earlier PrintDemon bug, it has a CVSS score of 7 that may tempt those patching to de-prioritise it: something that’s probably entirely wise.)

As Microsoft described it: “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

A sweeping range of recent Windows 10, 8, and Server iterations are affected and a proof-of-concept is alive and kicking. While the attack may seem a little esoteric and frankly unnecessary for most given easier ways of getting access, for CISOs protecting sensitive environments, it’s the kind of persistent, nagging headache of a vulnerability that should be high on security teams’ radars.

More granular details on CVE-2020-1337 are here. On CVE-2020-1048 here.