by Mitja Kolsek, the 0patch Team
Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1048, a privilege elevation vulnerability allowing a local non-admin attacker to create an arbitrary file in an arbitrary location.
This vulnerability was patched by Microsoft with May 2020 Updates, but Windows 7 and Server 2008 R2 users without Extended Security Updates remained vulnerable.
Last week, security researchers Yarden Shafir and Alex Ionescu published a detailed analysis of the vulnerability they dubbed "PrintDemon", including a proof-of-concept for Windows 8 and later Windows versions.
PrintDemon allows a low-privileged user to create a printer port pointing to a file, and then print to that port. If the user has insufficient permissions for writing to said file, Print Spooler service will do that as Local System upon computer restart.
Microsoft's patch added a couple of checks in the code for creating a printer port:
- custom port (one without '/' or '\') is allowed,
- named pipe port and file port is allowed if user has read/write permissions on it.
Our micropatch does logically the same:
Here's a video of our micropatch in action:
Thanks to Yarden Shafir and Alex Ionescu for an excellent writeup and POC for this issue, which allowed us to create a micropatch for Windows users without security updates.