PrintDemon: Old Windows component and gateway for hackers

May 27, 2020

In a recently published report, two cybersecurity researchers described their discovery of a subtle bug lurking within an old Windows Operating System component, the one responsible for the default printing processes and functions on PCs (Personal Computers).

For a little nostalgia: anyone familiar with the older Windows Operating Systems will be well acquainted with how this component works.

The bug, codenamed PrintDemon, lives in the Windows Print Spooler, the system service that sends data to be printed to a USB (Universal Serial Bus) or parallel port for physically connected printers, to a TCP (Transmission Control Protocol) port for network printers, including those reached over the internet, and to a local file for print jobs that users save for later.

The researchers classify the PrintDemon loophole as an LPE, a Local Privilege Escalation: an attacker who can already run code on the machine abuses this component and hijacks the Windows Print Spooler's mechanism. The technique is quiet and does not by itself allow a remote break-in to a Windows machine, but once an attacker has a foothold, a simple piece of code or a single command is all that is needed to gain full access.

Once the hacker is inside the Windows machine, all it takes is a single PowerShell command and voila! He immediately gains admin-level privileges over the entire device and its operating system. This is made possible by the Print Spooler service and the way it was designed to function.

The Print Spooler service is designed to be usable by any Windows application that wants to start a printing operation, without any restrictions. This lets the hacker submit a print job whose output is written to a file, for example a DLL (Dynamic Link Library) used by Windows or by another application.

The hacker can deliberately crash the printing operation after submitting the job and leave the spooler to restart and resume it. This time around, the print operation runs with the Print Spooler's "system" privileges, which means it can overwrite any file anywhere within the Windows operating system.
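As an added example, not code from the article or from the researchers' report, the following PowerShell audit lets a defender look for the conditions the paragraphs above describe: printer ports or printers whose "device" is actually a local file path, and spooled jobs left on disk that the service would resume on its next start. It assumes an elevated prompt and the PrintManagement module (Windows 8 / Server 2012 and later); the pattern and directory used are standard Windows values, not anything taken from the article.

```powershell
# Added audit script (not part of the original article). Flags printer ports
# and printers that point at a file path instead of a device, and lists any
# spooled jobs persisted under the spooler's PRINTERS directory.
# Assumptions: elevated PowerShell, PrintManagement module available.

# A port name that is a drive-letter path or a UNC path means "print to file".
$filePathPattern = '^(?:[A-Za-z]:\\|\\\\)'

Write-Host "== Printer ports whose name is a file path =="
Get-PrinterPort |
    Where-Object { $_.Name -match $filePathPattern } |
    Select-Object Name, PortMonitor, Description |
    Format-Table -AutoSize

Write-Host "== Printers bound to such a port =="
Get-Printer |
    Where-Object { $_.PortName -match $filePathPattern } |
    Select-Object Name, PortName, DriverName |
    Format-Table -AutoSize

# Jobs the spooler has persisted to disk (.SPL data plus .SHD job descriptor).
# A job left here is replayed when the service restarts, which is the
# "crash, then resume" sequence the article describes. On an idle system
# with no queued jobs this directory should be empty.
$spoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
Write-Host "== Spooled job files in $spoolDir =="
Get-ChildItem -Path $spoolDir -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize
```

Any port or printer listed in the first two tables deserves a closer look, since legitimate printers are bound to device or network ports rather than paths on the system drive; confirm with the system owner before removing anything.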

In a recent tweet, the researchers said that the Windows exploit, CVE-2020-1048, requires just a single PowerShell command line to create and install a persistent backdoor that will survive later security patches for quite some time. The initial exploit, of course, only works on machines that have not yet been patched.

Fortunately, Microsoft released a patch soon after the researchers reported the discovery; the fix was available almost immediately after the bug was announced.
