What is PrintDemon?

PrintDemon is a vulnerability striking Windows system. The vulnerability was identified in the Windows Print Spooler. The vulnerability was first discovered and reported by two researchers Peleg Hadar and Tomer Bar from SafeBreach Labs. But the name was coined by researchers Alex Ionescu and Yarden Shafir. The Microsoft address it as CVE-2020-1048 -Windows Print Spooler Elevation of Privilege Vulnerability” and describe it as:

” An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application.”

What is Print Spooler?

Print spooler is one of the important components of the printing interface that manages the printing process. It is an executable file. After retrieving the correct driver location, it loads the driver. Scheduling print jobs is also another management function performed by print spooler. Enhanced metafile (EMF) is the default data type for a print job. The other data types supported by print spooler are ASCII text and raw data.

How vulnerable is the PrintDemon?

According to the report released by researchers, this vulnerability will affect all Windows versions that date back to 1996. In the opinion of the researcher Alex Ionescu, an attacker can exploit this vulnerability with the following single PowerShell command:

Add-PrinterPort -Name c:\windows\system32\ualapi.dll

He claims that on an unpatched system, the above-mentioned PowerShell command will install a persistent backdoor and this won’t go even after we try to patch the same. But as per Brendan Watters, a Rapid7 researcher, and few other blogs, it is impossible to exploit this vulnerability with a single line comment.
This vulnerability cannot be triggered remotely through the Internet. An attacker can exploit the target system only if he has already logged in to that system. As stated by Microsoft, “An attacker who has user-level access to the system could run arbitrary code with elevated system privileges. The hacker could then install programs; view, modify, or delete data; or create new accounts with full user rights.

Prevention or Fix

Microsoft has patched the vulnerability and has released the fixes with the Microsoft May 2020 Patch Tuesday. With other updates, users will receive the patch automatically. Otherwise, users may manually download the fixes to safeguard their system quickly.