The vulnerability CVE-2020-1048 (description on Microsoft's website, discussion on Habr) in the Windows print service (more precisely, in the Windows Print Spooler module) stands out not for its severity but for its history. It was found in an ancient piece of code which, apparently, has not been updated since Windows NT4.
The formal description of the problem reads as follows: a vulnerability in Print Spooler allows a local user to elevate privileges, because it grants arbitrary access to the file system. Last Tuesday, May 12, researchers Alex Ionescu and Yarden Shafir published the most detailed description of the problem to date. The article sums up CVE-2020-1048 in simple words at its end: it is an incredibly easy-to-use bug, and the system can be "attacked" with just a couple of PowerShell commands. And that is not all: the study leads us to even older code for sending faxes (!) and to the industrial attack Stuxnet.
The publication describes in detail how Print Spooler works: it is the subsystem responsible both for printing documents and for managing printers. It can work with local and network printing devices, and it also supports printing to a file. That last method is described in detail in the article, including the mechanism for adding a virtual printer with a PowerShell command, with the following result:
In the end, it all comes down to entering the magic command from the tweet above. Windows did not check the validity of the "destination", which made it possible to create a "printer" that writes to a system file, in this case the ualapi.dll library. It is enough to "print" an arbitrary executable to such a "printer", and you get full control over the system. In the patch, Microsoft developers added print port verification. More precisely, the check existed before, but it only worked when the Print Spooler tools were used through the graphical interface (the Windows Internals investigation shows an attempt to create such a port). It did not work when working from the command line.
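To check a machine for the kind of "printer" described above, here is an added audit script (my own example, not code from the article or from Ionescu and Shafir) that lists local printer ports whose names are file paths into system directories, together with the print queues bound to them. It assumes the PrintManagement cmdlets Get-PrinterPort and Get-Printer are available, and the set of directories treated as sensitive is an assumption to adjust for your environment.

```powershell
# Added example (not from the article): audit printer ports for file-path
# "destinations". After CVE-2020-1048, a port whose name is a path into a
# system directory is exactly the artefact worth listing. Requires the
# PrintManagement module (Windows 8 / Server 2012 and later); run elevated.

# Directories where a legitimate "print to file" port has no business
# pointing. This list is an assumption; adjust it to your environment.
$sensitiveRoots = @(
    "$env:SystemRoot",
    "${env:ProgramFiles}",
    "${env:ProgramFiles(x86)}"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-SuspiciousPortName {
    param([Parameter(Mandatory)][string]$Name)
    # A port name that is a drive or UNC path is a file destination, unlike
    # the usual LPT1:, COM1:, FILE: or TCP/IP port names.
    $isPath = $Name -match '^(?:[A-Za-z]:\\|\\\\)'
    if (-not $isPath) { return $false }
    foreach ($root in $sensitiveRoots) {
        if ($Name.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    # A path outside the system directories is still unusual if it names a
    # library or executable rather than a document.
    return ($Name -match '\.(dll|exe|sys)$')
}

$ports    = Get-PrinterPort
$printers = Get-Printer

$findings = foreach ($port in $ports) {
    if (Test-SuspiciousPortName -Name $port.Name) {
        # Which print queues can write through this port?
        $queues = ($printers | Where-Object PortName -eq $port.Name).Name -join ', '
        [PSCustomObject]@{
            Port     = $port.Name
            Monitor  = $port.PortMonitor
            Printers = $queues
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No printer ports pointing at sensitive file paths."
}
```

On a patched system the GUI and the command line both reject such ports, so a hit from this script on an up-to-date machine indicates a port created before patching and worth investigating.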
This study has a backstory: as early as April 30, Ionescu and Shafir published an article about a similar attack, but through the fax service (do you remember what a fax is? No? Windows still supports them!). At that time the researchers already knew about the vulnerability in Print Spooler but had to wait for the patch to be released. Hence the odd sequencing: the earlier publication had to be called the second part of the study, and the first part came out a couple of weeks later.
In 2010, a similar vulnerability was closed in the Windows printing system: privilege escalation by arbitrarily "printing" data to a file. The problem was exploited as part of the Stuxnet cyber attack, where it belonged to the toolkit for gaining a foothold on the target system. Actually, we discovered it while studying the malicious code. As a result of that incident 10 years ago, Print Spooler's defenses were strengthened, but, as is now clear, not well enough.
What else happened
Sophos surveyed companies that reported ransomware attacks. The average loss from such incidents came to 730 thousand dollars, but that figure applies if you do not pay the ransom and instead restore the data from backups and rebuild the infrastructure by other means.
Most interestingly, the average damage among those who complied with the extortionists' demands turned out to be twice as much: 1.4 million dollars. In part this is an "average temperature across the hospital", since competent protection and backups can save a great deal. But it is another argument for not paying cybercriminals, in addition to the many examples of double extortion, where attackers first demand money to decrypt the data and then demand more for not publishing it.
A vulnerability was found in the Page Builder plugin for WordPress. In theory, up to a million websites are affected; the bug allows an attacker to target a WordPress administrator account by executing malicious code in the browser.