A printer port - you’d normally think of this as LPT1 back in the day, or a USB port today, or even a TCP/IP port (and address).To begin with, a printer must be associated with a minimum of two elements: We won’t talk about monitors or providors (sp) or processors, but rather just the basic printing pipeline.
So, to begin with, let’s look at a very simple description of how the printing process works, extremely dumbed down. While we typically like to go into the deep, gory, guts of Windows components (it’s an internals blog, after all!), we felt it would be worth keeping things simple, just to emphasize the criticality of these issues in terms of how easy they are to abuse/exploit - while also obviously providing valuable tips for defenders in terms of protecting themselves.
Secondly, Alex would like to apologize for the naming/branding of a CVE - we did not originally anticipate a patch for this issue to have collided with other research, and we thought that since the Spooler is a service, or a daemon in Unix terms, and given the existence of FaxHell, the name PrintDemon would be appropriate. We understand that Peleg and Tomer will be presenting their research at Blackhat USA 2020, which should be an exciting addition to this post. It’s extra ironic that an underground ‘zine first looked at the Print Spooler, which was never found by Microsoft, and that’s what the team behind Stuxnet ended up using!įirst, we’d like to shout out to Peleg Hadar and Tomer Bar from SafeBreach Labs who earned the MSRC acknowledgment for one of the CVEs we’ll describe - there are a few others that both the team and ourselves have found, which may be patched in future releases, so there’s definitely still some dragons hiding. Ironically, the Print Spooler continues to be one of the oldest Windows components that still hasn’t gotten much scrutiny, even though it’s largely unchanged since Windows NT 4, and was even famously abused by Stuxnet (using some similar APIs we’ll be looking at!). We promised you there would be a Part 1 to FaxHell, and with today’s Patch Tuesday and CVE-2020-1048, we can finally talk about some of the very exciting technical details of the Windows Print Spooler, and interesting ways it can be used to elevate privileges, bypass EDR rules, gain persistence, and more.