Unpatched hole in the Windows print spooler gives malware admin rights

Researchers have bypassed a patch Microsoft released in May. The new hole could let malware be planted and executed with elevated privileges. A new update is due next Tuesday as part of the August Patch Tuesday.

Researchers have managed to bypass a patch that Microsoft released for a vulnerability in the Windows Print Spooler service. An attacker could use the flaw to execute malicious code with elevated privileges, as Bleeping Computer reports.

A fix released in May was actually meant to close the CVE-2020-1048 vulnerability, which was discovered and reported to Microsoft by researchers Peleg Hadar and Tomer Bar of SafeBreach Labs. The flaw lies in the Print Spooler. The same researchers have now found that the patch is not effective.

Details of the new vulnerability, which has been assigned the identifier CVE-2020-1337, are not yet known. They are to be published only after a new patch is available; that is planned for the August Patch Tuesday on August 11.

Microsoft describes CVE-2020-1048 as an elevation-of-privilege vulnerability in which "the Windows Print Spooler service improperly allows arbitrary writing to the file system. A local attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

According to Bleeping Computer, the researchers were able to place specially crafted files in the print spooler folder, which the spooler processes the next time the operating system starts. In this way they managed to copy a disguised DLL into the System32 folder.

“As a bonus, several Windows services loaded our DLL (wbemcomn.dll) because they weren’t verifying the signature, and were trying to load the DLL from a path that didn’t exist, which meant we were getting code execution too,” the researchers added.

Although this attack no longer works on systems with the May patch installed, the hole in the patch is said to produce similar results.
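The chain described above leaves three things an administrator can look for: a printer port whose name is a local file path (the write primitive, a detail known from published analyses of CVE-2020-1048 rather than from this article), a persisted spool job in the PRINTERS folder that the spooler re-processes at the next start, and a planted wbemcomn.dll sitting where services probe for it without checking its signature. The following audit script is an added example written for this page; it is not code from the article, Bleeping Computer or SafeBreach. It assumes PowerShell 5.1 or later with the PrintManagement module, local administrator rights, and that the genuine wbemcomn.dll lives under System32\wbem (an assumption about the expected location, not something the article states).

```powershell
# Added audit script (not from the article, Bleeping Computer or SafeBreach).
# Assumes: PowerShell 5.1+ with the PrintManagement module and local admin rights.
# Run it from an elevated prompt on the host you want to check.

$spoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'

# 1. Printer ports whose "name" is really a local file path. Published analyses of
#    CVE-2020-1048 (a detail the article itself does not give) show the spooler
#    writing job output to such a port while running as SYSTEM. Built-in ports look
#    like LPT1:, COM1:, FILE:, nul:, PORTPROMPT: or a printer's network address,
#    none of which start with a drive letter.
$suspectPorts = Get-PrinterPort | Where-Object { $_.Name -match '^[A-Za-z]:\\' }
foreach ($port in $suspectPorts) {
    $users = (Get-Printer | Where-Object { $_.PortName -eq $port.Name }).Name -join ', '
    Write-Warning ("Printer port '{0}' points at a file path (used by printers: {1})" -f $port.Name, $users)
}

# 2. Shadow/spool job files (.SHD/.SPL) left in the PRINTERS folder. As the article
#    notes, the spooler re-processes them at the next start, so a job that survived
#    a reboot and targets a file-path port is the delivery vehicle for the write.
$jobFiles = Get-ChildItem -Path (Join-Path $spoolDir '*') -Include *.shd, *.spl -Force -ErrorAction SilentlyContinue
foreach ($f in $jobFiles) {
    Write-Warning ("Persisted spool job {0} ({1} bytes, written {2})" -f $f.Name, $f.Length, $f.LastWriteTime)
}

# 3. The planted DLL. The article says the researchers' copy of wbemcomn.dll landed
#    in System32; the genuine file is assumed here to ship under System32\wbem.
#    A copy directly in System32, or one whose Authenticode signature is not valid,
#    is exactly the unchecked load the researchers describe. On Windows 8 and later
#    Get-AuthenticodeSignature also honours catalog signatures, so a genuine
#    catalog-signed system DLL is reported as Valid.
$planted = Join-Path $env:SystemRoot 'System32\wbemcomn.dll'
$genuine = Join-Path $env:SystemRoot 'System32\wbem\wbemcomn.dll'
foreach ($path in @($planted, $genuine)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    if ($path -eq $planted -or $sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature {1}, signer {2}" -f $path, $sig.Status, $signer)
    }
}
```

Run it from an elevated prompt; anything it warns about deserves a look even on a patched system, because the file-path port and the persisted job are artifacts of an attempt, not of the vulnerability still being open. A clean run prints nothing.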

