
SANS ISC: Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe SANS ISC InfoSec Forums

Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe

Looking at our Patch Tuesday list, I took a closer look at CVE-2020-1048 (Print Spooler Privilege Escalation) and Microsoft's ratings for it.  Microsoft rated this as:

Disclosed: NO
Exploited: NO
Exploitability (old and new versions)

Unfortunately, this vulnerability was actually disclosed to Microsoft by the research community (see below), so the code to exploit it absolutely does exist and was disclosed, and a full write-up was posted as soon as the patch came out:
https://windows-internals.com/printdemon-cve-2020-1048/

Long story short, on an unpatched system, you can plant a persistent backdoor on a target host with this one-liner in PowerShell:

Add-PrinterPort -Name c:\windows\system32\ualapi.dll
Then "print" an MZ file (a DOS/Windows executable) to that printer to light it up.

As noted, this backdoor is persistent, and will remain in place even after you apply the patch!
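Because the backdoor survives the patch, the port itself is what to hunt for. The following PowerShell check is an added example (not from the diary or from Microsoft): it lists local printer ports whose name is a filesystem path, the pattern the one-liner above relies on, and reports whether the target file already exists and how it is signed. It assumes the PrintManagement module (Windows 8 / Server 2012 and later).

```powershell
# Added defensive check (not part of the ISC diary): find printer ports whose
# "name" is really a file path, such as c:\windows\system32\ualapi.dll, and
# report on the file they point at. Run on each host you want to sweep.
Import-Module PrintManagement -ErrorAction Stop

# Legitimate local ports look like LPT1:, COM1:, FILE: or NUL:.  Anything that
# starts with a drive letter or a UNC prefix deserves a second look.
$pathLike = '^(?:[A-Za-z]:\\|\\\\)'

$findings = Get-PrinterPort |
    Where-Object { $_.Name -match $pathLike } |
    ForEach-Object {
        $target = $_.Name
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        $signer = 'n/a'
        if ($exists) {
            # A DLL dropped this way will not carry a Microsoft signature.
            $sig    = Get-AuthenticodeSignature -LiteralPath $target
            $signer = '{0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
        }
        [pscustomobject]@{
            PortName   = $target
            FileExists = $exists          # $false means the port is staged but not yet "printed" to
            InSystem32 = $target -like "$env:SystemRoot\System32\*"
            Signature  = $signer
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No file-backed printer ports found.'
}
```

A port that points into System32 (or any other DLL search path) should be removed with Remove-PrinterPort and the target file quarantined, whether or not the host has already been patched.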

Moral of the story?  For me, there are a couple of them:

  • Don't put too much stock in risk ratings assigned to patches.  "Lows" and "Mediums" can bite you just as badly as vulnerabilities rated as "High".  This goes for patches as well as scan results or pentest results.  If your policy is to patch only Severe and High rated issues, you'll pay for that eventually.
  • Also, it's a good thing that more vendors are going to monolithic patching.  If you apply the current patch set from Microsoft, you get them all - there's no more "cherry picking" allowed!

These days, if you see resistance to resolving any security issues in your organization (even lows and mediums), my take would be to tackle this in your Corporate Policies.  To help ensure that any security issue is resolved - whether via patching or correcting a config issue - have your policy call for a formal sign-off for the decision to NOT fix each of those issues.  You'll find that management will be reluctant to put in writing "we're choosing to not fix this problem".

Kudos to @peleghd (Peleg Hadar) and Tomer Bar of @safebreach for the initial research and disclosure to Microsoft (acknowledgements here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1048 ).
Thanks also to Yarden Shafir and Alex Ionescu of Winsider for the related research and the detailed post referenced in this article.

===============
Rob VandenBrink
www.coherentsecurity.com

ISC Handler
May 14th 2020
