The vulnerability was discovered by researchers Peleg Hadar and Tomer Bar of SafeBreach Labs. It affects the Windows Print Spooler, the service that manages the printing process. A bypass of the fix for this vulnerability has been assigned a new identifier (CVE-2020-1337).
The technical details of the new vulnerability are still under embargo and will be published after the patch ships on August 11, together with a proof-of-concept Mini-Filter driver that shows how to block exploitation of both vulnerabilities in real time.
CVE-2020-1048 is exploited through crafted files that the print spooler parses. One is the .SHD (shadow) file, which holds the print job's metadata, such as the SID (security identifier) of the user who created the job. The other is the .SPL (spool) file, which holds the print data itself.
As the researchers note, the ProcessShadowJobs function processes every SHD file in the spooler folder when the spooler process starts. Since the Windows Print Spooler runs with SYSTEM privileges and any user can place SHD files in its folder, the researchers looked for a way to turn this into a write to the System32 directory, which normally requires elevated privileges.
According to the researchers, an SHD file can be modified to carry the SYSTEM SID, placed in the print spooler folder, and the machine restarted so that the spooler executes the job as the most privileged Windows account. They copied the crafted SHD file into the spooler folder alongside an arbitrary DLL (wbemcomn.dll) disguised as an SPL file. After the reboot, they achieved privilege escalation: the spooler wrote their DLL into the System32 folder.
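As an added illustration of the detection side of what the article describes (not SafeBreach's code and not their Mini-Filter driver), the following Python check walks a spooler directory and flags jobs whose SPL "print data" is actually a PE image, the disguise the researchers used. The spooler path, the file names and the sample contents are assumptions; the sample directory is constructed in a temp folder so the check runs anywhere.

```python
import os
import struct
import tempfile

# Default Windows spooler directory (assumption: standard install path).
SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"


def looks_like_pe(path):
    """True if the file has an MZ header and a 'PE\\0\\0' signature at e_lfanew."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]  # offset of PE header
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"


def scan_spool_dir(spool_dir=SPOOL_DIR):
    """Return (file name, reason) for SPL files that are PE images and for the
    SHD jobs that reference them; legitimate print data never starts with MZ."""
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext == ".spl" and looks_like_pe(path):
            findings.append((name, "SPL file is a PE image (DLL/EXE), not print data"))
        elif ext == ".shd":
            partner = os.path.splitext(path)[0] + ".SPL"  # assumed pairing by job number
            if os.path.isfile(partner) and looks_like_pe(partner):
                findings.append((name, "SHD job whose SPL payload is a PE image"))
    return findings


def build_sample_dir():
    """Construct a throwaway spooler-like directory: one benign job and one
    job whose SPL is a minimal PE stub (constructed sample data)."""
    d = tempfile.mkdtemp(prefix="spool_sample_")
    with open(os.path.join(d, "00001.SHD"), "wb") as f:
        f.write(b"\x00" * 64)                        # placeholder metadata
    with open(os.path.join(d, "00001.SPL"), "wb") as f:
        f.write(b"%PDF-1.4 constructed print data")  # ordinary spool data
    # "MZ", padding up to e_lfanew at 0x3C pointing to 0x40, then "PE\0\0".
    pe_stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    with open(os.path.join(d, "00002.SHD"), "wb") as f:
        f.write(b"\x00" * 64)
    with open(os.path.join(d, "00002.SPL"), "wb") as f:
        f.write(pe_stub)
    return d


if __name__ == "__main__":
    for name, reason in scan_spool_dir(build_sample_dir()):
        print(f"{name}: {reason}")
```

On a real host, run `scan_spool_dir()` with the default path from an elevated prompt; the same MZ/PE check is what an on-access filter would apply to SPL writes.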