PrintDemon vulnerability impacts all Windows versions

LASER_oneXM

PrintDemon vulnerability impacts Windows versions released as far back as 1996. Patches available.

Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996.
The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations.

The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later.

Trivially exploitable local privilege elevation
In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Printer Spooler internal mechanism.
... ...
 
Wow, that one could be nasty on unpatched machines. It is worth knowing that the Microsoft patch does not remove the possible malware if the malware was there before the patch. One can check if the system is infected by looking at the Registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports.
Any ports that have a file path in them — especially ending in an extension such as .DLL or .EXE should be treated with extreme prejudice. "
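
The registry check described in the reply above, as an added PowerShell example that is not part of the original posts or of the researchers' report. The function names and the sample port names are assumptions made for illustration; the treatment of UNC paths as file paths is also an assumption beyond what the quote states.

```powershell
# Added example: flag Print Spooler ports whose name is a file path.
# In the Ports key each registry VALUE NAME is a port name (COM1:, LPT1:, FILE:, ...).
$PortsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'

function Test-PortIsFilePath {
    # Hypothetical helper: true for drive-letter paths (C:\...) and,
    # as an assumption, UNC paths (\\server\share\...).
    param([Parameter(Mandatory)][string]$PortName)
    return $PortName -match '^(?:[A-Za-z]:\\|\\\\)'
}

function Get-FilePathPort {
    # Hypothetical helper: classify a list of port names.
    param([Parameter(Mandatory)][string[]]$PortName)
    foreach ($name in $PortName) {
        if (Test-PortIsFilePath -PortName $name) {
            [pscustomobject]@{
                Port       = $name
                # .DLL / .EXE are the extensions the quoted advice calls out.
                Executable = [bool]($name -match '\.(dll|exe)$')
            }
        }
    }
}

# Constructed sample names: four ordinary ports and one file-path port.
$sample = 'COM1:', 'LPT1:', 'FILE:', 'Ne00:', 'C:\Windows\System32\example.dll'
'--- constructed sample ---'
Get-FilePathPort -PortName $sample | Format-Table -AutoSize

# Live check on the local machine (read-only).
if (Test-Path -LiteralPath $PortsKey) {
    $names = (Get-Item -LiteralPath $PortsKey).GetValueNames()
    $hits  = @(Get-FilePathPort -PortName $names)
    '--- local Ports key ---'
    if ($hits.Count -eq 0) {
        'No port names that look like file paths.'
    } else {
        $hits | Sort-Object Executable -Descending | Format-Table -AutoSize
    }
}
```

A hit is a lead to investigate rather than proof of infection: someone may have deliberately configured a print-to-file port on the machine.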
 
