With this Windows PowerShell command hackers can install a backdoor that can’t be removed with a patch

A team of cybersecurity specialists has just released a report on a recently found vulnerability in the Windows printing process. According to the researchers, this flaw is present in every version of the system since Windows NT 4 (1996). The vulnerability, dubbed ‘PrintDemon’, resides in Windows Print Spooler, the main Windows component for managing print operations.

Windows Print Spooler can send print data to a USB port for physically connected printers or to a TCP port for printers residing on a local network or on the Internet. This service can also send data to a local file, in case the user wants to save a print job for another time.

The report, prepared by researchers Alex Ionescu and Yarden Shafir, describes the discovery of this long-standing security flaw. It appears that threat actors could abuse this component to take control of Print Spooler’s internal mechanism. It should be mentioned that the flaw cannot be exploited remotely over the Internet, so it cannot be used to compromise arbitrary Windows systems across the network.

This is a local privilege escalation flaw, so threat actors only require minimal access to a Windows machine: ordinary user privileges are enough to run an unprivileged PowerShell command and gain administrator-level access on the operating system. According to experts, the attack is possible because of the way the Print Spooler service is designed.

The print service is available without further restriction to any application on the system that wants to print a file. Threat actors can create a document for printing (a local DLL used by the operating system, for example), start the printing process, deliberately stop the service, and then let the operation resume, this time with system privileges. This allows them to overwrite any file anywhere on the operating system.
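A defender-side audit that follows from the mechanism described above, added here as an example and not taken from the article or from the researchers’ report: it lists printer ports whose name is really a filesystem path, which is what lets the spooler write a print job to an arbitrary file, and shows which printers are bound to them. The cmdlets are the standard PrintManagement ones (Windows 8 / Server 2012 and later); the suspicious-name heuristics are assumptions of this example.

```powershell
# Added example, not part of the article or the PrintDemon research. Audits the
# ports the Print Spooler will write print jobs to and flags any that point at a
# file on disk rather than a printer. Requires the PrintManagement module.

# Assumed heuristics: a port name that is a drive-letter or UNC path, or that ends
# in an executable extension, is not a printer and deserves a closer look.
$PathLike      = '^(?:[A-Za-z]:\\|\\\\)'
$ExecutableExt = '(?i)\.(dll|exe|sys|ps1|bat|cmd)$'

function Get-SuspiciousPrinterPort {
    Get-PrinterPort | ForEach-Object {
        $reasons = @()
        if ($_.Name -match $PathLike)       { $reasons += 'port name is a filesystem path' }
        if ($_.Name -match $ExecutableExt)  { $reasons += 'port name ends in an executable extension' }
        if ($_.Name -match '(?i)\\Windows\\') { $reasons += 'port name points under the Windows directory' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Port        = $_.Name
                Monitor     = $_.PortMonitor     # 'Local Port' is the monitor that writes to files
                Description = $_.Description
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# A job can only be spooled to a port through a printer object, so list the printers
# bound to each flagged port; they are the objects an administrator would remove.
function Get-PrinterUsingPort {
    param([Parameter(Mandatory)][string[]]$PortName)
    Get-Printer | Where-Object { $PortName -contains $_.PortName } |
        Select-Object Name, PortName, DriverName, Shared
}

$suspect = @(Get-SuspiciousPrinterPort)
if ($suspect.Count -gt 0) {
    $suspect | Format-Table -AutoSize
    Get-PrinterUsingPort -PortName $suspect.Port | Format-Table -AutoSize
} else {
    'No printer ports that resolve to filesystem paths were found.'
}
```

Run it as an administrator on the host being audited; on a clean system only the built-in ports (LPTx:, COMx:, FILE:, nul:, TCP/IP and USB ports) are present and nothing is flagged.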

According to the experts, exploiting this vulnerability on the latest versions of Windows requires a single line of PowerShell, although the process is more complicated on earlier versions: “In a system without security updates, a malicious hacker could exploit the flaw to install a persistent backdoor, which would not disappear even after updating the vulnerable system”.

Fortunately, the vulnerability was corrected as part of Microsoft’s May 2020 security update, so the researchers were able to publish the details. Tracked as CVE-2020-1048, the flaw was reported by Ionescu and Shafir about a month ago.

Experts also reported a similar flaw affecting the Windows fax service, whose exploitation would allow attackers to hijack local files and install backdoors on vulnerable systems. This flaw, identified as FaxHell, was also corrected by the company in the May update.