PoC for CVE-2009-0229 "Print Spooler Read File Vulnerability" - LPE / arbitrary file read (related to CVE-2020-1048)
- Author: Andrei Costin (zveriu@gmail.com)
- PoC date: 2010-xx-xx
- Release date: 2020-05-14 (reminded/inspired by CVE-2020-1048 - yes, I am too late to the party :D )
- TL;DR
- If you want 0days, dig into the Printing and Faxing sub-systems of OSes :) - lots of legacy code kept for historical reasons - there are vulns for everyone =)
-
Note1: Unverified - not 100% sure this is the same bug that triggers CVE-2009-0229
-
Note2: Unverified - may also work on newer systems such as Windows Server 2012 and Windows Server 2016
-
Note3: All Windows releases come with 4 default "Separator Page" files
- pcl.sep
- pscript.sep
- sysprint.sep
- sysprtj.sep
-
Note4: This trick is older than Windows 95 =), pretty sure it was used by pros for "stealth info recovery" ;)
- (non-admin) local attacker has "printer management rights"
- option1: can add a new printer
- option2: can modify the settings of an existing "system wide" printer (often the case)
- the "arbitrary file" to be exfiltrated has no explicit "Deny Read" permission
- highly unlikely, as an explicit deny would make the file impractical/unusable for the victim
-
Local attacker configures any printer s/he has access to so that it uses a "Separator Page" file supplied by the attacker (attack.sep); the attacker now has a "weaponized" printer
- See "Windows "Separator Page" References" below for details
-
Local attacker crafts the "Separator Page" file (attack.sep) to use the "@F"/"$F" operator as follows, where the file to be exfiltrated is assumed to be "C:\secret.txt" (notice the \ and the direct concatenation to the @F operator):

```
@
@FC:\\secret.txt
```
-
Local attacker needs to print something using the "weaponized" printer above
- For example, the local attacker opens Notepad and prints an empty document through the printer configured above with the "Separator Page" file
- Local attacker uses the "print to file" option when printing (e.g., c:\temp\exfiltrated.out) - "print to file" produces .ps output in most Windows versions, plus .xps in newer ones (http://ps-2.kev009.com/pcpartnerinfo/ctstips/e94a.htm)
- This is done so that the content of the exfiltrated file does not go to the physical printer (though this is also an option), but becomes immediately available to the attacker in the output file
-
Attack improvement: one "Separator Page" file can contain a brute-force list of the most common file paths/names, one @F entry per candidate
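As an added, defender-side example (not part of the original PoC or of any Windows component), the following Python script parses the separator-page syntax documented by Microsoft (the first character of the file is the escape character; @F includes the contents of a file, @L prints literal text up to the next escape character, @H and @W take a short numeric argument, and codes such as @N, @I, @D, @T and @E take none) and reports every @F directive whose target is outside an allowed directory. This is the check an administrator would run over the .sep files referenced by configured printers to spot a crafted separator page like attack.sep above, including the brute-force variant with many @F lines. The allowed root `C:\Windows\System32`, the sample .sep contents and the path `C:\Users\victim\Documents\passwords.txt` are constructed for illustration, and the rule that an @F path runs to the end of the line is my simplifying assumption.

```python
"""Scan Windows printer "Separator Page" (.sep) files for @F file-read directives.

Added example; it is not code from the PoC write-up above and uses no Windows API,
so it runs on any OS. ntpath is used so Windows paths normalize the same way everywhere.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SepDirective:
    line_no: int   # 1-based line in the .sep file
    code: str      # directive letter following the escape char, e.g. "F", "L", "N"
    argument: str  # text consumed by the directive ("" if it takes none)


def parse_separator_page(text: str) -> tuple[str, list[SepDirective]]:
    """Return (escape_char, directives) for a separator page file.

    The first character of the file defines the escape character (typically '@' or '\\').
    """
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("empty separator file: no escape character defined")
    esc = lines[0][0]
    directives: list[SepDirective] = []
    for line_no, line in enumerate(lines[1:], start=2):
        i = 0
        while i < len(line):
            if line[i] != esc or i + 1 >= len(line):
                i += 1
                continue
            code = line[i + 1]
            rest = line[i + 2:]
            if code == "F":
                # @Fpathname: assumption, the path is the rest of the line.
                directives.append(SepDirective(line_no, code, rest.strip()))
                break
            if code == "L":
                # @L: literal text until the next escape character (or end of line).
                end = rest.find(esc)
                arg = rest if end < 0 else rest[:end]
            elif code == "H":
                # @Hnn: up to two hex digits of a printer control code.
                arg = re.match(r"[0-9A-Fa-f]{0,2}", rest).group(0)
            elif code == "W":
                # @Wnn: page width, up to two decimal digits.
                arg = re.match(r"[0-9]{0,2}", rest).group(0)
            else:
                arg = ""  # @N, @I, @D, @T, @E, @U, @B, @S, @M, @0-@9 take no argument
            directives.append(SepDirective(line_no, code, arg))
            i += 2 + len(arg)
    return esc, directives


def file_reads_outside(text: str, allowed_roots: list[str]) -> list[tuple[int, str]]:
    """Return (line_no, normalized_path) for each @F whose target is not under an allowed root.

    Paths are normalized with ntpath so that the doubled backslash in the PoC's
    '@FC:\\\\secret.txt' collapses to 'c:\\secret.txt'. Relative paths never match a
    root and are therefore always reported for manual review.
    """
    roots = [ntpath.normcase(ntpath.normpath(r)).rstrip("\\") + "\\" for r in allowed_roots]
    _, directives = parse_separator_page(text)
    findings = []
    for d in directives:
        if d.code != "F":
            continue
        path = ntpath.normcase(ntpath.normpath(d.argument))
        if not any(path.startswith(root) for root in roots):
            findings.append((d.line_no, path))
    return findings


# Constructed sample inputs (not files taken from any real system).
ALLOWED_ROOTS = [r"C:\Windows\System32"]  # assumed location of the stock .sep files

BENIGN_SEP = "@\n@N\n@I\n@D\n@L Printed at @T\n@E\n"

# Mirrors the attack.sep from the write-up, extended with the brute-force idea and one
# legitimate include of a stock separator file.
ATTACK_SEP = r"""@
@FC:\\secret.txt
@FC:\Users\victim\Documents\passwords.txt
@FC:\Windows\System32\pcl.sep
@E
"""

if __name__ == "__main__":
    for name, sep in (("benign.sep", BENIGN_SEP), ("attack.sep", ATTACK_SEP)):
        hits = file_reads_outside(sep, ALLOWED_ROOTS)
        status = "OK" if not hits else "SUSPICIOUS"
        print(f"{name}: {status}")
        for line_no, path in hits:
            print(f"  line {line_no}: @F reads {path}")
```

In practice the script is fed the separator file of every configured printer; on Windows the file path is exposed per printer in the Print Management console, and any @F pointing outside the directory that holds the stock pcl.sep/pscript.sep/sysprint.sep/sysprtj.sep files is worth an immediate look.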
-
There is also @L operator :)
- see my paper "PostScript: Danger Ahead?!" https://scholar.google.fr/scholar?oi=bibs&hl=en&q=related:RGJbW-sFP9sJ:scholar.google.com/
- see also pscript.sep and sysprint.sep
-
Found back in 2010 while I was doing my "Hacking Printers for Fun and Profit" research/talks
- https://www.youtube.com/watch?v=R56ZXErKCeE
- https://www.youtube.com/watch?v=KrWFOo2RAnk
- https://www.youtube.com/watch?v=JcfxvZml6-Y
- http://andreicostin.com/papers/Conf%20-%20EuSecWest2010_AndreiCostin_HackingPrintersForFunAndProfit_full.pdf
- found independently of the CVE-2009-0229 submitter - until today I did not know CVE-2009-0229 existed =)), thought I was sitting on a 0day =))
-
I am pretty sure the Printing and Faxing sub-systems are bug-trapped with vulns back since Windows 3.1 (for historical reasons)
-
"Microsoft Security Bulletin MS09-022 - Critical"
-
CVE-2009-0229
-
CVE-2020-1048
-
Windows "Separator Page" References
- This is how "Separator Page" dialogs look on various Windows versions
- This is how "Print to file" looks in some Windows versions
- "Separator Page" in "Hands-On Microsoft Windows Server 2016" by Michael Palmer
- "Create Custom Separator Pages in Windows Server 2012/2016"
- "Use a Separator Page When Printing in Windows"
- "How do I configure a Print Separator Page?"