CVE-2020-1048 | PrintDemon±¾µØÌáȨ·ì϶¹«¸æ

°ä²¼¹¦·ò 2020-05-15

0x00 ·ì϶¸ÅÊö


CVE   ID

CVE-2020-1048

ʱ    ¼ä

2020-05-15

Àà    ÐÍ

LPE

µÈ    ¼¶

¸ßΣ

Ô¶³ÌÀûÓÃ

·ñ

Ó°ÏìÁìÓò

×Ô1996ÄêÒÔÀ´°ä²¼(Windows NT 4)µÄËùÓÐWindows°æ±¾


0x01 ·ì϶ÏêÇé


28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿


2020Äê5ÔÂ12ÈÕ°²È«×êÑÐÈËÔ±Alex IonescuºÍYarden Shafir°ä²¼·ì϶»ã±¨ £¬ÔÚWindows´òÓ¡·þÎñÖз¢ÏÖÁËÒ»¸ö°²È«·ì϶£¨CVE-2020-1048£© £¬Äܹ»ÓÃÀ´½Ù³ÖPrinter Spooler»úÔì £¬¸Ã·ì϶ӰÏì×Ô1996ÄêÒÔÀ´°ä²¼(Windows NT 4)µÄËùÓÐWindows°æ±¾¡£

CVE-2020-1048ÊÇWindows ´òÓ¡ºó¶Ü´¦Ö÷¨Ê½ÌØÈ¨ÌáÉý·ì϶¡£ÈôÊÇ Windows ´òÓ¡ºó¶Ü´¦Ö÷¨Ê½·þÎñÆ÷²»ÕýÈ·µØÔÊÐíËÁÒâдÈëÎļþϵͳ £¬Ôò»á´æÔÚÌØÈ¨ÌáÉý·ì϶¡£³É¹¦ÀûÓô˷ì϶µÄ¹¥»÷ÕßÄܹ»Ê¹ÓÃÌáÉýµÄÏµÍ³ÌØÈ¨ÔËÐÐËÁÒâ´úÂë¡£¹¥»÷Õß¿ÉËæºó×°Ö÷¨Ê½£»²é¿´¡¢¸ü¸Ä»òɾ³ýÊý¾Ý£»»òÕß´´½¨Õ¼ÓÐÆëÈ«Óû§È¨ÏÞµÄÐÂÕÊ»§¡£ÈôÒªÀûÓô˷ì϶ £¬¹¥»÷Õß±ØÐëµÇ¼µ½ÊÜÓ°ÏìµÄϵͳ²¢ÔËÐо­ÌØÊâÉè¼ÆµÄ¾ç±¾»òÀûÓ÷¨Ê½¡£

×êÑÐÈËÔ±½«PrintDemon³ÆÎª¡°±¾µØÌØÈ¨Éý¼¶¡±£¨LPE£©·ì϶ £¬¼´±ã¹¥»÷ÕßÖ»ÓÐͨ³£Óû§È¨ÏÞ £¬Ò²Äܹ»Í¨¹ýPowerShellºÅÁîµÈ·½Ê½µÈÏлñȡϵͳµÄÖÎÀíԱȨÏÞ¡£¹¥»÷ÕßÄܹ»³õʼ»¯Ò»¸ö´òÓ¡²Ù×÷ £¬ÓÐÒâʹPrint Spooler·þÎñ±¼À£ £¬¶øºóÔÙ¸´Ô­´òÓ¡¹¤×÷ £¬´Ëʱ´òÓ¡²Ù×÷¾ÍÒÔSYSTEMȨÏÞÔËÐÐÁË £¬Äܹ»¸²¸ÇϵͳÖеÄËÁÒâÎļþ¡£

¹¥»÷ÕßÄܹ»Í¨¹ýÒ»¸öPowerShellºÅÁîÀûÓÃCVE-2020-1048£º

Add-PrinterPort -Name c:\windows\system32\ualapi.dll

ÔÚδװÖò¹¶¡µÄϵͳÖÐ £¬ÔËÐÐÉÏÊöºÅÁî»á×°ÖÃÒ»¸öÓÀÔ¶ºóÃÅ £¬¸ÃºóÃż´±ã½¨¸´ºóÒ²²»»áÒþû¡£

POC: https://github.com/ionescu007/PrintDemon


0x02 ´ëÖý¨Òé


΢ÈíÒѾ­ÔÚ5ÔµÄ΢Èí²¹¶¡ÈÕ°ä²¼Á˸÷ì϶µÄ²¹¶¡ £¬ÓÉÓڸ÷ì϶¼«¶ÈÈÝÒ×±»ÀûÓà £¬×êÑÐÈËÔ±½¨ÒéÓû§¾¡¿ì×°Öò¹¶¡¡£

һʱ´ëÊ©£ºÍ¨¹ýPowerShellµÄGet-PrinterPorts»òHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports À´É¨Ãè»ùÓÚÎļþµÄ¶Ë¿Ú £¬ÓÈÆäÊÇÄÇЩ.DLL»ò.EXEÀ©´óµÄÎļþõè¾¶¡£


0x03 ÓйØÐÂÎÅ


https://www.zdnet.com/article/printdemon-vulnerability-impacts-all-windows-versions/#ftag=RSSbaffb68


0x04 ²Î¿¼Á´½Ó


https://windows-internals.com/printdemon-cve-2020-1048/


0x05 ¹¦·òÏß


2020-05-15 VSRC°ä²¼·ì϶¹«¸æ

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿