The article opens with some Windows internals background (Windows Internals is also the blog's name) on the printer service.
The bug is actually pretty simple... but first, some background! A printer has a specified port, which is where the job being printed gets written to. But did you know that the printer port can also be a file!? Yes, it can.
Another piece of background is needed: because a print job can fail partway through, the service has to give jobs some level of persistence.
Now, back to the bugs... If the printer service crashes, the persisted job is picked up again when the service comes back, and at that point it runs as SYSTEM. Now we can write anywhere as SYSTEM (that the service allows). This is where the second bypass occurs.
We could just specify the port to be an important Windows file and gain access to it (like some DLL). Well, this was thought of: there is a check to see if the user has permissions over that file. But in actuality, the check was ONLY client side! So, by invoking the same functionality via PowerShell, the check never runs.
It's now possible to go from a regular user to SYSTEM by using the printing service in a particular way!
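A defender's check for the condition described above, added here as an example and not code from the original post: it lists printer ports whose name is a file system path and which printers use them. It assumes the PrintManagement module (Get-PrinterPort, Get-Printer) is available and that file-backed ports report the Local Port monitor as "Local Monitor".

```powershell
# Added audit example (not from the original post). Assumes the PrintManagement
# module is available and the script runs with rights to read the spooler config.
Import-Module PrintManagement

function Get-FileBackedPrinterPort {
    # A port name that is a drive-letter or UNC path means the Local Port monitor
    # will write the spooled job to that file; LPT/COM/FILE: ports are left alone.
    $pathPattern = '^(?:[A-Za-z]:\\|\\\\)'
    # Paths under the Windows directory or ending in .dll/.exe deserve a closer look.
    $sensitivePattern = '\\Windows\\|\.dll$|\.exe$'
    $printers = Get-Printer
    foreach ($port in Get-PrinterPort) {
        if ($port.Name -notmatch $pathPattern) { continue }
        $using = $printers |
            Where-Object { $_.PortName -eq $port.Name } |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Port              = $port.Name
            Monitor           = $port.PortMonitor   # assumption: 'Local Monitor'
            PrintersUsingPort = ($using -join ', ')
            SensitiveTarget   = [bool]($port.Name -match $sensitivePattern)
        }
    }
}

Get-FileBackedPrinterPort | Format-Table -AutoSize
```

Any row with SensitiveTarget set to True, or a port created by a non-administrator, is worth investigating.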
Items to note:
- Client-side checks even happen in native services.
- Undefined situations in the source code can lead to security vulnerabilities. Think outside of the box of how a service can be used :)