Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Privilege Escalation in Windows Spool Service - CVE-2020-1030

Victor Mata - Accenture. Posted 5 years ago
  • This vulnerability chains several quirks of the Windows Print Spooler service to achieve privilege escalation. The Print Spooler is a high-value target because printer drivers must be installed with high privileges, without creating any other issues.
  • An older version of the Print Spooler service worked in a different directory and still searched for it. However, this directory no longer exists.
  • Using the APIs the service provides, the author makes the version 4 driver directory world-writable. Once that is the case, new DLLs can trivially be added to this location. This took a lot of application logic that is very specific to the Print Spooler service.
  • The other interesting quirk was that the vulnerability could only be triggered while the Print Spooler was being initialized, so they needed a crash oracle to make this work. This was done by loading the DLL AppVTerminator.dll into the print spooler.
  • Overall, this is a good dive into the Spooler service and an interesting bug. However, the article is difficult to read because the bulk of it is background on the Spooler service. I wish there were a step-by-step on what is needed for the attack.