How we bypassed CVE-2020-1048 Patch and got CVE-2020-1337
Created: January 2020
Updated: June 2020
When we originally found the Print Spooler LPE vulnerability in January 2020 on Windows 10, we also tried to exploit it on Windows 7 and Windows 8.
It didn’t work at first, so we looked for a workaround. Once we found one, we reported it to MSRC.
In May 2020, Microsoft patched the LPE vulnerability. When we examined the patch, we understood that:
It appeared that MSRC accidentally missed our workaround. Therefore, we reported it again. MSRC assigned this issue CVE-2020-1337. Now that the patch has been deployed, we are allowed to share the technical details.
This is the original write-up which we wrote for the Windows 7 workaround. We subsequently found that it worked with Windows 10, bypassing the CVE-2020-1048 patch!
We achieved local privilege escalation on Windows 10 and became curious whether or not the vulnerability we found also works on a previous version of Windows, as the Print Spooler mechanism is very old.
Local privilege escalation required a local port and a printer created in the context of an unprivileged user. We could not create them using PowerShell because the PrintManagement module doesn’t exist in Windows 7.
In order to add a local port, we wrote a C program using the OpenPrinter, XcvData and ClosePrinter functions:
We tried to create a port named
It failed to add the port. Apparently the Spooler checks whether we have access to the path of the port (which we obviously don’t).
As we know how the Spooler is implemented, we suspected a TOCTOU (Time-of-Check to Time-of-Use) issue.
We knew that the port-adding logic (which validates if we have access to the file we want to print to) isn't related to the printing process itself (which writes the file)! Therefore, if we found a way to pass the port-adding verification successfully, we would be able to write a file to System32.
So we did the following:
- Created a dummy folder which we have access to
- Created a local port which resides in the dummy folder (e.g.
==== TOCTOU =====
Let us try to explain the steps:
This way, when the Spooler tries to print to the folder using our vulnerability, it actually tries to write to System32, and it will have the permission to do so because it’s running as SYSTEM!
We created a c:\temp2\wbem dummy folder and created the following local port:
It worked! We now have a printer port which we can use in order to write files to System32.
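The gap described above is that the Spooler validates the literal port path once, at port-creation time, while the print job writes to wherever that path resolves later. The following is an added defender-side audit (not code from the original write-up): it re-resolves every file port through a table of known reparse points before comparing the result against protected directories, so a port that looked harmless when added is flagged once a mount point redirects it. The reparse-point table, port names and protected roots are constructed sample data.

```python
# Added example: audit local printer ports by resolving directory prefixes
# through known reparse points (junctions / mount points) before checking
# whether the final write location falls under a protected system directory.
from __future__ import annotations
import ntpath

# Constructed sample: mirrors the c:\temp2 -> System32 mount point described
# in the write-up. A real audit would enumerate reparse points on the host.
SAMPLE_REPARSE_POINTS = {
    r"c:\temp2": r"c:\windows\system32",
}

# Constructed sample of directories an unprivileged user must not write to.
PROTECTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")


def resolve_path(path: str, reparse_points: dict[str, str], depth: int = 0) -> str:
    """Resolve every directory prefix of `path` through known reparse points."""
    if depth > 16:  # guard against self-referencing or cyclic reparse points
        raise ValueError("reparse point chain too deep: %r" % path)
    norm = ntpath.normpath(path).lower()
    table = {ntpath.normpath(k).lower(): ntpath.normpath(v).lower()
             for k, v in reparse_points.items()}
    parts = norm.split("\\")
    for i in range(1, len(parts) + 1):
        prefix = "\\".join(parts[:i])
        if prefix in table:
            # Re-resolve from the target in case it is itself redirected.
            redirected = "\\".join([table[prefix]] + parts[i:])
            return resolve_path(redirected, reparse_points, depth + 1)
    return norm


def is_file_port(port_name: str) -> bool:
    """File ports are absolute drive paths; LPT1:, COM1:, nul: and FILE: are not."""
    return len(port_name) > 2 and port_name[1] == ":" and port_name[2] in "\\/"


def audit_ports(port_names, reparse_points) -> list[tuple[str, str]]:
    """Return (port, resolved_path) for each file port landing in a protected root."""
    findings = []
    for name in port_names:
        if not is_file_port(name):
            continue
        resolved = resolve_path(name, reparse_points)
        if any(resolved.startswith(root + "\\") for root in PROTECTED_ROOTS):
            findings.append((name, resolved))
    return findings
```

With an empty reparse-point table the same port passes the audit, which is exactly the blind spot of the one-time check performed when the port is added; the audit only has value if it is repeated after ports exist (for example on each print job or on a schedule).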
After we created the port and deleted the dummy folder, we used James Forshaw’s CreateMountPoint tool in order to create a mount point in c:\temp2 which points to c:\windows\System32:
Now let’s try to print by copying our SHD and SPL (DLL) files, and restart the computer.
It worked! We achieved privilege escalation to SYSTEM, and code execution by