SpoolFool

https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81

TL;DR - CVE-2020-1048 and CVE-2020-1337 are two Print Spooler vulnerabilities that were patched in May and August 2020, respectively. In September 2020, Microsoft patched a third Print Spooler vulnerability, which allowed a user to create arbitrary, writable directories by configuring the SpoolDirectory attribute of a printer. After that patch, the Print Spooler checks whether the user has permission to create the directory before setting the SpoolDirectory property on a printer. SpoolFool (CVE-2022-22718) gets around this: a user who cannot administer an existing printer either creates a new local printer or adds a remote printer whose permissions they control, opens it with administrative rights, and uses that handle to fool the spooler's SpoolDirectory handling into escalating their privileges.

The Print Spooler provides APIs for managing configuration data such as EnumPrinterData, GetPrinterData, SetPrinterData, and DeletePrinterData. We can modify a printer’s configuration with SetPrinterDataEx. This function requires a printer to be opened with the PRINTER_ACCESS_ADMINISTER access right. If the current user doesn’t have permission to open an existing printer with the PRINTER_ACCESS_ADMINISTER access right, there are two options:

  • The user can create a new local printer

  • The user can add a remote printer

By default, members of the INTERACTIVE group have the "Manage Server" permission on the local print server and can therefore create new local printers.

Creating a local printer only works on Windows 10 and 11 by default, though: on Windows Server the INTERACTIVE group is not granted "Manage Server" on the print server, so a user on a server has to add a remote printer instead.
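The following PowerShell is an added example and is not code from the SpoolFool write-up or its exploit. It probes the two access rights discussed above from the perspective of the current (low-privileged) user: PRINTER_ACCESS_ADMINISTER on every printer Get-Printer lists (the right SetPrinterDataEx needs) and SERVER_ACCESS_ADMINISTER, i.e. "Manage Server", on the local print server (the right needed to create a new local printer). The helper name Test-SpoolerAccess is mine; the constants come from winspool.h.

```powershell
# Added example, not part of the SpoolFool research. Probes which printers the
# current user can open with PRINTER_ACCESS_ADMINISTER and whether the user holds
# SERVER_ACCESS_ADMINISTER ("Manage Server") on the local print server.

Add-Type -Namespace Spool -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct PRINTER_DEFAULTS {
    public IntPtr pDatatype;
    public IntPtr pDevMode;
    public uint   DesiredAccess;
}

[DllImport("winspool.drv", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool OpenPrinter(string pPrinterName, out IntPtr phPrinter, ref PRINTER_DEFAULTS pDefault);

[DllImport("winspool.drv", SetLastError = true)]
public static extern bool ClosePrinter(IntPtr hPrinter);
'@

$PRINTER_ACCESS_ADMINISTER = 0x4   # winspool.h: manage the printer; required by SetPrinterDataEx
$SERVER_ACCESS_ADMINISTER  = 0x1   # winspool.h: "Manage Server"; required to add a local printer
$ERROR_ACCESS_DENIED       = 5

function Test-SpoolerAccess {
    param(
        $Target,                 # printer name, or $null for the local print server (NULL to OpenPrinter)
        [uint32]$DesiredAccess
    )
    if ([string]::IsNullOrEmpty($Target)) { $Target = $null }

    $defaults = New-Object -TypeName 'Spool.Native+PRINTER_DEFAULTS'
    $defaults.DesiredAccess = $DesiredAccess

    $handle = [IntPtr]::Zero
    $opened = [Spool.Native]::OpenPrinter($Target, [ref]$handle, [ref]$defaults)
    $lastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($opened) { [void][Spool.Native]::ClosePrinter($handle) }

    [pscustomobject]@{
        Target        = $(if ($Target) { $Target } else { '<local print server>' })
        DesiredAccess = '0x{0:X}' -f $DesiredAccess
        Granted       = [bool]$opened
        AccessDenied  = (-not $opened) -and ($lastError -eq $ERROR_ACCESS_DENIED)
    }
}

# Can this user create a local printer? ("Manage Server" on the local print server)
Test-SpoolerAccess -Target $null -DesiredAccess $SERVER_ACCESS_ADMINISTER

# Which printers, local or connected (\\server\share), can this user administer?
Get-Printer | ForEach-Object {
    Test-SpoolerAccess -Target $_.Name -DesiredAccess $PRINTER_ACCESS_ADMINISTER
}
```

Run it as the user you are assessing rather than as an administrator, since the point is what that user's token can open. On a default Windows 10/11 workstation the server probe is expected to succeed for an interactive user, and on Windows Server it is expected to fail with ERROR_ACCESS_DENIED, which is exactly the difference that pushes the attack towards a remote printer; a remote printer connection that returns Granted = True for PRINTER_ACCESS_ADMINISTER is the condition the rest of this page builds on.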

Scenario:

  • The user adds a remote printer (a printer connection); access to it is governed by the security descriptor of the shared printer on the remote print server.

  • So, if the remote printer grants EVERYONE the right to manage it, the user can obtain a handle to it with the PRINTER_ACCESS_ADMINISTER right.

Attack:

  • The user creates a shared printer on a server they control and grants EVERYONE the right to manage the printer.

  • The user adds this shared printer as a remote printer on the victim machine; it can now be managed by EVERYONE, the low-privileged user included.

  • The user opens the printer with PRINTER_ACCESS_ADMINISTER and uses that handle to set its SpoolDirectory, fooling the spooler into creating a directory on the user's behalf and escalating to arbitrary code execution as SYSTEM.
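The attack hinges on one ACE: an access-allowed entry that gives Everyone (or a similarly broad principal) PRINTER_ACCESS_ADMINISTER on the printer. The PowerShell below is an added example, not code from the SpoolFool write-up, that parses a printer's SDDL and reports such ACEs, so it can be pointed at a suspicious shared printer on a print server or at the printer connections present on a workstation. The SDDL in $SampleSddl is constructed for this example; the function name Find-BroadPrinterAdmin is mine.

```powershell
# Added example, not part of the SpoolFool research. Reports access-allowed ACEs
# that grant PRINTER_ACCESS_ADMINISTER (or GENERIC_ALL) to a broad principal.

$PRINTER_ACCESS_ADMINISTER = 0x4          # winspool.h
$GENERIC_ALL               = 0x10000000   # "GA" in SDDL; maps to full access on the printer
$ACE_INHERIT_ONLY          = 0x8          # AceFlags.InheritOnly: applies to print jobs, not the printer

# Principals any interactive user is a member of (well-known SIDs)
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Find-BroadPrinterAdmin {
    param([string]$PrinterName, [string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow ACEs that apply to the printer object itself
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (([int]$ace.AceFlags -band $ACE_INHERIT_ONLY) -ne 0) { continue }

        $sid = $ace.SecurityIdentifier.Value
        if (-not $BroadPrincipals.ContainsKey($sid)) { continue }

        $mask = $ace.AccessMask
        if ((($mask -band $PRINTER_ACCESS_ADMINISTER) -ne 0) -or (($mask -band $GENERIC_ALL) -ne 0)) {
            [pscustomobject]@{
                Printer    = $PrinterName
                Principal  = $BroadPrincipals[$sid]
                AccessMask = '0x{0:X}' -f $mask
            }
        }
    }
}

# Constructed sample: a default-looking printer DACL whose Everyone ACE has been
# widened from print-only (SWRC) to the "Manage this printer" set (LCSWDTSDRCWDWO:
# administer, use, manage-limited, delete, read control, write DAC, write owner).
$SampleSddl = 'O:BAG:SYD:(A;OIIO;GA;;;CO)(A;;LCSWDTSDRCWDWO;;;WD)(A;CIIO;GX;;;WD)(A;;LCSWDTSDRCWDWO;;;BA)(A;OIIO;GA;;;BA)'
Find-BroadPrinterAdmin -PrinterName 'SpoolFoolPrinter' -Sddl $SampleSddl

# Live use (PermissionSDDL is only populated with -Full):
# Get-Printer -Full | ForEach-Object { Find-BroadPrinterAdmin -PrinterName $_.Name -Sddl $_.PermissionSDDL }
```

On the sample, only the Everyone entry is reported; the BUILTIN\Administrators entry carries the same mask but is not a broad principal, and the two inherit-only entries are skipped because they only govern print jobs. The same function run over Get-Printer -Full on the attacker's print server shows the widened share, and run on the victim it shows whether any printer connection there is managed by Everyone.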

NT AUTHORITY\INTERACTIVE

NT AUTHORITY\INTERACTIVE is a well-known group (SID S-1-5-4), not a user account: Windows adds it to the access token of anyone who logs on locally at the console or over RDP. By default the local Users group contains INTERACTIVE as a member, which is why every interactive logon is treated as a member of Users. On Windows 10 and later this membership is added automatically; on older systems, removing INTERACTIVE from Users prevents anyone from logging on.
