CVE-2009-0229-PoC

PoC for CVE-2009-0229 "Print Spooler Read File Vulnerability" LPE AFR (related to CVE-2020-1048)

Details

Author: Andrei Costin (zveriu@gmail.com)
- https://twitter.com/costinandrei/
PoC date: 2010-xx-xx
Release date: 2020-05-14 (reminded/inspired by CVE-2020-1048 - yes, I am too late to the party :D )
TL;DR
- If you want 0days, dig Printing and Faxing sub-system of OSes :) - lots of legacy code due to historical reasons - there are vulns for everyone =)

Note1: Unverified - unsure 100% is the same bug that triggers the CVE-2009-0229
Note2: Unverified - could work on newer systems like Windows Server 2012 and Windows Server 2016
Note3: All Windows releases come with 4 default "Separator Page" files
- pcl.sep
- pscript.sep
- sysprint.sep
- sysprtj.sep
Note4: This trick is older than Windows 95 =), pretty sure it was used by pros for "stealth info recovery" ;)

(non-admin) local attacker has "printer management rights"
- option1: can add a new printer
- option2: can modify settings of an existing "system wide" printer (many times the case)
"arbitrary file" for exfiltration does not have explicit "Deny Read" permission
- highly unlikely as that would make accessing files for the victim really unpractical/unusable

Local attacker configures any printer s/he has access to so that it uses "Separator Page" file supplied by the attacker (attack.sep), now attacker has "weaponized printer"
- See "Windows "Separator Page" References" below for details
Local attacker crafts the "Separator Page" file (attack.sep) to use the "@F"/"$F" operator, as follows, where the file to be exfiltrated is assumed to be "C:\secret.txt" (notice the \ and the direct concatenation to @F operator)

@
@FC:\\secret.txt

Local attacker needs to print something using the "weaponized" printer above
- For example, local attacker opens Notepad, prints the empty document through the printer configured above with "Separator Page" file
- Local attacker uses the "print to file" (e.g., c:\temp\exfiltrated.out) option when printing - there are "print to file" .ps in most Windows versions + .xps in newer ones (http://ps-2.kev009.com/pcpartnerinfo/ctstips/e94a.htm)
  - This is done so that the content of the exfiltrated file does not go to the printer (though this is also an option), but becomes immediately available to the attacker
Attack improvement: one "Separator Page" file can have a brute-force list of most common filepaths/filenames
There is also @L operator :)
- see my "PostScript: Danger Ahead?!" https://scholar.google.fr/scholar?oi=bibs&hl=en&q=related:RGJbW-sFP9sJ:scholar.google.com/
- see also pscript.sep and sysprint.sep

Found back in 2010 when I was doing "Hacking Printers for Fun and Profit" research/talks
- https://www.youtube.com/watch?v=R56ZXErKCeE
- https://www.youtube.com/watch?v=KrWFOo2RAnk
- https://www.youtube.com/watch?v=JcfxvZml6-Y
- http://andreicostin.com/papers/Conf%20-%20EuSecWest2010_AndreiCostin_HackingPrintersForFunAndProfit_full.pdf
- found independently from CVE-2009-0229 submitter - until today, I did not know there is this CVE-2009-0229 =)), thought I was sitting on a 0day =))
I am pretty sure the Printing and Faxing sub-systems are bug-trapped with vulns back since Windows 3.1 (for historical reasons)