PrintDemon vulnerability explained: Its risks and how to mitigate

Microsoft has finally patched the decades-old Windows PrintDemon vulnerability, but exploitable devices might still be on your network.

CSO  >  Antivirus symbol on binary background
Arkadiusz Wargua / Getty Images

Microsoft’s May 2020 update patched some 111 vulnerabilities including one for Windows Print Spooler. That vulnerability, discovered by Peleg Hadar and Tomer Bar of SafeBreach Labs,  caught the eye of security experts, as hackers can exploit it to elevate privileges and execute arbitrary code. Dubbed PrintDemon and known by CVE-2020-1048, the flaw impacts all Windows versions released since 1996.

Interestingly, the bug was previously exploited by the notorious Stuxnet virus. It was even “fixed” yet continued to lurk in Windows systems. It has finally been extinguished – so we hope.

What is PrintDemon?

If you’ve been around since early Windows days, you remember installing “drivers” when plugging in a new printer. These arrived on CD-ROMs and floppy disks shipped with printers and made available online by the vendors. The drivers facilitate communication among the printer, OS and intermediary components to deliver a finished, slick printout.

To make things easier for the vendors, Microsoft now offers its own generic set of drivers, APIs and libraries that printer manufacturers can use and extend. The Windows Print Spooler service (“spoolsv.exe”) is one such service bundled with every Windows version. It serves as an interface between the OS, software components, printer drivers, and printer. It’s the magic that queues and forwards your print jobs, tracks their progress, and communicates these events between user applications and the printer. The spooler is implemented as a service daemon, from which the moniker, PrintDemon, is derived. 

PrintDemon technical overview

Exploiting the flaw relies on three facts:

  • Non-administrative users can add printers to a Windows machine.
  • The underlying mechanics make it possible to print to a file rather than a physical printing device.
  • Crucial printing services on Windows run with SYSTEM privileges.

The key behind many exploits involving printers is this overlooked functionality in printer drivers, a remnant of old times: When configuring printers, you are asked to choose a port where the printer resides and where print jobs should be sent to. The port, however, need not be a physical LPT (parallel) or USB port. A local virtual port on the system is just as valid. Recall FILE: port (or PORTPROMPT: on Windows 8 and above), the same functionality that powers “print to PDF” software drivers.

Additionally, spoolsv.exe, like some other Windows components, runs with system privileges. If you can trick the print daemon into “printing” malicious commands or a file to a FILE: port that leads to an existing system file (a crucial DLL or EXE) and not a physical printing device, you have just hit the jackpot. For example, should the system DLL be overwritten during the process with your malicious code, every time Windows boots and attempts to load that core DLL, it’ll be your malicious DLL that is spun up instead.

“What we’ve shown so far is that with very subtle file system modifications, you can achieve file copy/write behavior that is not attributable to any process, especially after a reboot, unless some EDR/DFIR [endpoint detection and response/digital forensics and incident response] software somehow knew to monitor the creation of the SHD file and understood its importance. With a carefully crafted port name, you can imagine simply having the Spooler drop a PE [portable executable] file anywhere on disk for you (assuming you have access to the location),” stated security researchers Alex Ionescu and Yarden Shafir of Winsider in a blog post.

Although security checks and failsafe mechanisms have been built into Windows Spooler over the last decade to prevent such abuse, these clearly fell short in patching PrintDemon. “This bug is probably one of our favorites in Windows history … due to its simplicity and age — completely broken in original versions of Windows, hardened after Stuxnet… yet still broken,” the researchers further commented.

Why PrintDemon matters to your enterprise

According to Kaspersky, 48% of small- to medium-sized businesses still use Windows XP and 7, support for which was officially terminated in April 2014 and January 2020, respectively. Windows Server editions power up to 72.1% of servers worldwide. Your organization is therefore realistically at risk of being impacted by bugs like PrintDemon and several others announced in the May 2020 update advisory.

The privilege escalation flaw requires that the attacker have at least some basic level of access to the system. On first glance that may provide relief to sysadmins and IT/ops professionals, but that doesn’t preclude this vulnerability from being incorporated as one of the pieces in larger, sophisticated chained attacks and APT campaigns.

It’s easy to phish someone's enterprise credentials and access the user’s Active Directory (AD) account. That’s all an attacker needs to silently kickstart the groundwork for configure malicious printers and ports on any system the compromised user account is authorized to access.

As a former SOC analyst watching over leading healthcare and finance brands, I observed the daily volume of phishing scams that made their way to employees’ inboxes. A significant percentage of users, including physicians with access to critical systems, fell for them, revealing their credentials. We would then pull such phishing emails out of every Outlook mailbox, reset compromised credentials, and thoroughly scan the machines that could have been accessed by an attacker.

Because of how enterprise networks are typically configured — interconnected applications using the same AD or LDAP credentials across Windows domain, Outlook, SharePoint, Teams, and mission critical systems, all powered by the same username and password — the possibilities for what attackers can gain are endless. A basic-level user domain account when compromised and infused with such an exploit rapidly gives the attacker the ability to infiltrate even more sensitive networked systems and to execute commands with elevated privileges.

PrintDemon attacks may take more than a single line of code and well-timed planning to execute. However, a thorough writeup and proof of concept (PoC) by Ionescu and Shafir demonstrate just how, and what’s in it for hackers.

How to mitigate PrintDemon

The obvious advice is to apply regular updates and patches, including the May 2020 set published by Microsoft. The patches prevent new malicious ports and printers from being added, but do not necessarily remove existing ones. Do a thorough sweep of compromised systems and search for rogue printer drivers and ports.

"The simplest solution to prevent this vulnerability from being exploited is to stop and disable the print spooler service where possible,” advises Tal Morgenstern, CPO of Vulcan Cyber, a vulnerability remediation company. “Generally speaking, many servers and some workstations don’t need print functionality at all. This will mitigate the vulnerability and minimize the attack surface for those devices.”

“For workstations required to print, monitoring for changes [and preventing write access to the following registry value] would validate if someone is trying to exploit this vulnerability, and deleting new values will stop the exploitation,” adds Morgenstern. The registry key he’s referring to is:


For domain accounts, “Organizations should use Microsoft’s Group Policy feature to disable user printer creation. This might be a challenge given that many employees are working from home right now, so my suggestion would be to apply patches in the normal cycle,” suggests Jonathan Cran, head of research at Kenna Security.

Reviewing and updating legacy systems

Discovery of vulnerabilities like these opens up room for discussion surrounding use of legacy products by your enterprise. There are often well-documented business reasons for continuing to run an older Windows 2008 server, for example, which has reached its end-of-life in terms of updates, support and software compatibility.

From a managerial standpoint, it makes sense to divert budget and resources towards development of newer applications, than allocate time and effort on migrating an older system to its later counterpart, unless an absolute business need warrants doing so. Delaying the transition, however, carries increased risks of exposure to known and unknown vulnerabilities impacting dated components.

“Vulnerability remediation should be looked at in complete context. Age of the vulnerability is one factor, but old vulnerabilities can still be exploited. Organizations should use risk-based prioritization that considers asset details and importance to the business, its exposure to threat origins and exploit activity in the wild, among other items,” says Sivan Nir, threat intelligence team leader at Skybox Security.

It also makes sense to refer to some frameworks designed to help assess, manage and replace legacy systems altogether. You may be surprised to find that the hidden costs of running a legacy system might be much higher than upgrading.

Brian Wrozek, CISO at Optiv Security says, “The first step is to aggressively sunset legacy solutions and ensure this analysis is part of your yearly strategic planning and budgeting efforts.” He further suggests to “harden, isolate and minimize the system by restricting access and usage to just those specific tasks required by the legacy solution, and to routinely review [with the executive team systems] that are exceptions to your policies or represent elevated risk to the organization.”

A comprehensive information security assurance policy for your company should set out processes for reviewing and analyzing legacy systems from time to time and what the upgrade path entails. Phasing out an older system in planned stages may seem like unnecessary overhead, but it cannot be ignored in times where security breaches dominate the headlines.

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)