"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application."
What is Print Spooler?
The print spooler is one of the important components of the printing interface; it manages the printing process. It is an executable file. After retrieving the correct driver location, it loads the driver. Scheduling print jobs is another management function performed by the print spooler. Enhanced metafile (EMF) is the default data type for a print job. The other data types supported by the print spooler are ASCII text and raw data.
How vulnerable is the PrintDemon?
According to the report released by researchers, this vulnerability affects all Windows versions dating back to 1996. In the opinion of the researcher Alex Ionescu, an attacker can exploit this vulnerability with the following single PowerShell command:
Add-PrinterPort -Name c:\windows\system32\ualapi.dll
He claims that on an unpatched system, the above PowerShell command will install a persistent backdoor, and that this backdoor will not go away even after the system is patched. But according to Brendan Watters, a Rapid7 researcher, and a few other blogs, it is impossible to exploit this vulnerability with a single-line command.
This vulnerability cannot be triggered remotely through the Internet. An attacker can exploit the target system only if he has already logged in to that system. As stated by Microsoft, "An attacker who has user-level access to the system could run arbitrary code with elevated system privileges. The hacker could then install programs; view, modify, or delete data; or create new accounts with full user rights."
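Because the command quoted above creates a printer port whose name is a file path, a defender can audit a host for such ports. The following is an added example, not code from the article or from the researchers it cites; the function name Find-SuspiciousPrinterPort, the severity labels and the sample port names are assumptions made for illustration.

```powershell
# Added example (not from the article): flag printer ports named like file paths.
function Find-SuspiciousPrinterPort {
    [CmdletBinding()]
    param(
        # Port names to inspect. When omitted, the local machine's ports are read.
        [string[]]$PortName
    )

    if (-not $PSBoundParameters.ContainsKey('PortName')) {
        $PortName = Get-PrinterPort | Select-Object -ExpandProperty Name
    }

    $systemRoot = "$env:SystemRoot\"
    foreach ($name in $PortName) {
        # Ordinary ports (LPT1:, COM1:, FILE:, USB001, IP_...) are not drive-letter paths.
        if ($name -notmatch '^[A-Za-z]:\\') { continue }

        $severity = 'Review'
        $reason   = 'Port name is a file path; print output sent to it is written to that file'

        # Escalate when the target is an executable file type or sits under the Windows directory.
        $isBinary = $name -match '\.(dll|exe|sys|ocx|cpl|scr)$'
        $inSystem = $name.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        if ($isBinary -or $inSystem) {
            $severity = 'High'
            $reason   = 'Port targets an executable file type or the Windows directory'
        }

        [pscustomobject]@{ PortName = $name; Severity = $severity; Reason = $reason }
    }
}

# Constructed sample port names, for illustration only.
$sample = @(
    'LPT1:', 'FILE:', 'USB001', 'IP_192.0.2.10',
    'C:\Temp\report.prn',
    'c:\windows\system32\ualapi.dll'   # the port name from the command quoted above
)
Find-SuspiciousPrinterPort -PortName $sample | Format-Table -AutoSize

# On a live host, inspect the real ports (requires the PrintManagement module):
# Find-SuspiciousPrinterPort
```

A port flagged 'Review' can be a legitimate print-to-file setup, so confirm who created it before removing it with Remove-PrinterPort.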