Vendor: Unknown
By: Unknown
CVSS: N/A
Severity: HIGH
Type: Privilege Escalation
CWE: Unknown
Product Name: Unknown
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Unknown
CPE: Unknown
Platforms Tested: Unknown

Local Privilege Escalation in Spooler Service

The spooler service (spoolss.exe) allows local users to add their own DLL files and have the spooler run them at SYSTEM level. This could lead to privilege escalation all the way up to Administrator level. The problem is in the function AddPrintProvider(). This exploit will crash the spooler service and copy a custom DLL into c:\winnt\system32. When the spooler service is restarted, the custom DLL is loaded and run at SYSTEM level. The 'whoami' binary is run and the results are logged in a text file for verification. If the target machine's NT directory is not the default c:\winnt, the program will have to be modified.

Mitigation:

Unknown
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/769/info

The spooler service (spoolss.exe) allows local users to add their own dll files and have the spooler run them at SYSTEM level. This could lead to privilege escalation all the way up to Administrator level. The problem is in the function AddPrintProvider(). 

This exploit will crash the spooler service and copy a custom dll into c:\winnt\system32. When the spooler service is restarted, the custom dll is loaded and run at SYSTEM level. The 'whoami' binary is run and the results logged in a text file for verification. If the target machine's NT directory is not the default c:\winnt, the program will have to be modified.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19594.zip
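
One way to audit what the description above comes down to, which provider DLLs the spooler loads when it starts, is the PowerShell check below. It is an added example, not part of the original advisory or the exploit archive, and it assumes the standard registration location `HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers` with a `Name` value per provider, which the page itself does not mention.

```powershell
# Added audit example (not from the original advisory).
# Assumption: print providers are registered as subkeys of Print\Providers,
# each with a 'Name' value holding the provider DLL the spooler loads.
$providersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers'
$system32     = Join-Path $env:SystemRoot 'System32'

$report = foreach ($key in Get-ChildItem -Path $providersKey -ErrorAction Stop) {
    $dllName = (Get-ItemProperty -Path $key.PSPath -Name 'Name' -ErrorAction SilentlyContinue).Name
    if (-not $dllName) { continue }   # subkey without a provider DLL value

    # A bare file name is resolved against System32; a rooted path is used as-is.
    $expanded = [Environment]::ExpandEnvironmentVariables($dllName)
    $dllPath  = if ([IO.Path]::IsPathRooted($expanded)) { $expanded }
                else { Join-Path $system32 $expanded }

    $exists = Test-Path -LiteralPath $dllPath -PathType Leaf
    $file   = if ($exists) { Get-Item -LiteralPath $dllPath } else { $null }
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dllPath } else { $null }

    [pscustomobject]@{
        Provider      = $key.PSChildName
        Dll           = $dllPath
        Exists        = $exists
        Signature     = if ($sig) { [string]$sig.Status } else { 'n/a' }
        Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        LastWriteTime = if ($file) { $file.LastWriteTime } else { $null }
    }
}

# Full inventory, then the entries that need a closer look:
# a missing DLL, or one without a valid signature.
# Caveat: on older PowerShell versions catalog-signed system files can
# report NotSigned, so treat a hit as a lead to review, not a verdict.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-List Provider, Dll, Signature, Signer, LastWriteTime
```

Run it from an elevated prompt and compare the output against a known-good baseline; a provider entry that appears after an unexpected spooler crash and restart is the pattern the description above would leave behind.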