The patched version of spoolsv for #PrinterNightmare is interesting. The call to YIsElevated seems to be an admin check in disguise: basically only admins can open the process token for TOKEN_QUERY, which, if it fails, will return FALSE even if the process token is elevated.
It'll then check if elevation is required, based on whether NoWarningNoElevationOnInstall is enabled. If YIsElevated returns FALSE and YIsElevationRequired returns TRUE then it's based on the result of RunningAsLUA.
This is where the impersonation token is checked. If the caller's token is a Limited token then the result is TRUE. If a Full token it's FALSE. However if it's a Default token (which is what you get as a network token) it's based on the value of elevation.
And there is the bug: because the caller is from the network it gets a Default token. As the caller is also in the 2000 compat group the token is considered elevated, therefore the 0x8000 isn't unset.
Setting NoWarningNoElevationOnInstall should enable the bug again. Also, if for some reason the caller has TOKEN_QUERY access to the spooler service's token, that's also a bypass. You could also bypass locally on Win8 I think, but it would effectively be a UAC bypass ;-)
One more fun finding, if you're the type of person to disable UAC completely (not just turning off the prompting, but totally disabled) then the "fix" also breaks. Perhaps this is why some people see it working on their test machines?
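The following PowerShell script is an added example, not part of the thread above and not Microsoft's code. It checks, on a local machine, the three conditions the thread describes as weakening the patched check: whether NoWarningNoElevationOnInstall is set, whether UAC is disabled entirely, and whether the current caller can open spoolsv's token for TOKEN_QUERY. It also reads the current process token's TOKEN_ELEVATION_TYPE (Default / Full / Limited) so the three cases RunningAsLUA is described as distinguishing can be seen on a real token. Assumptions: the policy value lives under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, "UAC totally disabled" is taken to mean EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the helper names (TokenCheck, Get-RegDword) are this example's own.

```powershell
# Added example: local checks for the conditions the thread says weaken the spooler fix.
# Not the spooler's code; helper names and the EnableLUA interpretation are assumptions.

if (-not ('TokenCheck' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenCheck {
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, out int info, int len, out int ret);

    const uint TOKEN_QUERY = 0x0008;
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS::TokenElevationType
    const int TokenElevation = 20;       // TOKEN_INFORMATION_CLASS::TokenElevation

    static int QueryDword(IntPtr token, int cls) {
        int value, len;
        if (!GetTokenInformation(token, cls, out value, sizeof(int), out len))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return value;
    }

    static int QueryOwnToken(int cls) {
        IntPtr t;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out t))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try { return QueryDword(t, cls); } finally { CloseHandle(t); }
    }

    // TOKEN_ELEVATION_TYPE of this process: 1 = Default, 2 = Full, 3 = Limited
    public static int CurrentElevationType() { return QueryOwnToken(TokenElevationType); }
    // TOKEN_ELEVATION.TokenIsElevated of this process (non-zero = elevated)
    public static int CurrentIsElevated() { return QueryOwnToken(TokenElevation); }

    // True if this caller can open the given process's primary token for TOKEN_QUERY,
    // which is the access the thread says YIsElevated's admin check hinges on.
    public static bool CanQueryToken(int pid) {
        IntPtr p = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (p == IntPtr.Zero) return false;
        try {
            IntPtr t;
            if (!OpenProcessToken(p, TOKEN_QUERY, out t)) return false;
            CloseHandle(t);
            return true;
        } finally { CloseHandle(p); }
    }
}
'@
}

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$typeName = @{ 1 = 'Default'; 2 = 'Full'; 3 = 'Limited' }
$elevType = [TokenCheck]::CurrentElevationType()
"Current process token: elevation type = $($typeName[$elevType]), TokenIsElevated = $([TokenCheck]::CurrentIsElevated())"

# Assumed policy location for NoWarningNoElevationOnInstall (Point and Print restrictions).
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$noElevation = Get-RegDword $pnpKey 'NoWarningNoElevationOnInstall'
$noElevationShown = if ($null -eq $noElevation) { 'not set' } else { $noElevation }
if ($noElevation -eq 1) { "WARN: NoWarningNoElevationOnInstall = 1 (the thread says this re-enables the bug)" }
else { "OK:   NoWarningNoElevationOnInstall is $noElevationShown" }

# Assumption: "UAC totally disabled" = EnableLUA 0 (not merely ConsentPromptBehaviorAdmin 0).
$enableLua = Get-RegDword $uacKey 'EnableLUA'
if ($enableLua -eq 0) { "WARN: EnableLUA = 0, UAC disabled entirely (the thread says the fix breaks)" }
else { "OK:   EnableLUA is $(if ($null -eq $enableLua) { 'not set (defaults to on)' } else { $enableLua })" }

$spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue | Select-Object -First 1
if ($null -eq $spooler) { "NOTE: spoolsv is not running" }
elseif ([TokenCheck]::CanQueryToken($spooler.Id)) { "NOTE: this caller can open spoolsv's token for TOKEN_QUERY (expected for admins; a bypass for anyone else)" }
else { "OK:   spoolsv's token is not openable for TOKEN_QUERY from this context" }
```

Run it once as a standard user and once from an elevated prompt: the elevation type reads Limited and Full respectively under UAC, and the spoolsv token check flips from denied to allowed. With EnableLUA = 0 there is no split token, so the local type reads Default, the same class the thread says a network caller receives; the script only inspects the local process token, so a Default result here is a local illustration of that class, not a reproduction of the remote path.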