Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenticated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:ProgramDataUniversal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:WindowsSystem32Printing_Admin_Scriptsen-USprnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITYSYSTEM, will inspect the C:ProgramDataUniversal Color Laser.gdl file and will load the malicious DLL from the path specified in the file. This which will result in the malicious DLL executing as NT AUTHORITYSYSTEM. Once this module is finished, it will use the prnmngr.vbs script to remove the printer it added.

You May Also Like