At the recent Black Hat conference, Peleg Hadar and Tomer Bar of SafeBreach Labs pointed out that the way to a network’s heart is often through its printers. In 2010, one of the vulnerabilities Stuxnet used was a remote code execution on a computer with printer sharing enabled. To reach Iran’s centrifuges, Stuxnet exploited a vulnerability in the Windows Print Spooler service to gain code execution as NT AUTHORITY\SYSTEM.
The method Stuxnet used to propagate across the network is still possible. In fact, Hadar and Bar announced that the security updates Microsoft released in August include a fix for a printer vulnerability that they discovered. A proof of concept of their findings has been posted to GitHub along with the tools they used.
In May, Yarden Shafir and Alex Ionescu released a whitepaper called PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth that showcased the interesting ways Print Spooler can be used to elevate privileges, bypass endpoint detection and response (EDR) rules, and gain persistence. Attackers often look for new and unusual ways to attack systems. The Spooler service, implemented in Spoolsv.exe, is appealing to them because it runs with SYSTEM privileges and is network accessible. Shafir and Ionescu point out that attackers look for the following attack vectors:
- Printing to a file in a privileged location, hoping Spooler will do that
- Loading a “printer driver” that’s actually malicious
- Dropping files remotely using Spooler RPC APIs
- Injecting malicious “printer drivers” from remote systems
- Abusing file parsing bugs in EMF/XPS spooler files to gain code execution
Starting with Windows Vista, installing a printer driver does not require administrative rights when the driver is a pre-existing inbox driver; in that case no special privileges at all are needed to install it.
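The first two vectors above (file-path ports and untrusted driver binaries) are both visible in a host's Spooler configuration. The following audit script is an added example, not code from the PrintDemon paper or the SafeBreach proof of concept; it assumes Windows 8 / Server 2012 or later with the PrintManagement module, run from an elevated session so the driver files under the spool directory are readable.

```powershell
# Added audit script (not from the PrintDemon paper or the SafeBreach PoC).
# Assumes Windows 8 / Server 2012 or later with the PrintManagement module,
# run in an elevated PowerShell session so driver files are readable.
#Requires -Modules PrintManagement

# Standard port names (LPT1:, COM1:, FILE:, IP_..., WSD-..., USB001) never look like
# an absolute filesystem path; a port named like one means Spooler, running as
# SYSTEM, will write the spooled output to that location when a job is printed.
$pathLike = '^([A-Za-z]:\\|\\\\)'

$findings = @()

# 1. Printer ports whose name is a local or UNC file path.
foreach ($port in Get-PrinterPort) {
    if ($port.Name -match $pathLike) {
        $findings += [pscustomobject]@{
            Kind   = 'FilePathPort'
            Object = $port.Name
            Detail = "monitor=$($port.PortMonitor)"
        }
    }
}

# 2. Driver binaries that spoolsv.exe will load but that carry no valid
#    Authenticode signature. Data files such as .ppd/.gpd are skipped since
#    they are not signed even for legitimate inbox drivers.
foreach ($drv in Get-PrinterDriver) {
    $files = @($drv.DriverPath, $drv.ConfigFile, $drv.DataFile) + @($drv.DependentFiles)
    $files = $files | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
    foreach ($f in $files) {
        if ($f -notmatch '\.(dll|exe|sys)$') { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $f
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{
                Kind   = 'UnsignedDriverFile'
                Object = $drv.Name
                Detail = "$f status=$($sig.Status)"
            }
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No file-path ports or unsigned driver binaries found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on either check is a lead to investigate, not proof of compromise: administrators do create file-backed ports deliberately, and some vendor drivers ship unsigned helper DLLs.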