Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:40 PM
Connect Directly

New Windows Print Spooler Zero-Day Flaws Harken Back to Stuxnet

Researchers find new flaws in the ubiquitous decades-old printer software in Windows, including one that bypasses a recent Microsoft patch.

Ten years after the game-changing Stuxnet attack was first discovered, a Windows printer program it exploited has been found to contain additional dangerous zero-day flaws that could allow an attacker to gain a foothold in the network as a privileged user.

The researchers who discovered the new flaws in Microsoft's ubiquitous Windows Print Spooler service say they wanted to see if there still was a way to game Print Spooler for a Stuxnet 2.0-style attack 10 years after the first known cyberweapon attack was unearthed. "We started digging in, looking at the original Stuxnet propagation, and then we found out there were problems. ... We decided to take the Spooler service to the next level, and eventually we found it was not fully patched," explains Tomer Bar, research team leader at Safe Breach, who along with his colleague Peleg Hadar found the flaws that they plan to detail today at Black Hat USA

Bar and Hadar found three zero-day vulnerabilities in the 20-year-old Windows Print Spooler program, which serves as the interface between a printer and the Windows operating system, loading the print driver, setting up print jobs, and printing. The new, post-Stuxnet vulns include a memory corruption bug that could be used to wage a denial-of-service (DoS) attack and two local privilege escalation bugs. One of the local privilege escalation flaws was patched by Microsoft in May (CVE-2020-1048), but Bar and Hadar found another similar flaw that bypasses that patch. All three vulnerabilities affect all versions of the Windows operating system.

"They're using the same function [as Stuxnet did] but with a little twist," Bar says of the two local privilege-escalation zero-days.

While Stuxnet used a Print Spooler exploit to gain remote access, the local vulnerability found by Bar and Hadar could allow any user to gain the highest privileges on the machine — either as a malicious insider who has physical access to the machine or via an existing remote-access foothold previously obtained by an attacker.

Hadar says while Microsoft's patch for the Stuxnet vulnerability (MS10-061) fixed the remote-attack hole, it didn't address the local privilege-escalation holes. "That's what we focused on and were able to exploit," he says. They found the flaws using good old-fashioned reverse engineering and fuzzing techniques.

Exploiting the flaws is fairly simple, too, the researchers say. They were able to employ PowerShell commands to exploit the vulns.

Along with their findings, the pair are releasing a proof-of-concept that demonstrates how these vulnerabilities that arbitrarily write to a file to escalate user privileges can be thwarted. The purpose is to show how to mitigate such attacks, Hadar says. Organizations can compile and load the proof-of-concept to help them understand how to block these Print Spooler attacks.

Meanwhile, Microsoft informed the researchers that it has no plans to patch the DoS vulnerability, Bar and Hadar say, but sometime after their presentation today, they expect Microsoft to issue a new patch for the local escalation flaw that bypasses the CVE-2020-1048 patch.

Microsoft did not directly respond to questions from Dark Reading about its patching plans or the nature of the flaws. "Coordinated Vulnerability Disclosure (CVD) is the industry best practice to help keep customers safe. We are committed to working with researchers to investigate reports and mitigate impacted devices as soon as possible," according to a statement provided to Dark Reading from a Microsoft spokesperson.

The Zero-Days
An attacker could use the memory corruption vulnerability to impose a DoS attack, merely by crafting a malicious printing file. When Print Spooler processes that file, the exploit causes the print service to crash. "So the most limited [privilege] user in a system can crash the service so that all users cannot print," Bar says.

It can also delete all print jobs that were queued up. "And if you try to restart it, we can crash it all over again," Bar says of the exploit.

While a printer DoS attack may seem less worrisome than other types of attacks, Ron Brash, director of cybersecurity insights at Verve Industrial Protection, says a DoS attack on Print Spooler could affect other operations if they run on the same Windows server, such as Active Directory or file shares.

"They could all get slowed by a resource consumption of a denial-of-service" attack, Brash explains. However, if the systems are configured for redundancy, a DoS would not be as painful. "It might prevent access to reports," for example, and mostly be an inconvenience, he says.

Exploiting the local privilege escalation flaws, meanwhile, only takes about dozen or so commands in Windows, according to the researchers. "The attacker doesn't need to have any special tools. ... He can use only native tools that are installed in Windows," Hadar explains. "Even a limited [privilege] user can come, run a few commands" and become a privileged user, he says.

The vulns, if exploited, could give an attacker a foothold to install malware, access data, or create new privileged user accounts.

Alex Ionescu, chief architect at CrowdStrike, says he's seen some online activity with the Print Spooler flaw CVE-2020-1048, but he thinks it could be from penetration testers or red-team exercises using it rather than in-the-wild attacks. "With the telemetry I've seen, it's out there," he says. "But no, I don't think we've seen any breaches of adversaries actually using this maliciously."

If an attacker already has local access on a machine, this is a simple way to escalate privileges on a server, he says, such as a nation-state establishing a beachhead in a target's network.

But patching this flaw doesn't guarantee a system is safe from attack, he warns. "One of the scary things about this is while the patch removes the ability to exercise the vulnerability," if an attacker has already gained a foothold via the vuln, they can keep attacking the system, he says.

Fixing an older legacy platform like Windows Print Spooler is fraught with tradeoffs, experts say. "It automatically causes compatibility issues: HP and Lexmark, for example, actually have components they produce that live inside Print Spooler," Ionescu says.

"It's the perfect storm of a very old [program] not being designed with security in mind, combined with compatibility issues with millions of printers," he says.

One way to mitigate these types of attacks, Ionescu notes, is to establish a Group Policy setting that prohibits non-privileged users from accessing Windows Print Spooler from their machines — only allowing them to print, for instance.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-13
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying th...
PUBLISHED: 2021-05-13
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
PUBLISHED: 2021-05-13
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.
PUBLISHED: 2021-05-13
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another serv...
PUBLISHED: 2021-05-13
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.