Windows Print Spooler Flaws Lead to Code Execution

Microsoft today released six critical bulletins as part of its July Patch Tuesday update, including patches for remote code execution flaws in Windows Print Spooler components.

Networked printers have always posed an interesting attack vector, mostly for academics looking for vulnerabilities, and vandals sending garbage to the print bin.

Today, however, Microsoft patched a legitimate vulnerability that an attacker could abuse to attack corporate and home networks.

MS16-087, one of a half-dozen critical security bulletins published today by Microsoft, patches a pair of flaws in Windows Print Spooler components. The most serious of the vulnerabilities patched today can be attacked either with local access to the printer, via drive-by download, or by spoofing a shared network print server that is then broadcast with auto-discovery.

Researchers at Vectra Networks today disclosed some details on the vulnerability, but did not publish their proof-of-concept code. The flaw, CVE-2016-3238, affects all supported versions of Windows, and allows an attacker to install and execute a driver that acts essentially as a wrapper for malicious code, said Vectra chief security officer Gunter Ollmann.

Microsoft said the Windows Print Spooler service did not properly validate print drivers while installing printers from servers. A second related vulnerability, CVE-2016-3239, allowed for privilege escalation; Microsoft patched the flaw, which allowed attackers to write to the file system.

Ollmann said the way Windows handled printer drivers when users printed documents, added new printers to the network or connected to existing printers, opened the door to abuse. Windows would check for and download new drivers from the printer, inherently trusting the driver, he said.
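An added audit example, not from the article or from Vectra's research: this PowerShell lists the files behind each installed print driver together with their Authenticode status, so a driver pulled from a print server without a trusted signature stands out in an inventory. It assumes the PrintManagement module is present (Windows 8 / Server 2012 and later) and an elevated prompt; files signed only through a catalog (.cat) report NotSigned, so treat the output as a triage list rather than a verdict.

```powershell
# Added example (not from the article or Vectra): enumerate installed print
# drivers and check the Authenticode signature of every file they register.
# Requires the PrintManagement module (Get-PrinterDriver) and elevation so
# that paths under the driver store are readable.

function Get-PrintDriverSignatureReport {
    [CmdletBinding()]
    param()

    foreach ($drv in Get-PrinterDriver) {
        # Gather every file the driver declares: INF, main binary, data,
        # config, help and any dependent files. Drop empty or missing entries.
        $files = @($drv.InfPath, $drv.Path, $drv.DataFile, $drv.ConfigFile,
                   $drv.HelpFile) + @($drv.DependentFiles) |
                 Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
                 Sort-Object -Unique

        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -LiteralPath $f
            [pscustomobject]@{
                Driver      = $drv.Name
                Environment = $drv.PrinterEnvironment
                File        = $f
                # Valid, NotSigned, HashMismatch, UnknownError, ...
                # Catalog-signed (.cat) files show NotSigned here; verify those
                # separately before treating them as suspicious.
                Status      = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Report anything that is not cleanly signed, grouped by driver.
Get-PrintDriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Driver, File |
    Format-Table -AutoSize
```

Run it periodically from a management host against print servers as well as clients, since the article's scenario relies on a shared print server handing the driver to every machine that connects.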

“The problem is that driver doesn’t need to be a driver,” Ollmann said. “It could be any executable code. The vulnerability allows any attacker to use a printer which has installed a fake driver, or malicious executable, to be automatically installed and execute on any Windows system on that network that is looking for a printer or wants to print.”

Ollmann likened the attack scenario to a watering hole attack, where the printer lies in wait and victims unwittingly download malicious executables onto their machines.

An attacker could also take advantage of the same functionality against devices sharing a virtual printer on the network.

“Anyone connecting to the printer share will download the malicious driver,” Ollmann said. “This moves the attack vector from physical devices to any device on the network capable of hosting a virtual printer image.”

To gain scale, an attacker could also take advantage of Windows’ functionality that allows users to print over the Internet and exploit the flaws in a drive-by download attack where an exploit would be embedded on a webserver and executed via the browser, forcing the compromised machine to install the malicious driver.

“Effectively, the driver is a wrapper around whatever executable you want to run on the machine,” Ollmann said.

Ollmann points out too that while Microsoft has made significant security improvements to its operating system, it has ignored attack vectors such as printer drivers. An attacker could have abused this without fear of detection until now, he said, adding that it shouldn’t take attackers—or Metasploit—long to develop working exploits.

“The nice thing about this vector is that you deploy it once and leave it in there; the probability of detection is unlikely,” Ollmann said. “If you’re looking for an example of a persistent threat, this helps establish a new definition.”

Today’s Patch Tuesday load was fairly light. A security update for Microsoft Office, MS16-088, merits attention and includes patches for seven remote code execution vulnerabilities, six of which are memory corruption flaws, affecting Office, SharePoint Server and Office Web Apps.

Microsoft also patched Internet Explorer and Microsoft Edge in MS16-084 and MS16-085 respectively.

The IE flaws are mostly remote code execution issues, but Microsoft also patched a number of privilege escalation, information disclosure and security bypass bugs. None of the vulnerabilities have been publicly disclosed or attacked.

In Edge, Microsoft patched a handful of remote code execution memory corruption flaws in the Chakra JavaScript engine, along with an ASLR bypass, browser memory corruption, information disclosure and spoofing flaws.

Some of the same scripting vulnerabilities were addressed in MS16-086, which patches a flaw in the JScript and VBScript engines in Windows. The flaw allows for remote code execution and affects VBScript 5.7 and JScript 5.8.

Microsoft also pushed out five bulletins it rates as Important:

  • MS16-089: patches a vulnerability in Windows Secure Kernel Mode that leads to information disclosure.
  • MS16-090: patches elevation of privilege flaws in Windows Kernel-Mode Drivers.
  • MS16-091: patches a vulnerability in the .NET framework that could lead to information disclosure.
  • MS16-092: patches flaws in the Windows Kernel, allowing for a security feature bypass.
  • MS16-094: patches a flaw in Secure Boot that allows for a security feature bypass.