At the latest Black Hat conference, Peleg Hadar and Tomer Bar of SafeBreach Labs showed that the best way to an organization's heart is often through its printers. In 2010, one of the vulnerabilities Stuxnet used was a remote code execution on a computer with printer sharing enabled. To reach Iran's centrifuges, Stuxnet exploited a vulnerability in the Windows Print Spooler service to gain code execution as NT AUTHORITY\SYSTEM.
The method Stuxnet used to propagate across the network is still possible. In fact, Hadar and Bar announced that the security updates Microsoft released in August include a fix for a printer vulnerability that they discovered. A proof of concept of their findings has been posted to GitHub along with the tools they used.
In May, Yarden Shafir and Alex Ionescu released a whitepaper called PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth that showcased the interesting ways Print Spooler can be used to elevate privileges, bypass endpoint detection and response (EDR) rules, and gain persistence. Attackers often look for new and unusual ways to attack systems. The Spooler service, implemented in Spoolsv.exe, is appealing to them because it runs with SYSTEM privileges and is network accessible. Shafir and Ionescu point out that attackers look for the following attack vectors:
- Printing to a file in a privileged location, hoping Spooler will do this
- Loading a "printer driver" that is actually malicious
- Dropping files remotely using Spooler RPC APIs
- Injecting malicious "printer drivers" from remote systems
- Abusing file parsing bugs in EMF/XPS spooler files to gain code execution
Starting in Vista, Windows does not require admin rights to install printer drivers if the driver is a pre-existing inbox driver. Absolutely no privileges are needed to install a printer driver.
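Because the Spooler is SYSTEM-privileged, network reachable, and accepts driver installs with few checks, a defender's first step is to know where it is exposed and which drivers are present. The following PowerShell script is an added example, not code from the article or from the researchers it cites. It assumes PowerShell 5.1 or later with the built-in PrintManagement module (Get-Printer, Get-PrinterDriver) and local administrator rights to read driver files; the PrintService operational log and event ID 316 for driver add/update are used as assumptions and that log is disabled by default.

```powershell
# Added example (not from the article): a read-only audit of the Print Spooler
# attack surface on one Windows host, from a defender's point of view.
# Assumptions: PrintManagement module present, run as local admin, and
# event ID 316 in Microsoft-Windows-PrintService/Operational = driver added/updated.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerStatus  = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType      = if ($svc) { $svc.StartType } else { $null }
        # Shared printers mean the Spooler RPC surface is reachable over the network
        SharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared).Name
    }
}

function Get-PrinterDriverAudit {
    Get-PrinterDriver -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path   # main driver binary as registered with the Spooler
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                    Get-AuthenticodeSignature -FilePath $path
                } else { $null }
        [pscustomobject]@{
            Name            = $_.Name
            Manufacturer    = $_.Manufacturer
            Environment     = $_.PrinterEnvironment
            DriverPath      = $path
            # Anything other than 'Valid' deserves a look: unsigned or tampered binaries
            SignatureStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Inbox drivers are staged from the Windows driver store; InfPath shows origin
            InfPath         = $_.InfPath
        }
    }
}

# Recent driver installs from the operational log (assumed event ID 316).
# Enable the log first, e.g.:  wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
function Get-RecentDriverInstalls {
    param([int]$Days = 7)
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PrintService/Operational'
            Id        = 316
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction Stop | Select-Object TimeCreated, Id, Message
    } catch {
        @()   # log disabled or no matching events
    }
}

Get-SpoolerExposure
Get-PrinterDriverAudit | Where-Object { $_.SignatureStatus -ne 'Valid' } | Format-Table -AutoSize
Get-RecentDriverInstalls
```

Run it on hosts that are not print servers: a running Spooler with shared printers on a machine that never prints is pure attack surface and can be stopped and disabled, while unsigned or missing driver binaries and unexpected 316 events are the trail a malicious "printer driver" install leaves behind.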