Is the Windows Print Spooler Any Safer 8 Years After Stuxnet?
While completing my master's program in Information Assurance at the University of Maryland this past spring, I was asked to research the Windows Print Spooler for vulnerabilities. It was during this research that I was surprised to see Microsoft following less-than-robust patching practices against an insidious vulnerability. Before we dive into the specifics of what the vulnerability allows, we must first review what the Windows Print Spooler does.
It is the component of Windows that queues print jobs and passes their data to the printer, a necessity given how fast the CPU operates and how slow input/output (I/O) devices such as printers are. To streamline printer use, Microsoft has long allowed users, regardless of privilege level, to install printer drivers. Starting with Windows 2000, Microsoft added Point and Print, which lets a user connect to a shared printer and automatically download the driver stored on the printer or print server over the LAN (Microsoft, 2017). Then in 2007, Microsoft extended this functionality with the Web Point-and-Print protocol (MS-WPRN), an HTTP-based protocol that lets Windows users download printer drivers directly from print servers and websites (Microsoft, 2017).
With no restriction on who may install printer drivers, and with support for downloading them remotely, the only line of defense against a tainted driver was the print spooler itself. The spooler was supposed to authenticate printer drivers before installation, but that process was flawed, so unauthenticated drivers could be loaded and run (ENISA, 2016). The consequence of Microsoft's design choices and sloppy coding is simple to sum up: for over 20 years, every computer running a Windows operating system was vulnerable to this attack.
According to ENISA (2016), the first attack this vulnerability enables is to compromise the driver stored on a printer or print server. Nick Beauchesne (2016), a security researcher at Vectra, showed that a physical printer can be compromised easily using publicly available information. First, he analyzed a vendor-supplied firmware update to learn the printer's system layout and recover its stored default credentials (ENISA, 2016). He then embedded a malicious payload in a driver update and used those credentials to gain root access on the printer and place the tainted driver on it (ENISA, 2016). Where a company uses a print server instead, Beauchesne (2016) found that an attacker with administrative access to that server need only place the tainted driver there. Because the driver is loaded as code, anything the attacker wants to install, from a virus to a keylogger, runs on every host that installs the driver. The result is a total loss of confidentiality for data stored on or reachable from the host. It can also compromise data integrity, since covertly installed software can alter data the host transmits. Stuxnet worked in much the same spirit: it exploited an earlier print spooler vulnerability (MS10-061) to propagate itself into Iran's nuclear industrial complex years before (Keizer, 2010), and its payload then falsified the data reported to centrally located monitoring software. Finally, an attack of this kind can yield unauthorized access if it harvests user credentials on the host.
The second attack is for a malicious actor to spoof a printer on the network (ENISA, 2016). This requires only access to the intranet and a convincing printer name. Users who believe the printer is real (or newly added) connect to it, and Point and Print then downloads and installs the tainted driver without any confirmation or permission from the user (ENISA, 2016). The result is again a loss of data confidentiality and integrity and unauthorized access.
The third attack is a man-in-the-middle attack (ENISA, 2016), in which a malicious actor secretly monitors and alters communication between two devices. It requires only network access: the attacker waits to intercept a genuine driver installation request crossing the network (ENISA, 2016) and answers it first with a tainted driver, compromising the requesting host's data confidentiality and integrity and gaining unauthorized access. This makes it more covert than the second attack, since nothing the user sees differs from a normal installation.
The final attack leverages Microsoft's Web Point-and-Print protocol, MS-WPRN, to mount a watering hole attack (ENISA, 2016). This attack is more complex because it involves compromising a website the targeted host is likely to visit. The attacker must first gain unauthorized access to that site and plant code on the server that pushes the malicious printer driver to visitors via MS-WPRN. Because Windows displays no installation prompt, this works for any user account type and without the user's knowledge. It too results in a loss of data confidentiality and integrity, and it can grant unauthorized access to the targeted host, depending on the alterations made to the driver and the payload injected into it.
Beauchesne (2016) noted that enterprise environments running Active Directory with its default Point and Print policy settings are not exposed; every other user is, including companies with permissive Bring Your Own Device (BYOD) policies. In July 2016, Microsoft addressed the flaw's exploitation rather than its root cause: the MS16-087 update (which covered CVE-2016-3238) makes the spooler display a warning and elevation prompt before a Point and Print driver is installed or updated. This is an improvement over the spooler's previous silent installation, but it does not fix the underlying failure to verify driver authenticity before installation, and a user who clicks through the prompt is no better off than before. Microsoft's response was inadequate. Printer manufacturers share the blame: printers should be locked down so that replacing the driver they serve is far harder than it is today.
Operating system vendors must take a harder line on this functionality. As it stands, Microsoft has put a band-aid over a bullet hole. Eight years after Stuxnet and two years after this vulnerability became public, print job spooling on Windows remains weakly protected. Until Microsoft gets serious about the root cause, users are one mistakenly accepted prompt away from a total loss of confidentiality, a loss of data integrity, and unauthorized access to their host.
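On a managed Windows host, the hardening that closes these attack paths lives in the Point and Print Restrictions group policy (Computer Configuration > Administrative Templates > Printers): it confines Point and Print to an approved server list and keeps the warning and elevation prompts on. The PowerShell audit below is an added example, not code from this article, Vectra or ENISA. It assumes the documented registry values that policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint; the server name in $ApprovedServers is a hypothetical placeholder to replace with your own print servers.

```powershell
# Added example: audit a host's Point and Print hardening state.
# Assumes the policy registry values documented by Microsoft; run elevated.
param(
    # Hypothetical approved print server; replace with your own list.
    [string[]]$ApprovedServers = @('printsrv01.corp.example')
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$findings  = @()

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    try   { (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Is "Point and Print Restrictions" enabled at all? Without it, the 2016
#    warning/elevation prompt is the only thing between a user and a remote driver.
if ((Get-PolicyValue 'Restricted') -ne 1) {
    $findings += 'Point and Print Restrictions policy is not enabled.'
} else {
    # TrustedServers=1 plus a ServerList limits connections to approved servers,
    # which defeats the spoofed-printer and rogue-print-server scenarios.
    if ((Get-PolicyValue 'TrustedServers') -ne 1 -or -not (Get-PolicyValue 'ServerList')) {
        $findings += 'Users may connect to any print server; no approved ServerList.'
    }
    # 0 = show warning and elevation prompt, 1 = warning only, 2 = no prompt at all.
    foreach ($v in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ((Get-PolicyValue $v) -ne 0) {
            $findings += "$v is not 0: driver install/update prompts are suppressed."
        }
    }
}

# 2. Printer connections that point at servers outside the approved list.
Get-Printer | Where-Object { $_.Type -eq 'Connection' } | ForEach-Object {
    $server = ($_.ComputerName -replace '^\\\\', '')
    if ($ApprovedServers -notcontains $server) {
        $findings += "Printer connection '$($_.Name)' uses unapproved server '$server'."
    }
}

# 3. Installed driver binaries whose Authenticode signature does not verify.
#    A tainted driver delivered by any of the four attacks shows up here.
Get-PrinterDriver | ForEach-Object {
    if ($_.Path -and (Test-Path -Path $_.Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        if ($sig.Status -ne 'Valid') {
            $findings += "Driver '$($_.Name)' at $($_.Path): signature $($sig.Status)."
        }
    }
}

if ($findings.Count -eq 0) { 'No Point and Print findings.' } else { $findings }
```

Run it elevated on a representative workstation and on any BYOD machine you allow onto the network: a host with no findings is restricted to known print servers, still prompts on every driver install or update, and carries only drivers whose signatures verify.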
Beauchesne, N. (2016, July 12). Own a printer, own a network with point and print drive-by. Vectra. Retrieved from https://blog.vectra.ai/blog/microsoft-windows-printer-wateringhole-attack
European Union Agency for Network and Information Security (ENISA). (2016, July 27). Microsoft Windows Printer Spooler Legacy Vulnerability. Retrieved from https://www.enisa.europa.eu/publications/info-notes/microsoft-windows-printer-spooler-legacy-vulnerability
Keizer, G. (2010, September 22). Microsoft confirms it missed Stuxnet print spooler 'zero-day'. Computerworld. Retrieved from https://www.computerworld.com/article/2515799/security0/microsoft-confirms-it-missed-stuxnet-print-spooler--zero-day-.html
Microsoft. (2017, April 20). Introduction to Point and Print. Microsoft. Retrieved from https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print
Microsoft. (2017, September 15). [MS-WPRN]: Web Point-and-Print Protocol. Microsoft Developer Network. Retrieved from https://msdn.microsoft.com/en-us/library/cc251293.aspx
Pro-IT. (2017, July 12). parche-microsoft.jpg. Pro-IT. Retrieved from https://pro-it.es/wp-content/uploads/2013/06/parche-microsoft.jpg