Microsoft this week patched more than 40 vulnerabilities in Internet Explorer, Edge, Office, and other products, including a 20-year-old issue that left Windows computers vulnerable to malicious printers.
Printers have been one of the oldest Internet of Things (IoT) components of enterprise networks and represent a powerful attack vector for cybercriminals, given the large number of vulnerabilities that researchers have discovered in them over time. Recently, researchers discovered that it’s not only the printers themselves that are vulnerable, but Windows systems connecting to these printers are flawed too.
Security researchers at Vectra Threat Labs recently discovered two security issues affecting the Windows Print Spooler Components and say that they allow an attacker to compromise systems via the printer itself. These are a remote code execution flaw (CVE-2016-3238) and an elevation of privilege vulnerability (CVE-2016-3239), both of which were patched by Microsoft this Tuesday.
The bad news, researchers say, is that CVE-2016-3238 is a Critical vulnerability that affects all Windows versions dating back to Windows 95.
“The vulnerability involves the way that client devices interact with network printers, and allows an attacker to execute code at system level either over a local network or the Internet,” Vectra researchers reveal.
In the MS16-087 security bulletin that was published on Tuesday, Microsoft explained that the vulnerability exists because the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers. An attacker exploiting the flaw can take control of an affected system and can install programs, access and modify user data, or create new accounts with full user rights, Microsoft says.
According to Vectra’s researchers, the issue lies in the way devices connect to printers on the network. Rather than pre-installing every printer driver on every workstation, the workstation is pointed at the printer it needs and downloads only that printer’s driver from the print server. Called Point-and-Print, this approach works well from a user’s perspective, but it is flawed because it relies on an exception that lets the driver be fetched and installed without warning the user.
In practice, researchers say, the workstation fetches an executable driver package from a network share and installs it without a User Account Control (UAC) prompt. An attacker who controls the printer, or the share it points to, can abuse this exception to push malicious code to every workstation that connects to it, and that code is installed with the same privileges as a legitimate driver.
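The Point-and-Print behaviour described above is governed by the "Point and Print Restrictions" policy, which controls whether a workstation warns and prompts for elevation before installing a driver offered by a print server, and which servers it will accept drivers from. The following PowerShell is an added example for auditing and, optionally, hardening those settings; it is not code from Vectra or Microsoft. The registry key and value names are the documented ones for that policy; RestrictDriverInstallationToAdministrators was introduced by a later (2021) Windows update and may be absent on older builds, and the server names in the hardening function are placeholders to be replaced with real print servers. Values that are not set fall back to the OS default for that build, so the audit flags them for manual confirmation rather than assuming either behaviour.

```powershell
# Added example: audit the Point-and-Print restriction policy that decides whether a
# workstation silently installs a driver offered by a print server, then optionally
# apply the restrictive values. Not part of the original article or Vectra's research.
# Value names/meanings follow the "Point and Print Restrictions" Group Policy;
# RestrictDriverInstallationToAdministrators came with a later (2021) update.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # Returns $null when the key or value does not exist (policy never configured)
    $item = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PointAndPrintHardening {
    $findings = @()

    # 1 = install a new printer's driver with no warning and no elevation prompt
    #     (exactly the silent-install behaviour the attack relies on)
    $noWarn = Get-PointAndPrintValue 'NoWarningNoElevationOnInstall'
    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1: new printer drivers install silently.'
    } elseif ($null -eq $noWarn) {
        $findings += 'NoWarningNoElevationOnInstall not set: build default applies, confirm it prompts.'
    }

    # 0 = warn and prompt for elevation, 1 = warn only, 2 = neither (updates arrive silently)
    $update = Get-PointAndPrintValue 'UpdatePromptSettings'
    if ($update -in 1, 2) {
        $findings += "UpdatePromptSettings=$update: driver updates from the server are applied without an elevation prompt."
    }

    # 1 = only administrators may install print drivers through Point-and-Print
    $adminOnly = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'
    if ($adminOnly -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0: non-admin users can trigger driver installation.'
    }

    # TrustedServers=1 plus a ServerList restricts Point-and-Print to named print servers;
    # without it, any host that advertises a printer can offer a driver to the workstation
    $trusted    = Get-PointAndPrintValue 'TrustedServers'
    $serverList = Get-PointAndPrintValue 'ServerList'
    if ($trusted -ne 1 -or [string]::IsNullOrWhiteSpace($serverList)) {
        $findings += 'No trusted print server list: workstations accept drivers from any print server.'
    }

    [pscustomobject]@{
        Key      = $PointAndPrintKey
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Set-PointAndPrintHardening {
    # Writes the restrictive values. The default server names are placeholders (assumed, not real).
    param(
        [string[]]$TrustedServers = @('printsrv01.corp.example', 'printsrv02.corp.example')
    )
    if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
    Set-ItemProperty -Path $PointAndPrintKey -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'UpdatePromptSettings' -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'TrustedServers' -Value 1 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'ServerList' -Value ($TrustedServers -join ';') -Type String
}

# Usage: audit first. Apply only from an elevated prompt, and in a domain prefer
# setting the same policy through Group Policy so it is not overwritten.
Test-PointAndPrintHardening | Format-List
```

Run the audit on a representative workstation image before and after deploying MS16-087 and the policy; the finding that matters most for the attack in this article is a silent install path (NoWarningNoElevationOnInstall=1 or UpdatePromptSettings=2) combined with no trusted server list, since that is the combination that lets an arbitrary printer or print server deliver code to the workstation.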
To test this, the researchers first compromised a printer so that it would point connecting workstations to a malicious executable; they note this was easy because “it was not too hard to find a bug that provided access to the underlying system.” Other attack scenarios are also possible, including backdooring a printer or print server, standing up a fake print server, using a man-in-the-middle (MitM) attack to inject a backdoored driver in place of the real one, and more.
What’s more, the vulnerability can also be exploited remotely over the Internet by leveraging the Internet Printing Protocol (IPP) and Web Point-and-Print (webpointNprint). “IPP allows for the same mechanism to load driver from the printer,” researchers reveal.