Researchers warn of new leak in Windows Print Spooler

Researchers warn of a new vulnerability in the Windows Print Spooler that could allow an attacker to execute code with system privileges when connecting to a malicious printer. A security update from Microsoft is not yet available.

This is now the fourth vulnerability found in the Windows Print Spooler in a short time. The print spooler is responsible for processing print jobs on the system. Earlier this month, Microsoft released an update for a vulnerability in this Windows component, designated CVE-2021-1675. Subsequently, a second vulnerability, known as CVE-2021-34527 and PrintNightmare, was discovered.

Last week, Microsoft announced another vulnerability in the Print Spooler, which was assigned CVE number CVE-2021-34481. Now researchers report that another vulnerability has been found in the Print Spooler for which an exploit is available on the internet.

Windows allows users without administrator privileges to install printer drivers, which run under the Print Spooler service with system privileges. This is possible through a feature called Point and Print. Drivers installed via Point and Print must be signed by Microsoft or by a certificate that the system trusts, which should prevent the installation of rogue printer drivers.

Although the drivers themselves must be digitally signed, a driver can queue certain additional files that do not need to be signed. By connecting to a rogue printer, it is therefore possible to have rogue DLL files automatically downloaded and run on the system, and these DLL files are executed with system privileges. Thus, an attacker with limited privileges can easily gain full control over the system.

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University says there is as yet no "practical solution" to the problem. However, there are several workarounds, such as blocking outgoing SMB traffic and setting a policy that limits the servers from which users can install printers via Point and Print. The policy ensures that printers cannot be installed from arbitrary servers.
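As an added example (not part of the article or of CERT/CC's advisory), the following PowerShell script checks whether the two workarounds named above are in place on a host: it reads the standard Windows policy locations for Point and Print and Package Point and Print, and looks for an enabled outbound firewall block on TCP 445. Run it in an elevated PowerShell session on the machine being audited.

```powershell
# Added audit script (not from the article). Reads the Point and Print policy
# values behind the CERT/CC workarounds and checks for an outbound SMB block.
# Registry paths and value names are the standard Windows Group Policy locations.
$pp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PolicyValue([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }          # policy key absent
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null                                          # value not configured
}

$findings = @()

# Workaround 1: only approved servers may supply Package Point and Print drivers
if ((Get-PolicyValue $ppp 'PackagePointAndPrintServerList') -ne 1) {
    $findings += 'Package Point and Print approved-server list is not enforced'
} elseif (Test-Path "$ppp\ListofServers") {
    $servers = (Get-Item "$ppp\ListofServers").GetValueNames()
    if ($servers.Count -eq 0) { $findings += 'Approved-server list is enabled but empty' }
    else { Write-Output "Approved print servers: $($servers -join ', ')" }
}

# Driver installation should require administrator rights and keep the prompts
if ((Get-PolicyValue $pp 'RestrictDriverInstallationToAdministrators') -ne 1) {
    $findings += 'Non-administrators may still install printer drivers'
}
if ((Get-PolicyValue $pp 'NoWarningNoElevationOnInstall') -eq 1) {
    $findings += 'Warning and elevation prompt on driver install are suppressed'
}
if ((Get-PolicyValue $pp 'UpdatePromptSettings') -gt 0) {
    $findings += 'Warning or elevation prompt on driver update is suppressed'
}

# Workaround 2: block outbound SMB (TCP 445) so the spooler cannot fetch drivers
# from an arbitrary remote share
$smbBlock = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.RemotePort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
if (-not $smbBlock) { $findings += 'No enabled outbound block rule for TCP 445 (SMB)' }

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'Point and Print workarounds are in place' }
```

A domain-joined host normally receives these values through Group Policy, so an empty or missing key usually means the policy has not been deployed rather than that it was removed locally.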

In the video below, researcher Benjamin Delpy demonstrates the vulnerability.
