Another Unpatched Zero-day Vulnerability Found in Windows Print Spooler

A few days back Microsoft had issued a warning about a new privilege escalation vulnerability found in the Windows Print Spooler.

And now, Benjamin Delpy, the producer of the Mimikatz tool, has recently released some key details about another possible vulnerability in the Windows Print Spooler.

A Remote Print Server Was Used to Attack

The vulnerability allows arbitrary code to be executed with SYSTEM privileges by using a specially crafted malicious remote print server, as claimed by Benjamin Delpy. 

Here, the exploit developed by the expert uses a feature known as “Queue-Specific” Files to automatically load and execute the DLL files.

Further, Delpy asserted that by exploiting this functionality, easily a threat actor can load a malicious DLL when a client connects to a remote print server that is controlled by the threat actor. 

Now at this point, the security researcher explained that to execute any command on the infected computer, the malicious DLLs will run with SYSTEM privileges.

Impact

According to Will Dormann, a CERT analyst, the driver packages of Windows require to be signed by a trusted source, but, here, which files will be associated with a specific print queue could be specified by the drivers.

To make it more clear, the analysts explained that a shared printer can specify a CopyFiles folder for arbitrary ICM files, and all these files are copied over digitally signed print drivers, which means they are not signed digitally.

So, here, for this reason, over the Point and Print process, any file can be copied to the client system. What it implies is that any printer with SYSTEM privileges can use this file.

In short, by exploiting this flaw, a threat actor can easily execute arbitrary code on a vulnerable system with SYSTEM privileges.

Mitigations

Currently, there is no specific fix for this vulnerability, but, as a precautionary measure, experts have recommended few security measures to combat and prevent the installation of printers from arbitrary servers and block incoming SMB traffic.

The cybersecurity researchers, Delpy and Dormann have recommended two mitigating methods and here they are mentioned below:-

  • Block outbound SMB traffic at your network boundary
  • Configure PackagePointAndPrintServerList

Moreover, the experts have concluded that this vulnerability is dangerous since it affects all supported versions of Windows.

Not only that even it also allows an attacker with limited access to the system to escalated rights and propel through the network, along with gaining entrance access to a domain controller.

While apart from this, the researchers have asserted that it is not yet known if there is a link between the above vulnerability and the CVE-2021-34481 (a local privilege escalation (LPE) flaw) that is reported last week by Microsoft.

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.