Microsoft’s monthly Patch Tuesday already occurred this month, so you know what that means – more disclosed vulnerabilities. This iteration of patches included fixes for a combined 70 vulnerabilities, including one zero-day. Thankfully, none of these fall into Microsoft’s “critical” category. However, there are four Elevation of Privilege vulnerabilities targeting the Windows Print Spooler service that may have gone unnoticed by many. This post will summarize how Microsoft continues to battle with bugs related to the Print Spooler service and briefly examine how SpoolFool (CVE-2022-21999) has piggybacked from previous vulnerabilities to bypass Microsoft’s defenses.
The Print Spooler, or just Spooler, is the primary component within Windows that allows users to interface with printers. This includes driver management for various printers, the creation of print jobs, and data encoding. Microsoft introduced the Spooler more than 20 years ago during the early days of Windows NT and has been included with all future Windows operating systems since. Its age could, arguably, be a contributing factor to its misfortunes. However, the Spooler is an attack vector ripe for exploitation because it is a feature that is enabled by default on all Windows operating systems and was moved into kernel mode, from user-mode, in Windows NT 4. Thus, a successful exploit on a Spooler service vulnerability would likely be severe.
This was evident when one of the four vulnerabilities disclosed upon the discovery of Stuxnet was a Spooler vulnerability, which was known to Microsoft at the time. The Stuxnet malware exploited the Spooler service to perform code execution as NT AUTHORITY\SYSTEM, the account with the highest privileges in Windows. It doesn’t stop there, though, as Microsoft has been battling several vulnerabilities within the Spooler service for the past three years. The first of which is known as PrintDemon (CVE-2020-1048).
PrintDemon, which was disclosed and patched in May 2020, allowed an attacker to “write an arbitrary file by creating a printer port that pointed to a file on a disk”. Essentially, an attacker could drop malware on a system and execute it, unhindered. Microsoft patched this flaw by checking permissions before allowing a user to add a port. PrintDemon seemed to have inspired researchers to look at the Print Spooler further as it only took a week for VoidSec to bypass the PrintDemon fix by using a symbolic link to circumvent to security check. Furthermore, there were seven separate disclosures to Microsoft that exploited this same bug. This bypass, designated as CVE-2020-1337, was eventually patched in August 2020. The next month, in September, Microsoft patched another vulnerability that allowed an attacker to create a file or directory by “configuring the SpoolDirectory attribute on a printer” and designated it with CVE-2020-1030. Microsoft’s solution? Apply a permissions check to see if the current user had privileges to create the file or directory, respectively.
It took longer than a week, but in July 2021, researchers found another zero-day vulnerability dubbed PrintNightmare (CVE-2021-34527). For PrintNightmare to be exploited, an attacker must be authenticated. However, once this is achieved the attacker can run code as NT AUTHORITY\SYSTEM. This is possible because Windows would fail to restrict access to the functionality that allows a user to add printers and drivers.
That brings us to the next iteration of vulnerabilities that has plagued the Spooler service for the past three years with SpoolFool. As I stated, SpoolFool was disclosed last Tuesday with Microsoft’s monthly patching and has been designated as CVE-2022-21999. SpoolFool is actually two bypasses for CVE-2020-1030, which I touched on earlier. Just as the prior vulnerability bypassed a permission check, SpoolFool daisy chains off of this idea and performs another permissions-check bypass to write an arbitrary file using symbolic links. Although, I will admit, there is much more to this exploit, and I highly encourage you to read Oliver Lyak’s technical write-up on how he bypassed this vulnerability.
At this rate, it would be naïve to assume that this is the last we have heard of vulnerabilities with Windows’ Print Spooler service. Not only is it one of the oldest components in Windows, but it allows attackers full system access if properly exploited and, unless a user or organization has disabled this feature, it is likely enabled because it is so by default. SpoolFool and the vulnerabilities before them have been fixed, but I’m willing to bet this saga isn’t over.
If you are interested in learning more about the Print Spooler service and the resources I used to write this post, they can be found in the references below.
References:
Microsoft Documents
https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler
https://docs.microsoft.com/en-us/windows-hardware/drivers/print/print-spooler-architecture
Vulnerability and Exploit Reports
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/
https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
Exploit Proofs-of-Concept
https://github.com/ionescu007/faxhell
https://github.com/ionescu007/PrintDemon
https://github.com/ly4k/SpoolFool
https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527
CVEs
CVE-2020-1030, CVE-2020-1048, CVE-2020-1300, CVE-2020-1337, CVE-2020-17042, CVE-2021-1640, CVE-2021-1675, CVE-2021-34481, CVE-2021-34483, CVE-2021-34527, CVE-2021-36936, CVE-2021-36958, CVE-2021-38671, CVE-2022-21997, CVE-2022-21999, CVE-2022-22717, CVE-2022-22718