search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files

Vulnerability Note VU#131152

Original Release Date: 2021-07-18 | Last Revised: 2021-07-19

Overview

Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.

Description

Microsoft Windows allows for users who lack administrative privileges to still be able to install printer drivers, which execute with SYSTEM privileges via the Print Spooler service. This ability is achieved through a capability called Point and Print. Starting with the update for MS16-087, Microsoft requires that printers installable via Point are either signed by a WHQL release signature, or are signed by a certificate that is explicitly trusted by the target system, such as an installed test signing certificate. The intention for this change is to avoid installation of malicious printer drivers, which can allow for Local Privilege Escalation (LPE) to SYSTEM.

While Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify queue-specific files that are associated with the use of the device. For example, a shared printer can specify a CopyFiles directive for arbitrary ICM files. These files, which may be copied over alongside the digital-signature-enforced printer driver files are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for LPE to SYSTEM on a vulnerable system.

An exploit for this vulnerability is publicly available.

Impact

By connecting to a malicious printer, an attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Block outbound SMB traffic at your network boundary

Public exploits for this vulnerability utilize SMB for connectivity to a malicious shared printer. If outbound connections to SMB resources are blocked, then this vulnerability may be mitigated for malicious SMB printers that are hosted outside of your network. Note that Microsoft indicates that printers can be shared via the [MS-WPRN] Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic. Also, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.

Configure PackagePointAndPrintServerList

Microsoft Windows has a Group Policy called "Package Point and Print - Approved servers", which is reflected in the HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers registry values. This policy can restrict which servers can be used by non-administrative users to install printers via Point and Print. Configure this policy to prevent installation of printers from arbitrary servers.

Acknowledgements

This vulnerability was publicly disclosed by Benjamin Delpy.

This document was written by Will Dormann.

Vendor Information

131152
 

Microsoft Affected

Notified:  2021-07-18 Updated: 2021-07-18

VU#131152.1 Affected

Vendor Statement

We have not received a statement from the vendor.


Other Information

Date Public: 2021-07-18
Date First Published: 2021-07-18
Date Last Updated: 2021-07-19 18:59 UTC
Document Revision: 4

Sponsored by CISA.