A vulnerability in the Point and Print functionality of the Microsoft Windows Print Spooler has recently been disclosed, and a public exploit is available.
With the release of MS16-087, Microsoft required that printer drivers installed via Point and Print be signed either with a WHQL release signature or with a certificate explicitly trusted by the target system, such as an installed test-signing certificate.
This requirement was introduced to prevent the installation of malicious printer drivers, but it does not address a related issue: non-administrative users can still install printer drivers via Point and Print that also deliver queue-specific files, and those files can be arbitrary libraries that are subsequently loaded by the privileged Print Spooler process.
While Windows enforces that the driver package itself is signed by a trusted source, a printer driver can specify queue-specific files associated with the use of the device. For example, a shared printer can use a CopyFiles directive to deliver arbitrary ICM files; these are copied alongside the signature-enforced driver files but are not themselves covered by any signature requirement.
Because of this, an attacker-controlled file can be copied to a client system through a Point and Print driver installation and then used by another printer. This allows Local Privilege Escalation (LPE) on a vulnerable system: by connecting to a malicious printer, an attacker may be able to execute arbitrary code with SYSTEM privileges.
Patch status: At the time of writing, no patch is available for this vulnerability.
Workarounds: The following workarounds can be considered:
Block outbound SMB traffic at your network boundary: The public exploits for this vulnerability use SMB to connect to a malicious shared printer, so blocking outbound SMB (TCP 445, plus TCP 139 and UDP 137-138 for NetBIOS) at the network boundary mitigates attacks from malicious SMB printers hosted outside your network. It does not stop an attacker who is already inside the network: a local user can share a printer over SMB, and that traffic is unaffected by any outbound boundary rule.
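As an added example (not part of the original advisory), the boundary rule can be approximated on individual hosts with the Windows Firewall. The rule names, the choice of the built-in 'Internet' address keyword (so that intranet print servers stay reachable) and the test hosts are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example, not from the original advisory: host-based outbound SMB block.
# Run as Administrator. Rule names and the address scope are assumptions.
#Requires -RunAsAdministrator

function Block-OutboundSmb {
    param(
        # 'Internet' is a built-in Windows Firewall address keyword covering
        # addresses outside the local subnets; pass 'Any' for a complete block.
        [string[]]$RemoteAddress = @('Internet')
    )
    $rules = @(
        @{ DisplayName = 'Block outbound SMB (TCP 445)';         Protocol = 'TCP'; RemotePort = '445' }
        @{ DisplayName = 'Block outbound NetBIOS (TCP 139)';     Protocol = 'TCP'; RemotePort = '139' }
        @{ DisplayName = 'Block outbound NetBIOS (UDP 137-138)'; Protocol = 'UDP'; RemotePort = '137-138' }
    )
    foreach ($r in $rules) {
        # Idempotent: replace an existing rule of the same name instead of duplicating it.
        Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Outbound -Action Block `
            -Protocol $r.Protocol -RemotePort $r.RemotePort -RemoteAddress $RemoteAddress `
            -Profile Any -Enabled True | Out-Null
    }
}

function Test-OutboundSmb {
    # Reports whether TCP 445 is still reachable on each host (hostnames are constructed).
    param([string[]]$ComputerName = @('print01.corp.example', 'files.example.net'))
    foreach ($h in $ComputerName) {
        $r = Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Smb445Reachable = $r.TcpTestSucceeded }
    }
}

Block-OutboundSmb
Test-OutboundSmb
```

This reproduces the caveat in the text: a printer shared from a workstation on the local subnet is matched by 'Intranet', not 'Internet', so the rule leaves that path open unless you pass 'Any' and accept breaking legitimate SMB.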
Configure PackagePointAndPrintServerList: Windows has a Group Policy called "Package Point and print - Approved servers" (Computer Configuration > Administrative Templates > Printers), which is reflected in the registry as the PackagePointAndPrintServerList value and the ListofServers subkey under
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint.
This policy restricts which servers non-administrative users may install printers from via Point and Print. Configure it with an explicit list of trusted print servers to prevent installation from arbitrary servers. Note that it does not restrict administrative users, so it does not protect against an administrator connecting to a malicious printer.
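As an added example (not part of the original advisory), the following PowerShell applies and audits that policy through its registry representation, which is useful on machines that do not receive Group Policy. The server names are constructed placeholders, and the layout of the ListofServers subkey (one REG_SZ value per server, with the server name as both value name and data) is what the policy editor writes; run from an elevated session.

```powershell
# Added example, not from the original advisory: set and audit the
# "Package Point and print - Approved servers" policy via the registry.
# Server names are placeholders. Run as Administrator.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ListKey   = Join-Path $PolicyKey 'ListofServers'

function Set-ApprovedPointAndPrintServers {
    param([Parameter(Mandatory)][string[]]$Server)
    # Creating the subkey also creates the parent PackagePointAndPrint key.
    New-Item -Path $ListKey -Force | Out-Null
    # PackagePointAndPrintServerList = 1 enables the restriction for non-admin users.
    Set-ItemProperty -Path $PolicyKey -Name 'PackagePointAndPrintServerList' -Type DWord -Value 1
    # Remove entries that are no longer approved, then (re)write each approved server.
    (Get-Item -Path $ListKey).Property |
        Where-Object { $_ -notin $Server } |
        ForEach-Object { Remove-ItemProperty -Path $ListKey -Name $_ }
    foreach ($s in $Server) {
        Set-ItemProperty -Path $ListKey -Name $s -Type String -Value $s
    }
}

function Get-ApprovedPointAndPrintServers {
    # Returns whether the restriction is enforced and which servers are approved.
    $enforced = $false
    $servers  = @()
    if (Test-Path -Path $PolicyKey) {
        $enforced = (Get-ItemProperty -Path $PolicyKey).PackagePointAndPrintServerList -eq 1
    }
    if (Test-Path -Path $ListKey) {
        $servers = @((Get-Item -Path $ListKey).Property)
    }
    [pscustomobject]@{ Enforced = $enforced; ApprovedServers = $servers }
}

Set-ApprovedPointAndPrintServers -Server 'print01.corp.example', 'print02.corp.example'
Get-ApprovedPointAndPrintServers
```

An audit that reports Enforced = False, or an approved list that includes a server you do not control, means non-administrative users on that host can still install drivers, and their queue-specific files, from an arbitrary Point and Print server.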