Publicly disclosed vulnerability in Microsoft Windows Print Spooler Point and Print

Publicly disclosed vulnerability in Microsoft Windows Print Spooler Point and Print

Hello everyone,

A vulnerability in Microsoft Windows Print Spooler Point and Print with an exploit publicly available has been recently discovered.


Vulnerability description:

With the recent update for MS16-087, Microsoft has mandated that the printers installable via Point, be signed by a WHQL release signature, or a certificate that is explicitly trusted by the target system, such as an installed test signing certificate.

This was introduced to avoid the installation of malicious printers but this update does not address the issue of non-admin users being able to install printer drivers via Point and Print technique which also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.

While Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify queue-specific files that are associated with the use of the device. For example, a shared printer can specify a CopyFiles directive for arbitrary ICM files, which are copied over with the digital-signature-enforced printer driver files are not covered by any signature requirement.


Impact:

With the above vulnerability, any file can be copied to a client system via Point and Print printer driver installation, where it can be used by another printer. This allows for Local Privilege Escalation (LPE) on a vulnerable system. By connecting to a malicious printer, an attacker may be able to execute arbitrary code with System privileges on a vulnerable system.

 

Patch status: No patch is available for this vulnerability yet

 

Workarounds: The following workarounds can be considered

Block outbound SMB traffic at your network boundary: Since the public exploits for this vulnerability utilize SMB for connectivity to a malicious shared printer. If outbound connections to SMB resources are blocked, then this vulnerability may be mitigated for malicious SMB printers that are hosted outside of your network. But this doesn't stop a local attacker local who would be able to share a printer via SMB, which are unaffected by any outbound SMB traffic rules.

Configure PackagePointAndPrintServerList: Microsoft Windows has a Group Policy called "Package Point and Print - Approved servers", which is reflected in the

HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList

and

HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers registry values.

This policy can restrict which servers can be used by non-administrative users to install printers via Point and Print. Configure this policy to prevent the installation of printers from arbitrary servers.

 

You can find this vulnerability under the 'Zero-day vulnerabilities' tab in Vulnerability Manager Plus' console.

 

Cheers,

The ManageEngine team