Every month Microsoft releases patches for a wide range of vulnerabilities, some that are quite serious and some that are less so. But few Patch Tuesdays bring a fix for a vulnerability that has the history, lore, and ease of exploitation of the flaw in the Windows Print Spooler that was disclosed yesterday.
The vulnerability (CVE-2020-1048) is not a super complex remote code execution bug buried deep within the guts of Windows, but is instead a humble elevation of privilege flaw sitting in a spot that has not seen too much attention from researchers over the years. At least not publicly. The bug affects many recent versions of Windows, including Windows Server 2008, 2012, 2016, and 2019, as well as Windows 7, 8.1, and 10.
“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Microsoft advisory says.
The Windows print spooler is a service in the operating system that manages the printing process. The service has been in Windows for quite a long time and has not evolved much over the years. It handles the back-end functions of finding and loading the print driver, creating print jobs, and then ultimately printing them. It’s not typically the type of service that would draw much attention from researchers or attackers, but at least one team spent considerable time digging into it about a decade ago: the Stuxnet team.
The Stuxnet worm that hit several nuclear facilities in Iran in 2010 and later spread to Windows PCs in many networks around the world used an exploit for a similar vulnerability in the print spooler service. That flaw was a zero day at the time that Stuxnet was discovered and was one of at least four previously unknown vulnerabilities that the worm used during its infection routine. Stuxnet was an unprecedented discovery, containing exploits for SCADA and industrial control systems as well as Windows, and even 10 years after its emergence is considered one of the more sophisticated pieces of malware ever developed.
"There’s definitely still some dragons hiding.”
The description of the print spooler vulnerability that Stuxnet exploited (CVE-2010-2729) is eerily similar to the one Microsoft patched this week, with the notable exception that the bug from 2010 could lead to remote code execution on Windows XP machines.
“A remote code execution vulnerability exists in the Windows Print Spooler service that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected Windows XP system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts,” the advisory for the older vulnerability says.
While the Stuxnet print spooler flaw was discovered only after the worm did its damage, the newer one was unearthed by researchers at SafeBreach, who reported it to Microsoft. The new bug has drawn the attention of other researchers who have found that it is not only related to the Stuxnet bug, but quite easy to exploit. One line of PowerShell is all it takes to exploit the vulnerability and install a persistent backdoor on a vulnerable system, according to a detailed analysis of the flaw done by Yarden Shafir and Alex Ionescu of Winsider, a Windows consulting and training firm.
“Ironically, the Print Spooler continues to be one of the oldest Windows components that still hasn’t gotten much scrutiny, even though it’s largely unchanged since Windows NT 4, and was even famously abused by Stuxnet,” Shafir and Ionescu said.
“This bug is probably one of our favorites in Windows history, or at least one of our Top 5, due to its simplicity and age — completely broken in original versions of Windows, hardened after Stuxnet… yet still broken.”
The pair also said that they had found and disclosed some other bugs in the same are that have not yet been patched “so there’s definitely still some dragons hiding.”