8.8 - VU#131152

Overview

Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.

Description

Microsoft Windows allows for users who lack administrative privileges to still be able to install printer drivers, which execute with SYSTEM privileges via the Print Spooler service. This ability is achieved through a capability called Point and Print. Starting with the update for MS16-087, Microsoft requires that printers installable via Point are either signed by a WHQL release signature, or are signed by a certificate that is explicitly trusted by the target system, such as an installed test signing certificate. The intention for this change is to avoid installation of malicious printer drivers, which can allow for Local Privilege Escalation (LPE) to SYSTEM.

While Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify queue-specific files that are associated with the use of the device. For example, a shared printer can specify a CopyFiles directive for arbitrary files. These files, which may be copied over alongside the digital-signature-enforced printer driver files are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. The remote printer can also be configured to automatically execute code in any files dropped by the CopyFiles directive. This can allow for LPE to SYSTEM on a vulnerable system.

An exploit for this vulnerability is publicly available.

Impact

By connecting to a malicious printer, an attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Solution

Microsoft has published updates for CVE-2021-36958 regarding this issue. Please also consider the following workarounds:

Block outbound SMB traffic at your network boundary

Public exploits for this vulnerability utilize SMB for connectivity to a malicious shared printer. If outbound connections to SMB resources are blocked, then this vulnerability may be mitigated for malicious SMB printers that are hosted outside of your network. Note that an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.

Configure both PackagePointAndPrintServerList and PackagePointAndPrintOnly settings

Microsoft Windows has a Group Policy called "Package Point and Print - Approved servers", which is reflected in the HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers registry values. This policy can restrict which servers can be used by non-administrative users to install printers via Point and Print. Configure this policy to prevent installation of printers from arbitrary servers.

To ensure that Microsoft Windows only attempts to install Package Point and Print printers, and therefore restricting printer connections to the approved servers list, you must also set the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintOnly registry value to 1. The Group Policy setting that corresponds to this value is called "Use only Package Point and print". Setting this value to "Enabled" will enforce that only Package Point and Print printers will be used.

Both of these settings must be configured to protect against exploitation of this vulnerability.

Block the ability to modify the print spooler drivers directory

Courtesy of the TRUESEC Blog, this vulnerability can be mitigated by preventing the SYSTEM account from being able to modify the C:\Windows\System32\spool\drivers directory contents.

To enable this mitigation, from a privileged PowerShell session, run:

$Path = "C:\Windows\System32\spool\drivers" $Acl = (Get-Item $Path).GetAccessControl('Access') $Ar = New-Object  System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny") $Acl.AddAccessRule($Ar) Set-Acl $Path $Acl 

To revert the mitigation to allow printer driver installation or modification, run:

$Path = "C:\Windows\System32\spool\drivers" $Acl = (Get-Item $Path).GetAccessControl('Access') $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny") $Acl.RemoveAccessRule($Ar) Set-Acl $Path $Acl 

Stop and disable the Print Spooler

The Print Spooler can be disabled in a privileged PowerShell session by running the following commands:

Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled 

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

Acknowledgements

This vulnerability was publicly disclosed by Benjamin Delpy. Microsoft credits Victor Mata with reporting this issue to them.

This document was written by Will Dormann.