Microsoft patches 20-year-old critical Windows printing bug

Discovered by researchers at Vectra Networks, the flaw is believed to have existed for 20 years, dating back to Windows 95. It lies in Microsoft’s Web Point-and-Print Protocol, a component of the Windows Print Spooler that allows companies to store the drivers for their printers on a shared server. It is designed to simplify the process of connecting multiple computers to a single printer, giving the user the ability to print documents without requiring elevated access.
When a printer is used for the first time on a device, Point-and-Print downloads the required driver from the shared repository, without requiring the user to enter credentials. However, this system introduces some serious vulnerabilities.
Usually, User Account Control prevents users from installing drivers. To simplify the printing process, Point-and-Print adds an exception to this rule, making it possible to install printer drivers without verification. Since the drivers are distributed as executable files, a hacker could place a malicious program in the directory and install it on a user’s computer.
Point-and-Print makes it significantly easier to send documents to printers on a network. It is also a system that allows programs to be downloaded from a network drive and run as a system user, without displaying any warning to the user. “From an attacker perspective, this is almost too good to be true,” said Vectra in a blog post.
In testing, the company successfully exploited the vulnerability on a real printer. By studying a firmware update package, Vectra could determine where to look for the printer drivers. It was then able to modify the applicable driver and inject malware into it. With that done, the file was placed back onto the network. This could be done using stolen network credentials or via physical access to the server or printer.
To test if the malware would install successfully, Vectra ran its exploit on Windows XP and Windows 7 machines. After adding the printer to the computer, Windows automatically downloaded the driver from the network. No user warning or request for verification was displayed. The infected driver was installed, infiltrating the system with malware that the attackers could use to gain access to the entire network.
“This attack results in having ‘system’ rights on any workstation that connect to your printer. We are effectively transforming a printer in an internal drive-by exploit kit, where we can just wait for people to come get infected without any warning,” said Vectra. “On a print server, cups or Microsoft, we could expect to have anti-virus, file integrity check, or other solution to monitor the host and change to it. However a printer driver is much less likely to have any of those defenses in place. Not only will that unit be able to infect multiple machines in your network, but it would also be able to reinfect over and over.”
Vectra contacted Microsoft with details of the vulnerability. A “Critical” fix has been released for all supported versions of Windows. Windows Print Spooler now writes to the filesystem in a safer way and warns users who attempt to install untrusted printer drivers.
Although the threat of this bug is severe, it does have one major limitation. To be successful, an attacker would first have to access the network or a printer to deploy the modified driver. Vectra warned that other attack vectors could also be used, such as creating a fake print server or using the “add printer” dialog to gain control of the system through its privileged access.
Windows users should receive the patch through a standard Windows Update. The fix helps to prevent the vulnerability from being exploited but does not completely close it. Users of unsupported operating systems, including Windows XP, will not receive the update, leaving them at risk of attack via a flaw introduced two decades ago.
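
Because the attack described above relies on a modified driver being installed silently, one defensive check is to audit the driver binaries already present on a workstation. The following PowerShell is an added example, not code from Vectra or Microsoft; it assumes the PrintManagement module (Windows 8 / Server 2012 or later) and lists any installed printer driver executable whose Authenticode signature is not valid, with a hash for comparison against a known-good machine.

```powershell
# Added example: audit executable files belonging to installed printer drivers.
# Assumes the PrintManagement module is available and the shell is elevated.
$report = foreach ($driver in Get-PrinterDriver) {
    # Gather every file the driver references, keeping only executables that exist.
    $files = (@($driver.DriverPath, $driver.ConfigFile, $driver.DataFile) +
              @($driver.DependentFiles)) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Where-Object { [IO.Path]::GetExtension($_) -in '.dll', '.exe', '.sys' } |
        Sort-Object -Unique

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        [pscustomobject]@{
            Driver = $driver.Name
            File   = $file
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        }
    }
}

# Show only files that fail signature validation; HashMismatch means the file
# was changed after it was signed.
$report |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Driver, File |
    Format-Table -AutoSize -Wrap
```

A `Valid` status only shows that the file is signed by a trusted publisher, so the `Signer` and `SHA256` columns in `$report` are worth comparing across machines that use the same printer.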
