A Decade After Stuxnet's Printer Vulnerability: Printing is Still the Stairway to Heaven

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 11 a.m. (40 minutes).

In 2010, Stuxnet, the most powerful malware in the world revealed itself, causing physical damage to Iranian nuclear enrichment centrifuges. In order to reach Iran's centrifuges, it exploited a vulnerability in the Windows Print Spooler service to gain code execution as NT AUTHORITY\SYSTEM. Due to the hype around this critical vulnerability, we (and probably everyone else) were pretty sure that this attack surface would no longer exist a decade later. We were wrong…<br><br>The first clue was that two out of three vulnerabilities which were involved in Stuxnet were not fully patched. That was the case also for the 3rd vulnerability used in Stuxnet, which we were able to exploit again in a different manner. It appears that Microsoft has barely changed the code of the Windows Print Spooler mechanism over the last 20 years. We started to investigate the Print Spooler mechanism in the latest Windows 10 Insider build and discovered two 0-day vulnerabilities providing LPE as SYSTEM and Denial-of-Service. The first one can also be used as a new, unknown persistence technique.<br><br>In this presentation, we will present:<br><ul><li>Past Stuxnet's vulnerabilities and how they were partially patched (even multiple times)</li><li>The analysis of the 3rd Stuxnet vulnerability in the Windows Print Spooler, which was considered fully patched until now</li><li>A live demo of two 0-day vulnerabilities we discovered in the Windows Print Spooler. One of them works on all the Windows releases from 2000 to Windows 10 (32 and 64-bit); the other works on all the Windows releases from Windows 7 to Windows 10 (32 and 64-bit)</li><li>Our research process, our methodology and home-brewed tools</li><li>A more robust way to mitigate future exploitation of similar vulnerabilities</li><li>Several open-source tools for testing the system against the attack, mitigating it and helping other researchers to challenge this mechanism as well.</li></ul>

Presenters:

  • Peleg Hadar - Senior Security Researcher, SafeBreach Labs
    Peleg Hadar (@peleghd) is a security researcher, having 8+ years of unique experience in the sec field. Currently, he is doing research @SafeBreach Lab after serving in various sec positions @IDF. His experience involved security from many angles: starting with network research, and now mostly software research. Peleg likes to investigate mostly Microsoft Windows components.
  • Tomer Bar - Research Team Leader, SafeBreach Labs
    Tomer Bar is a security researcher and a research team leader with 15+ years of unique experience in the sec field. Currently, he leads the SafeBreach Labs research team. His experience involved vulnerability research, malware analysis, etc.

Links:

Similar Presentations: