Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer

Presented at Black Hat USA 2021, Aug. 4, 2021, 2:30 p.m. (30 minutes)

Ten years ago, an escalation-of-privilege bug in the Windows Printer Spooler was used by Stuxnet, the notorious worm that destroyed Iran's nuclear enrichment centrifuges and infected more than 45000 networks. In the ten years since, the spooler has continued to yield an endless stream of disclosed vulnerabilities, and some that are still not known to the world; these are hidden bombs that could lead to disaster. We have therefore focused on the spooler over the past months, and the effort has been fruitful.

Our research began with PrintDemon, which served as our inspiration. After digging deeper into this bug, we found a way to bypass Microsoft's patch, and as soon as Microsoft released the new version we found another way to exploit it. After the PrintDemon story, we realized that the spooler is still a good attack surface, even though security researchers have hunted for bugs in it for more than ten years. We set out to explore the inner workings of the Printer Spooler and discovered several 0-day bugs in it. Some of them are more powerful than PrintDemon and easier to exploit; the others can be triggered remotely and could lead to remote code execution.

Presenters:

  • Lewis Lee - Security Researcher, Sangfor
    Lewis Lee (@LewisLee53) is an intern at Sangfor and a student at South China University of Technology.
  • XueFeng Li - Security Researcher, Sangfor
    Xuefeng Li (@lxf02942370) is an intern at Sangfor and a student at South China University of Technology. He has been engaged in Windows vulnerability hunting and exploitation for almost one year and ranked #10 on the MSRC Most Valuable Security Researcher list in 2020.
  • Zhiniang Peng - Principal Security Researcher, Sangfor
    Dr. Zhiniang Peng (@edwardzpeng) is the Principal Security Researcher at Sangfor. His current research areas include applied cryptography, software security and threat hunting. He has more than 10 years of experience in both offensive and defensive security and has published extensive research in both academia and industry. Dr. Peng is also a bug hunter in his free time, and he has ranked #1 on the MSRC Most Valuable Security Researcher list for three consecutive quarters.