Evil Printer: How to Hack Windows Machines with Printing Protocol

Presented at DEF CON 28 (2020) Virtual, Aug. 9, 2020, 9:30 a.m. (30 minutes)

The Printer Spooler service, one of the important services in Microsoft Windows, has existed for more than 25 years. It runs at the highest privilege level, unsandboxed, does networking, and dynamically loads third-party binaries. What could possibly go wrong? In this talk, we will walk you through an incredibly fun bug we have discovered in the printer spooler service. It can be exploited both locally and remotely, escapes the sandbox, executes arbitrary code, and also elevates to SYSTEM. While Microsoft managed to develop the most restrictive sandbox for Microsoft Edge, this bug easily goes through it like it's a sieve. We will talk in detail about the implementation of this ancient service, the method we used to discover and exploit the bug, and also throw in some tips and tricks for logic bugs in between.

Presenters:

  • Chuanda Ding - Senior Researcher, Tencent Security Xuanwu Lab
    Chuanda Ding is a senior security researcher on Windows platform security. He leads the EcoSec team at Tencent Security Xuanwu Lab. He was a speaker at Black Hat Europe 2018, DEF CON China 2018, CanSecWest 2017, CanSecWest 2016, and QCon Beijing 2016. @FlowerCode_
  • Zhipeng Huo - Senior Researcher, Tencent Security Xuanwu Lab
    Zhipeng Huo is a senior security researcher on Windows and macOS platform security at Tencent Security Xuanwu Lab. He reported Microsoft Edge sandbox escape bugs in 2017, 2018, and 2020. He was a speaker at Black Hat Europe 2018. @R3dF09
