SoylentNews is people

posted by Fnord666 on Sunday August 09 2020, @05:14PM
from the like-swiss-cheese dept.

New Windows Print Spooler Zero-Day Flaws Harken Back to Stuxnet:

Ten years after the game-changing Stuxnet attack was first discovered, a Windows printer program it exploited has been found to contain additional dangerous zero-day flaws that could allow an attacker to gain a foothold in the network as a privileged user.

The researchers who discovered the new flaws in Microsoft's ubiquitous Windows Print Spooler service say they wanted to see if there still was a way to game Print Spooler for a Stuxnet 2.0-style attack 10 years after the first known cyberweapon attack was unearthed. "We started digging in, looking at the original Stuxnet propagation, and then we found out there were problems. ... We decided to take the Spooler service to the next level, and eventually we found it was not fully patched," explains Tomer Bar, research team leader at SafeBreach, who along with his colleague Peleg Hadar found the flaws that they plan to detail today at Black Hat USA.

Bar and Hadar found three zero-day vulnerabilities in the 20-year-old Windows Print Spooler program, which serves as the interface between a printer and the Windows operating system, loading the print driver, setting up print jobs, and printing. The new, post-Stuxnet vulns include a memory corruption bug that could be used to wage a denial-of-service (DoS) attack and two local privilege escalation bugs. One of the local privilege escalation flaws was patched by Microsoft in May (CVE-2020-1048), but Bar and Hadar found another similar flaw that bypasses that patch. All three vulnerabilities affect all versions of the Windows operating system.

"They're using the same function [as Stuxnet did] but with a little twist," Bar says of the two local privilege-escalation zero-days.

While Stuxnet used a Print Spooler exploit to gain remote access, the local vulnerability found by Bar and Hadar could allow any user to gain the highest privileges on the machine — either as a malicious insider who has physical access to the machine or via an existing remote-access foothold previously obtained by an attacker.

Hadar says while Microsoft's patch for the Stuxnet vulnerability (MS10-061) fixed the remote-attack hole, it didn't address the local privilege-escalation holes. "That's what we focused on and were able to exploit," he says. They found the flaws using good old-fashioned reverse engineering and fuzzing techniques.

Exploiting the flaws is fairly simple, too, the researchers say. They were able to employ PowerShell commands to exploit the vulns.

  • (Score: 2) by driverless on Monday August 10 2020, @04:15AM

    Which part of Windows is not exploitable?

    Windows Update controls and local-only (not linked to a Microsoft account) user accounts under Windows 10.