
SoylentNews is people

posted by Fnord666 on Sunday August 09 2020, @05:14PM
from the like-swiss-cheese dept.

New Windows Print Spooler Zero-Day Flaws Harken Back to Stuxnet:

Ten years after the game-changing Stuxnet attack was first discovered, a Windows printer program it exploited has been found to contain additional dangerous zero-day flaws that could allow an attacker to gain a foothold in the network as a privileged user.

The researchers who discovered the new flaws in Microsoft's ubiquitous Windows Print Spooler service say they wanted to see if there still was a way to game Print Spooler for a Stuxnet 2.0-style attack 10 years after the first known cyberweapon attack was unearthed. "We started digging in, looking at the original Stuxnet propagation, and then we found out there were problems. ... We decided to take the Spooler service to the next level, and eventually we found it was not fully patched," explains Tomer Bar, research team leader at SafeBreach, who along with his colleague Peleg Hadar found the flaws that they plan to detail today at Black Hat USA.

Bar and Hadar found three zero-day vulnerabilities in the 20-year-old Windows Print Spooler program, which serves as the interface between a printer and the Windows operating system, loading the print driver, setting up print jobs, and printing. The new, post-Stuxnet vulns include a memory corruption bug that could be used to wage a denial-of-service (DoS) attack and two local privilege escalation bugs. One of the local privilege escalation flaws was patched by Microsoft in May (CVE-2020-1048), but Bar and Hadar found another similar flaw that bypasses that patch. All three vulnerabilities affect all versions of the Windows operating system.

"They're using the same function [as Stuxnet did] but with a little twist," Bar says of the two local privilege-escalation zero-days.

While Stuxnet used a Print Spooler exploit to gain remote access, the local vulnerability found by Bar and Hadar could allow any user to gain the highest privileges on the machine — either as a malicious insider who has physical access to the machine or via an existing remote-access foothold previously obtained by an attacker.

Hadar says while Microsoft's patch for the Stuxnet vulnerability (MS10-061) fixed the remote-attack hole, it didn't address the local privilege-escalation holes. "That's what we focused on and were able to exploit," he says. They found the flaws using good old-fashioned reverse engineering and fuzzing techniques.

Exploiting the flaws is fairly simple, too, the researchers say. They were able to employ PowerShell commands to exploit the vulns.


  • (Score: 0, Funny) by Anonymous Coward on Sunday August 09 2020, @05:34PM (4 children)

    by Anonymous Coward on Sunday August 09 2020, @05:34PM (#1033898)

    There are some dubious sources that claim windows was developed to have all these vulnerabilities on purpose. Bill Gates' family is of course heavily involved in planned parenthood and other population control measures, spying on the digital activities of windows users would help with this agenda. The same sources even claim it may be possible that the agenda is being set by off world beings called Gnorts who the elite serve because they falsely believe they are communicating with Gods/demons.

    Even the first man on the moon was named Gnorts, Mr. Alien.

    • (Score: -1, Troll) by Anonymous Coward on Sunday August 09 2020, @06:09PM (3 children)

      by Anonymous Coward on Sunday August 09 2020, @06:09PM (#1033920)

      Maybe someone needs a refresher on the name of the first man to walk on the moon?

      • (Score: -1, Troll) by Anonymous Coward on Sunday August 09 2020, @06:29PM (2 children)

        by Anonymous Coward on Sunday August 09 2020, @06:29PM (#1033930)

        You mean, "The first man that the United States claims to have walked on the moon." Mr. Gnorts was a German who was captured by and subsequently worked for the Soviets. The Soviets sent him to the moon on a vastly over-sized V2 rocket. Unfortunately, they didn't realize that Mr. Gnorts would require a space suit, so he only walked a couple steps before keeling over. His desiccated body still lies there, collecting micro-craters from micro-meteor impacts.

        • (Score: 1, Informative) by Anonymous Coward on Sunday August 09 2020, @07:20PM (1 child)

          by Anonymous Coward on Sunday August 09 2020, @07:20PM (#1033966)

          gnortsmrA lieN

          • (Score: 0) by Anonymous Coward on Sunday August 09 2020, @09:51PM

            by Anonymous Coward on Sunday August 09 2020, @09:51PM (#1034034)

            How did this one avoid troll?

  • (Score: 1, Insightful) by Anonymous Coward on Sunday August 09 2020, @05:48PM (1 child)

    by Anonymous Coward on Sunday August 09 2020, @05:48PM (#1033908)

    Is it a zero day if a security researcher discovers it before an attacker?

    • (Score: 0) by Anonymous Coward on Monday August 10 2020, @04:50PM

      by Anonymous Coward on Monday August 10 2020, @04:50PM (#1034390)

      I too had this issue when reading.

  • (Score: 3, Interesting) by Runaway1956 on Sunday August 09 2020, @06:31PM (7 children)

    by Runaway1956 (2926) Subscriber Badge on Sunday August 09 2020, @06:31PM (#1033932) Journal

    is not exploitable?

    • (Score: 0) by Anonymous Coward on Sunday August 09 2020, @06:34PM (1 child)

      by Anonymous Coward on Sunday August 09 2020, @06:34PM (#1033935)

      TCP/IP

    • (Score: 2) by sjames on Sunday August 09 2020, @07:19PM (3 children)

      by sjames (2882) on Sunday August 09 2020, @07:19PM (#1033965) Journal

      Minesweeper (so far).

      • (Score: 0) by Anonymous Coward on Sunday August 09 2020, @07:28PM (2 children)

        by Anonymous Coward on Sunday August 09 2020, @07:28PM (#1033968)

        Minesweeper cheats. The first box you choose is never a mine.

        • (Score: 0) by Anonymous Coward on Monday August 10 2020, @04:54PM (1 child)

          by Anonymous Coward on Monday August 10 2020, @04:54PM (#1034391)

          I've always wondered how they did that, did they have several boards queued up and just cycle through them in that instant to find the first that isn't a mine? Or do they develop a map with one empty slot and just put that empty in wherever you click*.

          For instance: a 10x10 map has 99 spaces defined, if you click on the 34th spot, 1-33 are placed as normal, but 34-99 are placed in 35-100? This seems the most likely solution now that I have thought more about it.

          • (Score: 0) by Anonymous Coward on Monday August 10 2020, @08:21PM

            by Anonymous Coward on Monday August 10 2020, @08:21PM (#1034500)

            When I originally analyzed Minesweeper on Windows, my analysis showed that when it is drawing the board, it randomly selects a layout to use. Once you made a click, it would check if it was the first move; if not, it would do the normal routine. If it was the first move, a special routine was activated and it checked if the tile was a mine or not. If it wasn't, it just marked that the first move had been made and proceeded to use the normal algorithm for revealing tiles. If it was a mine, it marked that the first move was made, then randomly selected one of the blank tiles, added that tile to the mine set, added the clicked tile to the empty set, and then used the normal algorithm for revealing tiles.

            Newer versions use a different algorithm that is closer to your original guess.

    • (Score: 2) by driverless on Monday August 10 2020, @04:15AM

      by driverless (4770) on Monday August 10 2020, @04:15AM (#1034186)

      Which part of Windows is not exploitable?

      Windows Update controls and local-only (not linked to a Microsoft account) user accounts under Windows 10.

  • (Score: 2) by jmichaelhudsondotnet on Monday August 10 2020, @06:45PM

    by jmichaelhudsondotnet (8122) on Monday August 10 2020, @06:45PM (#1034450) Journal

    Having spent countless hours watching the windows print spooler fuckup this is hardly a surprise.

    But also I am quite certain they put these things in there to make sure their spy tech has plenty of options to compromise your system and read your mind. Not like the nsa motherboard wifi chip and intel management engine and trusted platform module are not already making any windows system, and most others, hopelessly insecure in any real sense.

    Fun fact: despite the utter incompetence of this and that it puts millions of people at risk for malicious actors to attack them, and will continue to do so probably for decades for unpatched systems, the company will face no downside whatsoever.

    Using windows is just a way of saying you don't know how to think.

    Maybe also that you are one of those people who enjoys being spanked. Not that there is anything wrong with that in some contexts, but in personal computing it seems like you are just allowed to think at all because you do not know how.
