Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.
Microsoft Windows allows for users who lack administrative privileges to still be able to install printer drivers, which execute with
SYSTEM privileges via the Print Spooler service. This ability is achieved through a capability called Point and Print. Starting with the update for MS16-087, Microsoft requires that printers installable via Point are either signed by a WHQL release signature, or are signed by a certificate that is explicitly trusted by the target system, such as an installed test signing certificate. The intention for this change is to avoid installation of malicious printer drivers, which can allow for Local Privilege Escalation (LPE) to
While Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify queue-specific files that are associated with the use of the device. For example, a shared printer can specify a
CopyFiles directive for arbitrary ICM files. These files, which may be copied over alongside the digital-signature-enforced printer driver files are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for LPE to
SYSTEM on a vulnerable system.
An exploit for this vulnerability is publicly available.
By connecting to a malicious printer, an attacker may be able to execute arbitrary code with
SYSTEM privileges on a vulnerable system.
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
Block outbound SMB traffic at your network boundary
Public exploits for this vulnerability utilize SMB for connectivity to a malicious shared printer. If outbound connections to SMB resources are blocked, then this vulnerability may be mitigated for malicious SMB printers that are hosted outside of your network. Note that Microsoft indicates that printers can be shared via the [MS-WPRN] Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic. Also, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.
Microsoft Windows has a Group Policy called "Package Point and Print - Approved servers", which is reflected in the
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers registry values. This policy can restrict which servers can be used by non-administrative users to install printers via Point and Print. Configure this policy to prevent installation of printers from arbitrary servers.
This vulnerability was publicly disclosed by Benjamin Delpy.
This document was written by Will Dormann.
|Date First Published:||2021-07-18|
|Date Last Updated:||2021-07-19 18:59 UTC|