Critical Print Spooler Bug allows Attackers to Hack any version of Microsoft Windows



Microsoft's July Patch Tuesday offers 11 security bulletins with six rated critical resolving almost 50 security holes in its software.

The company has patched a security flaw in the Windows Print Spooler service that affects all supported versions of Windows ever released, which, if exploited, could allow an attacker to take over a device via a simple mechanism.

The "critical" flaw (CVE-2016-3238) actually resides in the way Windows handles printer driver installations as well as the way end users connect to printers.


The flaw could allow an attacker to install malware remotely on a victim's machine that can be used to view, modify or delete data, or create new accounts with full user rights, Microsoft said in the MS16-087 bulletin posted Tuesday.

Users who are logged in with fewer user rights on the system are less impacted than users who operate with administrative user rights, such as some home accounts and server users.

Microsoft said the critical flaw could be exploited to allow remote code execution if an attacker can conduct a man-in-the-middle (MiTM) attack on a system or print server or set up a rogue print server on a target network.

http://thehackernews.com/2016/07/printer-security-update.html


The coverage of it on Security Now


Okay, now. Oh, boy. Twenty-year-old designed-in Windows behavior lets printers, or anything pretending to be a printer, install malware.

Leo: Well, why not?

 

Steve: All the way back, starting with Windows 95.

Leo: Oh, lord. Which, by the way, underscores your contention that many of the pieces in this brand new modern Windows 10 are kind of old.

Steve: Yeah.

 

Leo: What subsystem is this?

 

Steve: Get this. Okay. So, well, and so we have a problem, Houston, that Microsoft made a change on Tuesday which allowed these guys, Vectra Networks, to go public with what they found. So they wrote in their own blog: "Security researchers with Vectra Threat Labs" - and it's VectraNetworks.com - "uncovered a critical vulnerability" - and, yeah, and it's got a CVE number, but unfortunately it's not something, well, as we'll see, that can really be fixed - "which affects all versions of Microsoft Windows all the way back to Windows 95. The vulnerability is created by the way Windows clients interact with network printers, allowing an attacker to execute code at the system level" - so full system privileges - "either over a local network or" - are you sitting down? - "over the Internet."

 

Leo: No.

 

Steve: Oh. Twenty years ago, they write - oh, no, I guess this is me. I'm sorry. Twenty years ago Microsoft implemented a very dangerous feature known as Microsoft Web Point-and-Print Protocol which allows - and think about this. I mean, we've seen this in action.

Leo: Oh, yes.

 

Steve: Which allows a Windows machine connecting to a network-hosted printer for the first time to receive and install a printer driver delivered from the printer. What could possibly go wrong? And I have to say I was reminded of the very similar Windows Metafile design mistake Microsoft made during the same time period.

Leo: Right, right.

 

Steve: Which was one of our very first podcasts. When I looked at the Metafile code, it was immediately clear to me that this was not a mistake. This was on purpose. Now, it was misinterpreted. Even my analysis was misunderstood because I never said this was malicious. People just didn't understand that, when this was done, it didn't seem like a bad idea because nobody - it was like "The Wrath of Khan," where he didn't raise his shields, and he's approaching Kirk on the Enterprise, and Kirk is saying, well, this is mighty odd, and Khan says, "We're all one big happy Federation," you know, "no need to raise shields." Similarly...

 

Leo: It was a perfect time, Steve. Kids played outside.

Steve: Precisely.

 

Leo: You didn't lock the doors.

Steve: Dogs did their business, and everyone just walked off.

Leo: We didn't have cell phones.

Steve: You avoided the landmines, yeah.

Leo: No answering machines.

 

Steve: Right. So back when the Metafile format was created, someone said, hey, how cool would it be if a token accepted a pointer that jumped to code in the Metafile? Well, fast-forward 15 years. Oh, my god, you know. And so people thought I was crazy for thinking that Microsoft would have ever done this, except I will note that Mark Russinovich agreed with me, and we would respect his opinion, as well. So this is similar. This is back with Windows 95, when IPX and SPX and Novell NetWare - and Bill was still kind of thinking, you know, we've got to buy a bunch of modems at Microsoft so people can call into the Microsoft Network, and we can compete with that AOL thing and CompuServe and so forth.

 

And so back then, what a convenience. You could bring in a laptop, plug it into the network. Now, the network might have a shared printer. Well, it's going to need a driver. But who knows what driver? How convenient for the printer to provide it to the computer. So it's called Plug-and-Print. And of course we remember Plug and Play, or Plug and Pray, from the day. Oh, I'm sorry, it's Point-and-Print. And so what Microsoft did was design a protocol with no user interaction because that would confuse people. You just want it to work. So even in today's OS under 7 or 8 or 10, it bypasses UAC, no notification at all. It installs a kernel driver, which is, like, god power, in the kernel of the OS from anything that your computer finds that looks like a network printer. And it isn't even restrained to the LAN.

 

So taking it kind of calmly, more so than I am, Vectra said: "Most organizations try to apply the principle of least privilege to the devices in their networks. This works pretty well for things like laptops or desktops since the hardware they use doesn't change very often. However, printers are a bit different. While they still need drivers, printers need to support virtually any user that wants to connect to them. As end-users move through a building, they naturally want to use the printer closest to them." Because, you know, it spits out that paper that they have to then go get. So they don't want the printer on the 12th floor to be printing it when they're on the third floor.

 

"Mobile users expect to be able to easily connect and use a printer when they come into the office. In addition, most organizations don't standardize on a single printer, and will have multiple models and manufacturers often within a single network. So instead of having system administrators push all possible printer drivers to all workstations in the network, the solution was to develop a way to deliver the driver to a user's device right before the printer is used. And this is where Point-and-Print showed up." A happy name.

 

"This approach stores a shared driver on the printer or print server, and only the users of that printer receive the driver that they need. At first glance, this is a practical and simple solution to driver deployment. The user gets access to the printer driver they need without requiring an administrator - a win-win. The issue? The problem is that, for this scheme to work nicely from an end-user perspective, an exception was required. Normally, User Account Controls are in place to warn or prevent a user from installing a new driver. To make printing easier, an exception was created to avoid" that pesky - I'm adding that, editorializing - UAC control. "So in the end," they write, "we have a mechanism that allows downloading executables from a shared drive and run them as system privilege on a workstation without generating any warning on the user side. From an attacker perspective..."

 

Leo: It's amazing.

 

Steve: "...this is almost too good to be true, and of course..."

Leo: Vectra calls it a watering hole attack.

Steve: Well, yeah, exactly.

Leo: Which I love. I mean, I don't love the attack, but the idea is you just - all you have to do is infect the printer.

Steve: Right. And not only will your system get infected, but reinfected.

Leo: Yeah, yeah.

Steve: Every time it tries to print to it.

Leo: Put it on the printer.

 

Steve: So they said: "This is almost too good to be true, and of course we had to give it a try. Researchers at the security firm Vectra Networks" - they're speaking in the third person - "discovered that the Windows Print Spooler doesn't authenticate print drivers when installing them from remote locations." Because we're all one big happy world. "That lack of authentication makes it possible for attackers to use several different techniques" - I mean, again, this is such a gaping hole, you don't have to - it's not like worming your way through some complex incantation of four different exploits that have to interact perfectly, and only when the ASLR happens to land in the right place. No. This is by design from Windows 95 and has never gone away.

 

They said: "The lack of authentication makes it possible for attackers to use several different techniques that deliver maliciously modified drivers instead of the legitimate one provided by the printer maker. The exploit effectively turns printers, printer servers, or potentially any network-connected device masquerading as a printer" - and remember, that's just a protocol thing. So, yes, a light bulb from China could pretend to be a printer. And it's like, oh, I didn't know there was a printer there. Let's send some documents to it. And it takes over your machine.

Leo: Unbelievable.

 

Steve: "Into," they write, "into an internal drive-by exploit kit that infects machines whenever they connect."

Leo: I just want to say, when you come to this studio, if you ever want to use our printer, please, be my guest. Just go right ahead.

Steve: You'll walk away with a free gift.

Leo: A free gift.

Steve: And then I wrote...

Leo: That's been in there for 20 years.

Steve: Yes. But wait, there's more.

Leo: Oh, no. More?

 

Steve: Vectra Networks wrote - and I'm paraphrasing from what they said for a bit more emphasis. Under "Infecting Remotely Using Internal Printing Protocol and webPointNPrint," they write: "So far we have constrained ourselves to an internal network where a device was either inserted or infected and used to further infect devices connected to it." I mean, so understand, they've done this. And their blog posting has, chapter and verse, the whole - it's all laid out. "Internet Printing Protocol (IPP) and webPointNprint allow us to extend this issue outside the Intranet to the Internet. IPP [Internet Printing Protocol] allows for the same mechanism to load drivers from remote, in this case very remote, printers. This can be done with the following piece of code from the MS print server." And then their blog shows it.

 

Now, this was "fixed," in quotes, last Tuesday. What did Microsoft change? Well, they're unable to change this behavior without crucially and critically breaking 20 years of roaming laptop and mobile computing transparent printer driver installation. So they added a dialogue. And we've seen how well those work with, for example, not upgrading to Windows 10. So the good news is security-conscious people can disable Point-and-Print. As I dug into this, I didn't have a chance to go any further. I will probably see what it takes to do that and provide some guidance for next week because I imagine our listeners will be very interested in perhaps not having this happen to their users. You can push it through group policy, so a corporation could do this. And so essentially the only thing Microsoft could do is make it less transparent. They could not break it because too much of the existing infrastructure depends on this behavior.

 

But this is, again, this is a classic example of something that back in 1995, with Windows 95, seemed like a good thing. And then, now, someone did deliberately extend it to the Internet Printing Protocol. It might have been wise to say, you know, let's not let remote printers on the Internet install kernel drivers without any user interaction. Someone should have said no to that because that was in more recent times. But it's probably still, who knows, maybe 15 years ago. So, unbelievable. Yes?

 

Leo: Well, the good news is printers always auto update. So you don't have to ever - never mind. We continue on with the security news of the day.

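Steve mentions above that Point-and-Print can be restrained through Group Policy. The following is an added example, not code from the podcast, from Vectra or from Microsoft: it reads and sets the registry values that the "Point and Print Restrictions" policy (Computer Configuration, Administrative Templates, Printers) writes, so that clients only accept drivers from a named list of print servers and non-administrators get a warning and elevation prompt instead of a silent install, and it then lists the driver binaries the spooler has already loaded with their Authenticode signature status. The server names are placeholders; the value names are the ones that policy writes; run it elevated.

```powershell
# Added example: audit and harden Point and Print driver installation on a Windows
# client, then inventory installed print driver binaries and their signatures.
# Assumptions: run from an elevated PowerShell; print01/print02 are placeholder names.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # A missing key means the policy is "Not Configured", i.e. the legacy
    # prompt-free driver install described in the podcast is in effect.
    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        Configured                    = $true
        Restricted                    = $p.Restricted
        TrustedServers                = $p.TrustedServers
        ServerList                    = $p.ServerList
        InForest                      = $p.InForest
        NoWarningNoElevationOnInstall = $p.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $p.UpdatePromptSettings
    }
}

function Set-PointAndPrintRestriction {
    param(
        [Parameter(Mandatory)] [string[]] $TrustedServerNames   # FQDNs of approved print servers
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Restricted=1 enables the policy; TrustedServers=1 plus ServerList limits the
    # print servers a client will pull a driver from (semicolon-separated list).
    Set-ItemProperty -Path $PolicyKey -Name Restricted     -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name TrustedServers -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ServerList     -Value ($TrustedServerNames -join ';') -Type String
    # InForest=0: do not automatically trust every print server in the AD forest.
    Set-ItemProperty -Path $PolicyKey -Name InForest       -Value 0 -Type DWord
    # 0 = "Show warning and elevation prompt" for new connections and driver updates;
    # 1 and 2 progressively remove the prompt, which is the behaviour to avoid.
    Set-ItemProperty -Path $PolicyKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name UpdatePromptSettings          -Value 0 -Type DWord
}

function Get-InstalledPrintDriverSignature {
    # Win32_PrinterDriver.DriverPath is the driver DLL the spooler loads for each
    # installed driver; report whether it carries a valid Authenticode signature.
    Get-CimInstance -ClassName Win32_PrinterDriver | ForEach-Object {
        $status = if ($_.DriverPath -and (Test-Path -LiteralPath $_.DriverPath)) {
            (Get-AuthenticodeSignature -FilePath $_.DriverPath).Status
        } else {
            'FileMissing'
        }
        [pscustomobject]@{
            Driver    = $_.Name        # e.g. "HP Universal Printing PCL 6,3,Windows x64"
            Path      = $_.DriverPath
            Signature = $status        # Valid, NotSigned, HashMismatch, UnknownError, FileMissing
        }
    }
}

# Usage: show the state before, apply the restriction, show it after, then list
# any already-installed driver whose binary is not validly signed.
Get-PointAndPrintPolicy
Set-PointAndPrintRestriction -TrustedServerNames @('print01.corp.example', 'print02.corp.example')
Get-PointAndPrintPolicy
Get-InstalledPrintDriverSignature | Where-Object Signature -ne 'Valid' | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The policy only changes which servers a client will accept a driver from and whether the user is prompted; it does not make the spooler authenticate the driver, which is the design problem the transcript describes, so a trusted print server that is itself compromised can still push a driver. And the signature inventory covers drivers already on the box, so it is a check for past exposure, not a preventive control. In a domain these values are normally set once in a GPO rather than on each machine.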

I listened to that podcast and I'm not sure about this. I know in my environment, a non-admin user (in Windows 7) cannot install (manually or otherwise) a printer - of any kind. I've tried. I've brought a new machine online (long before that patch) without admin creds and attempted to map/install a network printer and was quickly prompted by UAC for admin credentials. Now, in a home environment, sure, this could be an issue. Since I gave up supporting friends and family a few years back (just too many people in that group who claim to know everything, then complain when they get junkware every few months), this is a non-issue for me. I suppose for you, warwagon, this just means more business!