Slashdot Mirror


Vulnerability Exploitable Via Printer Protocols Affects All Windows Versions (softpedia.com)

An anonymous reader writes from a report via Softpedia: "Microsoft patched today a critical security vulnerability in the Print Spooler service that allows attackers to take over devices," reports Softpedia. "The vulnerability affects all Windows versions ever released. [Security firm Vectra discovered the vulnerability (CVE-2016-3238), which Microsoft fixed in MS16-087.] At its core, the issue resides in how Windows handles printer driver installations and how end users connect to printers. By default, in corporate networks, network admins allow printers to deliver the necessary drivers to workstations connected to the network. These drivers are silently installed without any user interaction and run under the SYSTEM user, with all the available privileges." An attacker can hack printers and replace these files with his own. The vulnerability is exploitable from both the local network and the internet, thanks to protocols like Internet Printing Protocol or the webPointNPrint. The exploit can be delivered via ads or JavaScript code inside a compromised website. The vulnerability is actually an OS design issue and affects all Windows versions ever released. Microsoft also announced today plans to make its recently renamed Windows 10 Enterprise product available as a subscription for $7 per user per month, or $84 per year.

78 comments

  1. So completely ass backwards by fustakrakich · · Score: 2

    Drivers belong on the printer, not the damn computer. Who dreamed up this shit?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re: So completely ass backwards by Billly+Gates · · Score: 2

      Those like my employer where my present location has 1100 seats. I can't go around installing printer drivers all day or close the company down because we had to move a copier and the installed print driver only works for a specific port.

      Reinstalling the driver 1100 times is not an option!

    2. Re:So completely ass backwards by BaronM · · Score: 5, Informative

      Well, the computer at least needs to have a good idea of the printer capabilities. I suppose we could put that in a plain-text file, and call it 'printcap' or something. Of course, we'll also need to know how to trigger those capabilities. Maybe some sort of in-band signaling with special characters, like escape codes.

      That's all good, but what if we want more advanced features like graphics. We could generate bitmaps, but that would be terribly device-specific and bandwidth-hungry. How about we use an encoding that can encapsulate the way we intend the page to look? We could call it a 'page description language'. Yeah, that'd be cool.

      Well, now that we've got that, we do need some software to take the output from a program and encode it in our page description language. Otherwise, each and every program would need to know each and every common PDL. That's dumb -- we should use a standard intermediate representation that each program can speak to the OS, and let the OS transform that into the PDL of the printer it's talking to!

      OK, now we've got it: a common, logical way for programs to describe their output to the OS, the OS providing a translation service to send that representation to the printer, and page description languages that let us produce sophisticated output without having to generate and transmit bitmaps and escape codes for every little thing.

      That would be much better than this 'printer driver' crap, right ;)

    3. Re: So completely ass backwards by munwin99 · · Score: 2

      Those like my employer where my present location has 1100 seats. I can't go around installing printer drivers all day or close the company down because we had to move a copier and the installed print driver only works for a specific port.

      Reinstalling the driver 1100 times is not an option!

      Who has 1100 seats and DOESN'T have some form of automated deployment tool? That sounds like job #1 to me...

      --
      What's On Your Network ??? http://www.open-audit.org/
    4. Re: So completely ass backwards by Anonymous Coward · · Score: 0

      What do you think this exploit is exploiting? Winder's machination for disseminating printer drivers to connecting clients.

    5. Re: So completely ass backwards by Anonymous Coward · · Score: 0

      "Otherwise, each and every program would need to know each and every common PDL."

      Been there, done that. 1986 called. They want their printer configurations back.

    6. Re: So completely ass backwards by Anonymous Coward · · Score: 1

      Whoosh...

    7. Re: So completely ass backwards by Anonymous Coward · · Score: 0

      What kind of retard wants to print something anyway? The 1500s called.

    8. Re:So completely ass backwards by NotInHere · · Score: 3, Insightful

      I am also wondering about why you actually need to run printer driver code with system privileges. Isn't that a wrong approach? Yes, I agree printer drivers might not be required at all, but why do network printer drivers need full system privileges?

      It's not that they are trying to speak over some hardware bus or something, all they need to have is an interface to the OS where the documents come in, and a network fd or something. They don't even need access to the file system, do they? Maybe for some settings and a cache and stuff. But really, they can be totally sandboxed. But well it's windows...

    9. Re:So completely ass backwards by Anonymous Coward · · Score: 1

      a PPD file should be all you need. don't even bother with anything else that requires more or requires proprietary drivers, especially when printing from systems other than windows.

    10. Re:So completely ass backwards by dbIII · · Score: 1

      Back in the day on platforms like the Atari ST that was the case, but it sucked since you had to wait until the printing was done before you could do anything else. Some enterprising people wrote "print spooler" programs that could be resident in the background and handle communication with the printer while the user could do other stuff, even on platforms where the OS did not enable multitasking. Later platforms had that come with the software distribution or with the printer drivers.

      The ones on the MS platform are very limited so a lot of printer vendors have extra software that interfaces directly with the spooler API or even replaces it entirely (needed for things like plotters with rolls of paper and other edge cases not covered by the very limited MS print spooler software). Since it is written to allow third party stuff to get its hooks into it and was written at a time when MS infamously didn't give a shit about security problems the obvious has happened and it has been exploited. Maybe it's a sign that other stuff has been cleaned up and the malware malcontents are going after such legacy soft spots.

    11. Re:So completely ass backwards by dbIII · · Score: 2

      It's the spooler.
      It's old and meant to have third party stuff hook into it.

    12. Re: So completely ass backwards by Anonymous Coward · · Score: 0

      So everyone should run with admin privileges to make IT dept. work easier?

    13. Re:So completely ass backwards by Anonymous Coward · · Score: 0

      Drivers belong on the printer, not the damn computer. Who dreamed up this shit?

      Someone who thought WYSIWYG would be a good idea.

    14. Re:So completely ass backwards by Anonymous Coward · · Score: 0

      a PPD file should be all you need. don't even bother with anything else that requires more or requires proprietary drivers, especially when printing from systems other than windows.

      And the PPD interpreter would know about how to handle every possible printer's fonts, graphics capabilities, tray and paper types, hole punch, stapling, method of two-sided printing, etc, barcode types, from now and for all the future printers as well?

    15. Re: So completely ass backwards by xSauronx · · Score: 2

      a disturbingly high number of people. last job I had I was a SysAdmin for a manufacturer. everyone salaried had been there 20 - 40 years. they all had dual screen computers or laptops...and printed like there was no tomorrow to take reports around for review. I couldn't get them to stop.

      I'm at a hospital now. less printing in general for some people, but it's *required* that patients get some things in print. it'll change one day, but not for a while.

      --
      By and large, language is a tool for concealing the truth. -- George Carlin
    16. Re:So completely ass backwards by Anonymous Coward · · Score: 0

      It's weird - i've always disabled spooler on computers I didn't need to print on, and as I was doing it thought "this is just OCD and insane probably" - but I hate attack vectors and resource usage.

      Tin foil is right again!

    17. Re: So completely ass backwards by Anonymous Coward · · Score: 0

      If they don't give me admin, offline registry hacking gives me admin. It's easy to replace the hash for the local admin password, log on and give myself admin rights, and then restore the original admin password hash. No one's the wiser. They try to use AD to block these shenanigans, but that's also easy to work around.

    18. Re: So completely ass backwards by The-Ixian · · Score: 1

      Seems like the simple solution to your "hack" is to lock the BIOS (so you cannot change boot order) and use full disk encryption.

      --
      My eyes reflect the stars and a smile lights up my face.
    19. Re:So completely ass backwards by wbo · · Score: 1

      Most print drivers do not run with Local System privileges by default on Windows but the driver installers do. This vulnerability involves replacing the real driver installer with a malicious one and exploiting systems that way.

      Windows supports signature verification for print drivers - it is just disabled by default even though most current print drivers are signed. You can also configure Windows to only install print drivers served from specific print servers. Enabling either option would be pretty effective at making this vulnerability very hard if not impossible to exploit.
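
An added example, not part of the thread and not Microsoft's own tooling: a read-only PowerShell audit of the settings comment 19 describes (driver downloads limited to named print servers, prompts on driver install) plus the spooler state that comment 16 talks about disabling. It assumes the settings are delivered through the Point and Print group policies and read from their registry values; treating the package-only policy as the closest match for the "signature verification" option is an assumption of this example.

```powershell
# Added example: read-only audit of the client-side Point and Print policy
# and the Print Spooler service on the local machine. It changes nothing.

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $path = Join-Path $PrintersPolicy $SubKey
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Finding {
    param([string]$Setting, $Value, [bool]$Ok, [string]$Note)
    [pscustomobject]@{
        Setting = $Setting
        Value   = if ($null -eq $Value) { '(not set)' } else { $Value }
        Status  = if ($Ok) { 'OK' } else { 'REVIEW' }
        Note    = $Note
    }
}

function Get-PointAndPrintAudit {
    $results = @()

    # "Point and Print Restrictions": only accept drivers from named servers.
    $trusted = Get-PolicyValue 'PointAndPrint' 'TrustedServers'
    $servers = Get-PolicyValue 'PointAndPrint' 'ServerList'
    $note = 'Clients should only Point and Print to an explicit server list.'
    $results += New-Finding 'TrustedServers' $trusted ($trusted -eq 1) $note
    $note = 'Semicolon-separated print servers allowed to hand out drivers.'
    $results += New-Finding 'ServerList' $servers ([bool]$servers) $note

    # Prompt behaviour: 0 or not set keeps the warning and elevation prompt;
    # any other value lets drivers install or update without it.
    $install = Get-PolicyValue 'PointAndPrint' 'NoWarningNoElevationOnInstall'
    $update  = Get-PolicyValue 'PointAndPrint' 'UpdatePromptSettings'
    $note = 'Non-zero suppresses the prompt when a new driver is installed.'
    $results += New-Finding 'NoWarningNoElevationOnInstall' $install (-not $install) $note
    $note = 'Non-zero weakens or suppresses the prompt on driver updates.'
    $results += New-Finding 'UpdatePromptSettings' $update (-not $update) $note

    # Package Point and Print: package-aware drivers are signed packages.
    # Using this as the "signature verification" control is an assumption.
    $pkgOnly = Get-PolicyValue 'PackagePointAndPrint' 'PackagePointAndPrintOnly'
    $pkgList = Get-PolicyValue 'PackagePointAndPrint' 'PackagePointAndPrintServerList'
    $note = '1 = refuse drivers that are not package-aware.'
    $results += New-Finding 'PackagePointAndPrintOnly' $pkgOnly ($pkgOnly -eq 1) $note
    $note = '1 = package drivers only from the approved server list.'
    $results += New-Finding 'PackagePointAndPrintServerList' $pkgList ($pkgList -eq 1) $note

    # Spooler state is informational: it is needed on hosts that print and
    # is a candidate for disabling on hosts that never do.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if ($svc) {
        $results += [pscustomobject]@{
            Setting = 'Spooler service'
            Value   = "$($svc.State) / $($svc.StartMode)"
            Status  = 'INFO'
            Note    = 'Disable on machines that never need to print.'
        }
    }
    $results
}

Get-PointAndPrintAudit | Format-Table -AutoSize -Wrap
```

Any REVIEW row means the machine will accept drivers more freely than the restricted configuration the comment describes; the rows say nothing about whether MS16-087 itself is installed.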

    20. Re:So completely ass backwards by Anonymous Coward · · Score: 0

      You don't. It's a legacy holdover.

      If you've ever worked with printers, or administering printers on a network, you'd know that the term "legacy holdover" pretty much defines the printing experience.

      Microsoft, for quite a while, has been trying to rectify the situation because they're quite aware of how bad it is for a print driver to pwn your system. They regularly make improvements to the print system and have driver models that run completely in user mode.

      https://msdn.microsoft.com/en-us/library/windows/hardware/hh706306(v=vs.85).aspx

      Trouble is, there are a lot of legacy printers with old legacy drivers. And device makers that make shitty, shitty, shitty drivers that use the old driver models. (Really printer makers are fucking terrible in this regard. You'd never believe some of the buggy shit you'll see even in 2016) So those old subsystems, with kernel mode drivers and all, still exist. In fact by default you have to flip a bunch of group policies to push unsafe drivers without admin privs. (Microsoft has been worried about MITM attacks with print drivers for a while)

    21. Re: So completely ass backwards by Anonymous Coward · · Score: 0

      You might enjoy part one and part two (part three forthcoming) in an informative and entertaining series regarding Windows FDE (Bitlocker+TPM) bypass techniques. Other methods also exist which aren't floating around in openly accessible publications. Cheers. -PCP

  2. Exploitable from the internet? by mark-t · · Score: 1

    Even through a NAT?

    1. Re:Exploitable from the internet? by whoever57 · · Score: 1

      Even through a NAT?

      I think, yes, but very unlikely. If the user tries to print using a printer that is outside the NAT, then that printer could compromise the Windows installation.

      --
      The real "Libtards" are the Libertarians!
    2. Re:Exploitable from the internet? by mark-t · · Score: 1

      What if both the windows computer and the printer are behind the NAT?

    3. Re:Exploitable from the internet? by whoever57 · · Score: 1

      What if both the windows computer and the printer are behind the NAT?

      If the printer is already compromised, yes. Note that "printer" in this scenario is more likely a print server, which could be running Windows, or perhaps a Linux/SAMBA box.

      There might also be more scope for this with "cloud" print services, but I really don't know.

      --
      The real "Libtards" are the Libertarians!
    4. Re:Exploitable from the internet? by dbIII · · Score: 1

      Look up the NAT traversal exploits. NAT is not security but people get confused since it's often handed out by the same device that does firewalling.

    5. Re:Exploitable from the internet? by Sique · · Score: 3, Interesting

      NAT requires packet inspection. Thus every NATting device is a packet inspection engine, and having some configurable rules which packets to translate and which packets to discard gives you a stateful firewall. That's the main reason why NATting is done on the same device that does firewalling.

      --
      .sig: Sique *sigh*
    6. Re:Exploitable from the internet? by dbIII · · Score: 1

      True but I'm addressing the common and dangerous "NAT is security via obscurity therefore IPv6 should be avoided even though it can do NAT if you really want" myth. The bad guys can get through NAT easier than we would hope.

    7. Re:Exploitable from the internet? by myowntrueself · · Score: 1

      True but I'm addressing the common and dangerous "NAT is security via obscurity therefore IPv6 should be avoided even though it can do NAT if you really want" myth. The bad guys can get through NAT easier than we would hope.

      I know so many people who are otherwise quite technically competent who are terrified of IPv6 for this very reason and refuse to look into it, refuse to learn about it, refuse to check it out.

      --
      In the free world the media isn't government run; the government is media run.
    8. Re: Exploitable from the internet? by Anonymous Coward · · Score: 0

      Umm Nat doesn't require packet inspection, it requires header inspection for port and ip, it doesn't care about the packet contents. It just needs to be able to tie up a port and ip to an internal port and ip. As has already been mentioned, a device that solely NATS only offers security through obscurity and nothing else. This can be done on either a firewall or router, however if you want packet inspection and such, that's a firewall job

  3. gotta love automatic installers by Anonymous Coward · · Score: 0

    gotta love automatic installers, it makes things so easy

  4. Samba? by Ungrounded+Lightning · · Score: 3, Interesting

    I'm not a Windows user or admin, but I'm curious:

    Does Samba support the corresponding protocols and emulate this behavior (and is it compatible enough with Microsoft's code to support the exploit)?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Samba? by Anonymous Coward · · Score: 2, Informative

      Yes, if you share a printer using Samba you can optionally create the print$ share that windows will use when trying to download the drivers.
      As documented at https://www.suse.com/communiti... (and many other places)

    2. Re:Samba? by Anonymous Coward · · Score: 0

      I'm not a Windows user or admin, but I'm curious

      I've certainly heard that before. I'm curious too, so I use windows to look outside, but only in moderation. I'm not exactly a user.

  5. XP by Anonymous Coward · · Score: 0

    yea I thought so...

    1. Re:XP by Anonymous Coward · · Score: 0

      Easy solution for XP like mine.
      Found the external call for drivers, so just replaced the function call with 0x90 (nop opcode) to disable the vulnerability.
      Easy patch which doesn't require downloading a bloated patch from M$.

  6. What could possibly go wrong... by mspohr · · Score: 3, Insightful

    Great idea to allow an external device to automatically install software on your computer.
    What are these people thinking?... or not...

    --
    I don't read your sig. Why are you reading mine?
    1. Re:What could possibly go wrong... by redback · · Score: 1

      it has to be triggered from the target machine and requires admin rights, unless you go out of your way to set it up to not need admin rights.

    2. Re:What could possibly go wrong... by Anonymous Coward · · Score: 0

      *shrug* Having your login script determine the printers you will need to be able to access based on what IP address block you are currently in and automatically installing the correct drivers is actually a pretty good idea. Having any of the print servers accessible from the internet, however, sounds pretty brain dead to me.

  7. To all those who disable Windows update by Billly+Gates · · Score: 1

    Ha!

    Told ya so. Let's see how secure your system stays

    1. Re:To all those who disable Windows update by Anonymous Coward · · Score: 1

      I don't need Windows Update turned on to download this.

  8. javascript - surprise surprise. by Anonymous Coward · · Score: 2, Insightful

    The exploit can be delivered via ads or JavaScript code inside a compromised website.

    So yet again, time after time after goddamn time, javascript is the attack vector.

    Look, we've seen thousands of stories over the past years of javascript allowing various exploits. It's time for people to realize that allowing random ads and web sites to run any form of explicit code on your computer is a bad idea. With descriptive languages like HTML, at least there is a shot at a proper sandbox and they lack the ability to do arbitrary things like this.

    If you are still running javascript by default in 2016, you pretty much deserve what you get. It's not like javascript based exploits are rare.

    Very, VERY few sites have any legitimate reason to execute code in your browser. On top of that, the web sucks a whole lot less if you turn that shit off and only allow it when there is an actual reason for it. You avoid a bunch of tracking and annoyance-ware such as sites disabling cut and paste.

  9. *ALL* windows versions? by wierd_w · · Score: 1

    hell, before 3.11, windows was not even network aware!

    That's a pretty impressive exploit! /s

    (idiot journalists...)

    1. Re:*ALL* windows versions? by Anonymous Coward · · Score: 0

      Windows 3.11 has been discontinued for decades. By "all versions" a company/journalist only refers to actively supported products. (TYL = Today You Learned)

    2. Re:*ALL* windows versions? by Etcetera · · Score: 1

      Windows 3.11 has been discontinued for decades. By "all versions" a company/journalist only refers to actively supported products. (TYL = Today You Learned)

      Well, the bigger question is what's going on with XP (and what affects XP probably affects Win2K). I can't really tell if this is dependent on the NT model or if it's truly a higher level Windows design flaw, which probably would then go back to Win 95.

      "Printer configuration for Windows 95 and System 7.5.3" are things I've probably intentionally blocked out from my memory.

    3. Re:*ALL* windows versions? by wierd_w · · Score: 0

      That is NOT what they wrote. They explicitly stated "ever released". 3.11 was not only released publicly, it was a flagship product in its day-- it was WIDELY released.

      the only thing I learned from you today is that you are an apologist for language arts professionals that fail at language arts, AC. Or perhaps that you don't understand that a journalist has a responsibility to use precise language, and research their story to present a factual accounting of the story. Perhaps both.

      In either case, the main thrust is that you are a disreputable idiot.

      Dumbass.

    4. Re:*ALL* windows versions? by Anonymous Coward · · Score: 0

      I think Windows Server 2000 would be the earliest exploitable version. I don't recall NT 4 having the "driver download" feature.

    5. Re:*ALL* windows versions? by Anonymous Coward · · Score: 0

      Do you know if Windows 3.11 is not affected? Are you running on the assumption that since 3.11 did not come out of the box with networking that it isn't affected by this PRINT SPOOLER vulnerability? According to Wikipedia, various DOS versions supported a print spooler so it is possible that this issue affects all operating systems ever released by Microsoft...
      I do know for a fact that Windows 3.1+ supported TCP/IP networking (and TPX + Netware Networking) if you installed the appropriate software as my first WWW experience was using Netscape on Windows 3.1 (way back when Yahoo actually had a human curated list of pretty much every single website online). I had also played Doom multiplayer over IPX networking on 3.1.

  10. Easier exploit! by Ungrounded+Lightning · · Score: 4, Interesting

    Yes, if you share a printer using Samba you can optionally create the print$ share that windows will use when trying to download the drivers.

    Interesting.

    So bad guys don't even have to hack a printer to exploit this bug. They can just host a Samba print server (maybe even without a printer attached) with the nasty driver in its database. Anyone who tries to print on that "printer" from a Windows machine gets pwned.

    Ought to fit in a BeagleBone, Raspberry, Shiva Plug, etc., or something even smaller, just fine. Plug it into an Ethernet LAN, or just plug in a USB WiFi dongle and it can advertise on the air like any other WiFi-connectable printer.

    Add a battery, good for a few days, and they have a pocket-sized exploiter that they can carry or drop within radio range of an office, or bury in the packing material of something they mail to the victim.

    If it can detect a local printer and masquerade as it, forwarding the print jobs to it, there might be no obvious sign that anything unusual was happening.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Easier exploit! by Anonymous Coward · · Score: 0

      all packets from un-authorized MACs will be dropped on sight by the first switch you hit. VLANs and ACLs are a thing.

    2. Re:Easier exploit! by Joe_Dragon · · Score: 2

      get a 2 port one and clone the mac of the printer stick an HP logo on it and it looks like it's part of the printer.

    3. Re:Easier exploit! by radarskiy · · Score: 2

      ...assuming the client machines allowed random users to add random printers with unsigned drivers. Since Windows 7, the default is not to allow this so someone would have to deliberately enable it.

    4. Re:Easier exploit! by myowntrueself · · Score: 2

      Yes, if you share a printer using Samba you can optionally create the print$ share that windows will use when trying to download the drivers.

      Interesting.

      So bad guys don't even have to hack a printer to exploit this bug. They can just host a Samba print server (maybe even without a printer attached) with the nasty driver in its database. Anyone who tries to print on that "printer" from a Windows machine gets pwned.

      Ought to fit in a BeagleBone, Raspberry, Shiva Plug, etc., or something even smaller, just fine. Plug it into an Ethernet LAN, or just plug in a USB WiFi dongle and it can advertise on the air like any other WiFi-connectable printer.

      Add a battery, good for a few days, and they have a pocket-sized exploiter that they can carry or drop within radio range of an office, or bury in the packing material of something they mail to the victim.

      If it can detect a local printer and masquerade as it, forwarding the print jobs to it, there might be no obvious sign that anything unusual was happening.

      And call the fake printer something like "Expensive color printer, only use for serious stuff"

      --
      In the free world the media isn't government run; the government is media run.
  11. For a few bucks.. by Anonymous Coward · · Score: 0

    We will get you fixed right up..

  12. Re:LIES. BULLSHIT. NOPE. by Anonymous Coward · · Score: 0

    Please mod this -1 so everybody will pay closer attention to it. Thanks, mgmt.

  13. Too bad Windows Update isn't working by drinkypoo · · Score: 1

    Downloading 12 updates (0 KB total, 0% complete)

    For a fucking hour now.

    aptitude -y update works every goddamned time.

    What the actual fuck, Mickeysoft?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Too bad Windows Update isn't working by Anonymous Coward · · Score: 0

      If Win7, install the June 2016 rollup. It's still optional. Fixes slow Windows Update.

    2. Re:Too bad Windows Update isn't working by drinkypoo · · Score: 1

      If Win7, install the June 2016 rollup. It's still optional. Fixes slow Windows Update.

      I'm trying!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Too bad Windows Update isn't working by Anonymous Coward · · Score: 0

      If Win7, install the June 2016 rollup. It's still optional. Fixes slow Windows Update.

      Also bakes in the Win10-style telemetry from the updates they've been rolling out for 7/8.1 in addition to the GWX nagware/malware. If you install the updates separately, you can track down the KB numbers from just about anywhere on the internet and uncheck/remove them. Install that Win 7 rollup, and you might as well just go all the way to Windows 10, as far as privacy is concerned.

    4. Re:Too bad Windows Update isn't working by drinkypoo · · Score: 2

      If you install the updates separately, you can track down the KB numbers from just about anywhere on the internet and uncheck/remove them.

      Oh, balls. I can't remove the specific KB numbers for telemetry if I install the rollup? So now I have to uninstall the rollup, and go do the process manually? What a PITA.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Too bad Windows Update isn't working by Anonymous Coward · · Score: 0

      On hour nine of "Checking for updates" here. 50% cpu use for nine hours to check for updates? What a load of crap. I think windows has had its last gasp.

      I guess I can try AutoPatcher and see if I can get this one update there. I used to use AutoPatcher only on unlicensed copies of windows. Now it looks like I have to use it for legit copies too.

      MS, you suck. Bad.

    6. Re:Too bad Windows Update isn't working by drinkypoo · · Score: 1

      Oh, balls. I can't remove the specific KB numbers for telemetry if I install the rollup? So now I have to uninstall the rollup, and go do the process manually? What a PITA.

      Actually, it doesn't look like the rollup actually installed? I tried to wusa /uninstall it and it said that KB wasn't even installed. So I'm going through the telemetry removal process again just to make sure, but it looks like I can still uninstall the specific KB numbers, since there's no rollup KB to remove. I restarted in safe mode on the first reboot, maybe that made the update fail.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Too bad Windows Update isn't working by ShaunC · · Score: 1

      KB3168965 is this month's fix for the ever-slowing Win7 update process. Download whichever one applies to you, then reboot and immediately run the installer, before Windows Update has time to fire itself up and hog half your CPU for the next few hours. After rebooting again, Windows Update should do its thing more quickly until they break it again next month.

      https://download.microsoft.com...

      https://download.microsoft.com...

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  14. I am the Viper. I've come to vipe you vindows. by Anonymous Coward · · Score: 0

    I am the Viper. I've come to vipe you vindows. Five-seventy five an hour. I start on West corner, top floor first.

  15. Re:LIES. BULLSHIT. NOPE. by Anonymous Coward · · Score: 0

    Everyone already knows this. You are acting like you have some new privileged inside information? You have nothing new or original to contribute.

  16. let me guess what the fix for this will be by Anonymous Coward · · Score: 1

    upgrade to Windows 10 (also known as Windex and will wipe your data off your system and onto theirs).

  17. what about remote people on the go who need to pri by Joe_Dragon · · Score: 1

    what about remote people on the go who need to print be it at client site / a hotel / etc.

  18. "Network Admins" by jon3k · · Score: 1

    Sure.

  19. Best GIJOE episode ever... by tekrat · · Score: 1

    Mod up.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  20. sandbox by Ungrounded+Lightning · · Score: 1

    Trouble is, there are a lot of legacy printers with old legacy drivers.

    The term "sandbox" comes to mind...

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  21. "There's an app for that!" by Ungrounded+Lightning · · Score: 1

    Ought to fit in a BeagleBone, Raspberry, Shiva Plug, etc., or something even smaller, just fine. ... plug in a USB WiFi dongle and it can advertise on the air like any other WiFi-connectable printer.

    I wonder if there's an app for that?

    Yet. (If there wasn't, I posted the above over 16 hours ago and it's REALLY simple to do.)

    With such an app, any smartphone (of the matching O.S.) becomes a walk-around exploit delivery system.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way