Vulnerability Exploitable via Printer Protocols Affects All Windows Versions

Share this…

Introducing vulnerability of the year: CVE-2016-3238. Microsoft patched today a critical security vulnerability in the Print Spooler service that allows attackers to take over devices via a simple mechanism. The vulnerability affects all Windows versions ever released.

Security firm Vectra discovered the vulnerability (CVE-2016-3238), which Microsoft fixed in MS16-087. At its core, the issue resides in how Windows handles printer driver installations and how end users connect to printers.

Exploit executes payload under SYSTEM user

By default, in corporate networks, network admins allow printers to deliver the necessary drivers to workstations connected to the network. These drivers are silently installed without any user interaction and run under the SYSTEM user, with all the available privileges.

Vectra researchers discovered that an attacker can replace these drivers on the printer with malicious files that allow him to execute any code he’d like on the infected machine.

The attack can be launched from the local network or via the Internet, thanks to the Internet Printing Protocol or the webPointNPrint protocol. This type of attack can be delivered via innocuous methods such as ads (malvertising) or JavaScript code hidden in compromised websites.

Attacks can take place in several ways

There are numerous ways in which these attacks can take place, making CVE-2016-3238 a very dangerous issue for corporate environments.

A threat actor could hack a company’s Internet-connected printers. This can be done using common user-password combinations, or by using vulnerabilities to hack inside the printer by force, and later replace these printing drivers with malicious content. Hacking printers is exceptionally easy these days, as the Weev incident has recently shown us.

If the printer is behind a firewall, an attacker can hack another device or computer on that network, and use it to pivot to the printer and host his malicious files.

If the printer can’t be hacked, or doesn’t have any type of vulnerabilities, the attacker can just spoof the printer via special software. Computers on the attacked network would connect to the fake printer and download the attacker’s malicious code.

Watering hole attacks via printers

Because printers are just like servers, with multiple computers connecting to them to download drivers and print documents, a hacker is technically executing watering hole attacks using printers. Watering hole attacks, or drive-by downloads, are the methods through which exploit kits function.

By this point in time, CVE-2016-3238 is by far the vulnerability of the year, being easy to execute, providing different methods of launching attacks, and affecting a humongous number of users.

Vectra’s researchers have prepared a technical breakdown of the vulnerability on their blog, but they have also made available the following video presentation. Microsoft says it fixed the vulnerability “by issuing a warning to users who attempt to install untrusted printer drivers.”