Don't Forget About Spooling!
Spooling, the mechanism used by input and output devices to temporarily hold data before its execution, is a normal function of your operating system. It helps the CPU stay in the execution phase for longer periods because all the instructions line up in a volatile memory before the main memory fetches them for execution.
One of its most significant uses is in printing, but that is also its most vulnerable side. Print spoolers are used to temporarily store multiple print commands until the printer is ready for them. The service is most common in multi-function printers and larger networks of printers. However, it also has significant potential to be the means for a breach in a network’s security.
So how do print spools serve as a gateway for hackers to breach your cybersecurity? And how do you fix these vulnerabilities? Here is what you need to know.
Why These Vulnerabilities Arise
Print spoolers are designed to allow non-administrative users to be able to install printer drivers. The attackers use the same technique for remote code execution on computers with printer sharing enabled.
According to Microsoft, it can also happen when arbitrary writing is allowed by the Windows Print Spooler. With this, the attacker can easily hack your system. They will be able to view, edit or delete your data, install programs, and much more.
The Threats To Your Cyber Security
The attacker can partake in various malicious actions against your system, such as:
- Installing a malicious printer driver
- Using the spooler to drop files remotely
- Using the spooler files to gain code execution
- Commanding the spooler to print at a privileged location, etc
Types of Vulnerabilities
The vulnerabilities are usually flaws or bugs in the spooler service that the attacker takes advantage of to hack the system. Here are the three most significant attacks that can occur:
The PrintDemon (CVE-2020-1048) - The PrintDemon is a bug in the Windows Print Spooler that allows attackers to install a backdoor if they have access to the execution of low-privilege codes. This backdoor is quite persistent and stays even after the vulnerability has been fixed.
However, this vulnerability requires the attacker to be logged into the system beforehand and cannot be initiated remotely.
DoS Vulnerability in Print Spoolers - Caused due to the SHD files within the spool ones, this vulnerability still isn’t fixed since it doesn’t meet the security standards, although it can lead to a DoS attack. Such an attack is simple to issue but can cause serious damage, such as memory corruption or system crashes.
For such attacks, the attacker creates a malicious file, which, when processed by the Print Spooler, causes the system to crash. It can be done by even the least privileged user and can render the service useless for all users. Furthermore, it also deletes all the print jobs that had queued up to this point, crashing again if restarted.
Interception of Information - The attacker can also use the spooler to sabotage the communication between the users, networks, and processes. They use the ReadPrinter and the WritePrinter to read and edit the content, and the most dangerous part is that this type of sabotage isn’t even noticeable. It seems to be coming from SYSTEM inside Spoolsv.exe and does not appear to be impersonated.
Methods For Upgrading Your Security Against Such Attacks
With the risk of potential attacks, it’s best to take precautionary measures beforehand. Here are three methods you can apply to prevent such attacks:
Hardening the Print Spooler - Most vulnerabilities are patched up once detected, but that does not always provide the desired security. This is where hardening comes into play.
The print spooler settings need to be adjusted to harden the unnecessary servers. If the operating system’s settings were not previously adjusted, the print spooler would be on the Automatic settings. This mode is easily accessible to the attacker and is vulnerable to privilege escalation if left unpatched. Even if it has been patched, the possibility of a DoS attack remains.
In order to secure the network through hardening, this setting is disabled for all machines except those for which the service is necessary, such as the print servers. But even for these machines, the mode is set to “Not Defined.”
However, this method is time-taking and risky for more complex networks since it needs to be made sure that only the unrelated servers are hardened because the flow of the network could be damaged otherwise.
Another drawback to such a restriction is that you lose the ability to perform print pruning. To resolve this issue, you might have to prune manually or via an automation script.
Identifying Malicious Files - Malicious files are often embedded in a sea of regular files and are disguised to avoid detection. There are, however, a few characteristics that make them stand out. Here is how to look for them.
Scan for any file-based ports. This can be done through the PowerShell command “Get-PrinterPort.” It will get you information on all the printer ports installed on the specified computer. You can also go to a certain register key to see what is listed there.
You will be looking for any printer files with certain path file names in them, especially if they have extensions such as .dll or .exe. If you have such a printer listed, look into its function and replace it if possible because it would be an easy target for the attacker.
Creating Group Policies - Another way of increasing your security against such attacks is to establish a Group Policy that prevents the non-privileged users from accessing the Windows Print Spooler and only allows them the print function.
Conclusion
Although spooling makes tasks easier to store and faster to execute, its software has several openings that leave your network vulnerable to attacks. To ensure the security of your network, look into your print spoolers as well so they don’t remain as weak links in your security protocol.
Originally published at SecJuice
Deepak Gupta