Windows Print Spooler Service - A turbulent history

Introduction

The Print Spooler is the Microsoft Windows service that manages print jobs. Its executable is spoolsv.exe, and the service is enabled by default on most Microsoft Windows systems.

It has been affected by a large number of vulnerabilities in recent years, and it was the propagation vector of the Stuxnet virus developed by the United States. Given the number of vulnerabilities found in this service, which is enabled by default, and its exploitation by state actors, one may wonder whether its activation by default is intentional.

A large number of new critical vulnerabilities have been disclosed recently; CVE-2021-1675 (also known as PrintNightmare) and CVE-2021-34527 are only the most publicized of them.

Here is the list of known vulnerabilities on the print spooler service with details year by year:


Vulnerabilities disclosed in 2021

CVE-2021-41333 - Local Privilege Escalation Vulnerability (LPE)

This vulnerability allows local attackers to escape the low integrity sandbox on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Print Spooler service. The service can be abused to create an arbitrary file. An attacker can leverage this vulnerability to execute code in the context of the current user at medium integrity.

CVE-2021-41332 - Information Disclosure Vulnerability

Windows Print Spooler Information Disclosure Vulnerability

CVE-2021-40447 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-38667, CVE-2021-38671.

CVE-2021-38671 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-38667, CVE-2021-40447.

CVE-2021-38667 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-38671, CVE-2021-40447.

CVE-2021-36958 - Remote Code Execution Vulnerability (RCE)

Windows Print Spooler Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-36936, CVE-2021-36947.

CVE-2021-36947 - Remote Code Execution Vulnerability (RCE)

Windows Print Spooler Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-36936, CVE-2021-36958.

CVE-2021-36936 - Remote Code Execution Vulnerability (RCE)

Windows Print Spooler Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-36947, CVE-2021-36958.

CVE-2021-34527 - (PrintNightmare) Remote Code Execution Vulnerability (RCE)

When adding a new printer driver over RPC (RpcAsyncAddPrinterDriver of MS-PAR or RpcAddPrinterDriverEx of MS-RPRN), a client has to provide several parameters to the Print Spooler service:

  • pDataFile - The path to a data file for this printer
  • pConfigFile - The path to a configuration file for this printer
  • pDriverPath - The path to the printer’s driver file to use while it’s working.

The service performs several checks to ensure that pDataFile and pDriverPath are not UNC paths, but there is no corresponding check for pConfigFile. As a result, the service copies a configuration DLL supplied as a UNC path into the folder %SYSTEMROOT%\system32\spool\drivers\x64\3\ (on x64 versions of the OS).

If a client then calls the same method again, this time setting pDataFile to the path of the DLL copied in the previous step, the service loads that DLL: its path is a local path rather than a UNC path, so the check passes. These methods can be called by a low-privileged account, and the DLL is loaded by the spooler process running as NT Authority\System.

CVE-2021-34483 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2021-34481 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2021-26878 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-1640.

CVE-2021-1695 - Local Privilege Escalation Vulnerability (LPE)

This vulnerability allows local malicious users to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Print Spooler service. By creating a directory junction, an attacker can abuse the Print Spooler service to create a file in an arbitrary location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.

CVE-2021-1695 Elevation of Privilege Vulnerability

CVE-2021-1675 - (PrintNightmare) Local Privilege Escalation Vulnerability (LPE)

The local version of PrintNightmare uses the same exploitation method as CVE-2021-34527, but the entry point function differs (AddPrinterDriverEx). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.

CVE-2021-1675 Remote Code Execution Vulnerability

An authenticated attacker calling AddPrinterDriverEx() (UUID: 12345678-1234-abcd-ef00-0123456789ab)

CVE-2021-1640 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-26878.


Vulnerabilities disclosed in 2020

CVE-2020-17042 - Remote Code Execution Vulnerability (RCE)

Windows Print Spooler Remote Code Execution Vulnerability

CVE-2020-17014 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2020-17001.

CVE-2020-17001 - Local Privilege Escalation Vulnerability (LPE)

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2020-17014.

CVE-2020-1337 - (PrintDemon 2) Local Privilege Escalation Vulnerability (LPE)

CVE-2020-1337 Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka ‘Windows Print Spooler Elevation of Privilege Vulnerability’.

CVE-2020-1070 - Local Privilege Escalation Vulnerability (LPE)

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka ‘Windows Print Spooler Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-1048.

CVE-2020-1048 - (PrintDemon) Elevation of Privilege Vulnerability

To exploit the CVE-2020-1048 Elevation of Privilege Vulnerability, unprivileged users can add a new printer port pointing to a file. Because of improper checks (there are client-side checks but no server-side checks), an attacker can point the printer port at privileged files and overwrite them when printing. This achieves an arbitrary file write as NT Authority\System on the file system. To elevate their privileges, an attacker could run the PowerShell command Add-PrinterPort -Name c:\windows\system32\ualapi.dll to create a printer port pointing to the User Access Logging DLL. The attacker can then print a custom DLL to this printer port and execute code as NT Authority\System.

CVE-2020-1030 - Local Privilege Escalation Vulnerability (LPE)

To exploit the CVE-2020-1030 Elevation of Privilege Vulnerability, unprivileged users need to chain several primitives to load an arbitrary DLL into the Print Spooler process. This results in arbitrary code execution as NT Authority\System.


Vulnerabilities disclosed in 2019

CVE-2019-0759 - Information Disclosure Vulnerability

An information disclosure vulnerability exists when the Windows Print Spooler does not properly handle objects in memory, aka ‘Windows Print Spooler Information Disclosure Vulnerability’.


Vulnerabilities disclosed in 2016

CVE-2016-3238 - Remote Code Execution Vulnerability (RCE)

To exploit the CVE-2016-3238 Remote Code Execution Vulnerability, an attacker must be able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network. The Windows Print Spooler service does not properly validate print drivers when installing the driver from a remote server, therefore allowing arbitrary code to be executed on the target system.

CVE-2016-3239 - Local Privilege Escalation Vulnerability (LPE)

A local user can run a specially crafted program to exploit a flaw in the Windows Print Spooler service and write an arbitrary file on the target system. This can be exploited to execute arbitrary code on the target system from a local account.

CVE-2016-3239 Elevation of Privilege Vulnerability


Vulnerabilities disclosed in 2013

CVE-2013-1339 - Remote Code Execution Vulnerability (RCE)

The Print Spooler in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly manage memory during deletion of printer connections, which allows remote authenticated users to execute arbitrary code via a crafted request, aka “Print Spooler Vulnerability.”

CVE-2013-0011 - Remote Code Execution Vulnerability (RCE)

The Print Spooler in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted print job, aka “Windows Print Spooler Components Vulnerability.”


Vulnerabilities disclosed in 2012

CVE-2012-1851 - Remote Code Execution Vulnerability (RCE)

Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted response, aka “Print Spooler Service Format String Vulnerability.”


Vulnerabilities disclosed in 2010

CVE-2010-2729 - Remote Code Execution Vulnerability (RCE)

The Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when printer sharing is enabled, does not properly validate spooler access permissions, which allows remote attackers to create files in a system directory, and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010, aka “Print Spooler Service Impersonation Vulnerability.”


Vulnerabilities disclosed in 2009

CVE-2009-0230 - Remote Code Execution Vulnerability (RCE)

The Windows Print Spooler in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 allows remote authenticated users to gain privileges via a crafted RPC message that triggers loading of a DLL file from an arbitrary directory, aka “Print Spooler Load Library Vulnerability.”

CVE-2009-0229 - Arbitrary File Read (AFR)

The Windows Printing Service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 allows local users to read arbitrary files via a crafted separator page, aka “Print Spooler Read File Vulnerability.”

CVE-2009-0228 - Remote Code Execution Vulnerability (RCE)

Stack-based buffer overflow in the EnumeratePrintShares function in the Windows network print provider (win32spl.dll) of the Print Spooler in Microsoft Windows 2000 SP4 allows remote print servers to execute arbitrary code via a crafted ShareName in a response to an RPC request, related to “printing data structures”.


Vulnerabilities disclosed in 2006

CVE-2006-6296 - Denial of Service (DoS)

The RpcGetPrinterData() (uuid: 12345678-1234-abcd-ef00-0123456789ab, opnum 26) function in the Print Spooler (spoolsv.exe) service in Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier, allows remote attackers to cause a denial of service (memory consumption) via an RPC request that specifies a large ‘offered’ value (output buffer size), a variant of CVE-2005-3644.


Vulnerabilities disclosed in 2005

CVE-2005-1984 - Remote & Local Privilege Escalation Vulnerability (RCE & LPE)

A remote or local authenticated attacker can trigger a buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003. This allows attackers to execute arbitrary code as NT Authority\System via a malicious message.


Vulnerabilities disclosed in 1999

CVE-1999-0899 - Local Privilege Escalation Vulnerability (LPE)

A local user can load custom code as a print provider, because of incorrect permissions in Windows NT 4.0 print spooler. Because print providers run as NT Authority\System, this would allow the user to escalate to system privileges on the machine. This vulnerability cannot be exploited remotely.

CVE-1999-0898 - Remote Code Execution Vulnerability (RCE)

A remote authenticated attacker can exploit this vulnerability by triggering a buffer overflow in the Windows Print Spooler process via a malformed spooler request. This allows the attacker to execute arbitrary code on the machine as NT Authority\System. Most of the API calls require Administrator rights, but at least one can be called by a normal user.

Mitigations

To mitigate these vulnerabilities, it is strongly recommended to disable the Print Spooler service on servers that do not use it.
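One way to apply that recommendation across a server fleet, as an added example that is not part of the original article: the script below reports the Spooler state, refuses to touch hosts that share printers (the assumption used here for "servers that use it"), and otherwise stops and disables the service and verifies the result. Run it as Administrator; Get-Printer requires the PrintManagement module (Windows 8 / Server 2012 and later).

```powershell
# Added example: audit and disable the Print Spooler on hosts that do not serve printing.
# Assumption: a host with no shared printers does not need the service.

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host "Spooler status: $($svc.Status), start type: $($svc.StartType)"

# Shared printers mean this machine acts as a print server: report and leave it alone.
$shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
if ($shared.Count -gt 0) {
    Write-Warning "Host shares $($shared.Count) printer(s); review before disabling Spooler:"
    $shared | Select-Object Name, ShareName, DriverName | Format-Table -AutoSize
    return
}

# No shared printers: stop the service if it runs, then prevent it from starting again.
if ($svc.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
}
Set-Service -Name Spooler -StartupType Disabled

# Verify the end state so that a failed change is not silently reported as success.
$after = Get-Service -Name Spooler
if ($after.Status -ne 'Stopped' -or $after.StartType -ne 'Disabled') {
    throw "Spooler is still $($after.Status) with start type $($after.StartType)"
}
Write-Host "Spooler stopped and disabled."
```

A disabled Spooler also blocks local printing on that host, so the shared-printer check is a minimum, not a full inventory of print dependencies.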
