Introduction: Fooling with SpoolFool
On February 08, 2022, Microsoft published updates for CVE-2022-21999 as part of its Patch Tuesday program. This vulnerability affects the Windows Print Spooler service and is a workaround for CVE-2022-1030 fixes.
The vulnerability (CVE-2022-21999), which has a CVSS score of 7.8 (High), allows the attacker elevated rights if exploited successfully. It will, however, require an initial foothold in the system since it is a local privilege escalation vulnerability.
Background: History Repeats!
Microsoft addressed a privilege escalation vulnerability in Windows Print Spooler in May 2020. Microsoft acknowledged Peleg Hadar and Tomer Bar of SafeBreach Labs for reporting the security problem, which was assigned CVE-2020–1048. Yarden Shafir and Alex Ionescu published a technical write-up of the vulnerability on the same day as the patch was released. In essence, a user could create a printer port that pointed to a file on a disc and write to it. Once the vulnerability (CVE-2020-1048) is fixed, the Print Spooler would check if the user has permission to create or write to the file before creating a port.
Paolo Stagno discreetly provided a bypass for CVE-2020-1048 to Microsoft a week after the patch was released. Three months later, in August 2020, the bypass was patched, and Microsoft thanked eight different organizations for reporting the issue, which was designated as CVE-2020-1337. To get around the vulnerability’s security check, the bypass employed a directory junction (symbolic link).
Symbolic Link
A symbolic link, also known as a soft link, is a type of file similar to a Windows shortcut or a Macintosh alias, links to another file. A symbolic link, unlike a hard link, does not include the data in the target file. It merely refers to another location in the file system. This distinction confers on symbolic link properties that hard links lack, such as the ability to link to directories or files on remote machines connected through NFS. Furthermore, when you remove a target file, symbolic links to it become worthless, but hard-links keep the file’s contents.
Fig-1: Created a Hard Link to a file
Fig-2: Created a Symbolic Link
CVE-2020–1048 and CVE-2020–1337, respectively, were fixed in May and August 2020. Microsoft addressed a separate issue in the Print Spooler in September 2020. In summary, by specifying the SpoolDirectory property on a printer, users were able to establish arbitrary and readable directories. What was the purpose of the patch? Before establishing the SpoolDirectory attribute on a printer, the Print Spooler would now verify if the user had permission to create the directory.
Global Exposure Analysis
A quick search in Shodan for “pjl” and port 9100 reveals that over 17000 instances are potentially exposed to this vulnerability, South Korea and the United States being the top two in the list.
Note: Pjl stands for Printer Job Language and port 9100 is the port on which many printers run by default.
Heat Maps from Shodan Report
CSW – Client Timeline
In the past, CSW has found these type of vulnerabilities and alerted clients about their systems being at the risk of exploitation, and helped them patch the vulnerability in time to avoid potential compromise.
Stitch the Patch!
This issue (CVE-2022-21999) affects not only Windows 11, 10, 8.1, and 7, but also Windows Server 2008, 2012, 2016, and 2019. Check out the comprehensive list of known vulnerable software configurations here.
To prevent havoc with your print spooler service, Microsoft has provided updates, therefore update your systems as soon as possible. Patch Now!
That is all there is to it. Microsoft has issued an official fix. The Windows Error Reporting Service (WER) is misused to attack an arbitrary directory creation primitive, according to this article by Jonas L from Secret Club. The method, however, did not appear to operate dependably on a Windows 10 PC. The SplLoadLibraryTheCopyFileModule, on the other hand, is quite trustworthy, but it does presume that the user can operate a printer, which is already the case for this vulnerability.
The print spooler has been in the center of this storm for a while now, and it appears like there will be some time before there is any indication of relief, or at least that’s what Oliver Lyan’s foreboding “to be continued…” at the end of his piece seems to imply.
CSW’s Vulnerability Management as a Service (VMaaS) offers full coverage encompassing your entire IT landscape and detects, prioritizes, fixes vulnerabilities on your organizational infrastructure and provides access to the award-winning Risk-Based Vulnerability Management platform to view all your desired results in real-time.
To know more about CSW’s Vulnerability Management as a Service (VMaaS),
Please click here.