In this webcast, we will recap the journey of discovering and analyzing 3 Windows 10 Print Spooler 0-day vulnerabilities. We will follow up our research with the updated 2021 discoveries (by the InfoSec community) of new vulnerabilities. In 2010, Stuxnet, the most powerful malware in the world, revealed itself, causing physical damage to Iranian nuclear enrichment centrifuges. In order to reach Iran's centrifuges, it exploited a vulnerability in the Windows Print Spooler service and gained code execution as NT AUTHORITY\SYSTEM.
Due to the hype around this critical vulnerability, we (and probably everyone else) were pretty sure that this attack surface would no longer exist a decade later. We were wrong...
The first clue was that 2 out of the 3 vulnerabilities involved in Stuxnet were not fully patched. The same was true of the 3rd vulnerability used in Stuxnet, which we were able to exploit again in a different manner.
It appears that Microsoft has barely changed the code of the Windows Print Spooler mechanism over the last 20 years.
We started to investigate the Print Spooler mechanism in the latest Windows 10 Insider build and discovered two 0-day vulnerabilities, one providing LPE as SYSTEM and the other Denial-of-Service. The first one can also be used as a new, previously unknown persistence technique.
In this webcast, we will present:
- Stuxnet's past vulnerabilities and how they were partially patched (even multiple times)
- Our research - The analysis of 3 vulnerabilities in the Windows Print Spooler (DoS, EoP and first patch bypass leading to EoP)
- Spooler Vulns Evolution (Since our Black Hat 2020 Presentation)
- A detailed explanation of how we bypassed the first EoP vuln patch
- 2021 - Printing is still the Stairway to Heaven
- Second EoP patch bypass - We will describe the vulnerability and how Microsoft patched it.
- From EoP to RCE