Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer

Conference: BlackHat USA 2021



The presentation discusses the vulnerabilities in the spooler service and the potential risks it poses to computer systems. It also highlights the importance of disabling the spooler service if it is not needed.
  • The spooler service has both logic and memory corruption bugs that make it a dangerous attack surface.
  • The vulnerabilities in the spooler service can allow attackers to write arbitrary content into arbitrary files.
  • The presentation provides an anecdote about how a logical bug in the printing process can lead to arbitrary file writing issues.
  • Microsoft has released a patch to fix some of the vulnerabilities in the spooler service, but there are still risks associated with it.
  • The presentation recommends disabling the spooler service if it is not needed to prevent potential attacks.
The presentation provides an example of how a logical bug in the printing process can lead to arbitrary file writing issues. If a user adds a print job to the print queue but forgets to zoom the print job and then restarts their computer, the shadow job in the print queue won't be deleted. If a user resumes this print job, the content of the print job will be written to the specified printer port. This can cause an arbitrary file write and a minor local privilege escalation (LPE).
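One way to act on the recommendation above, as an added example rather than material from the talk: a PowerShell audit that reports the Spooler service state, printer ports whose names are file paths, and shadow or spool files left in the queue, with an optional function to disable the service. The function names are hypothetical, and the script assumes the PrintManagement cmdlets and the default spool directory.

```powershell
# Added example: defensive audit of the Print Spooler on the local Windows host.
# Assumes the PrintManagement module (Get-Printer, Get-PrinterPort) and the
# default spool directory. Run from an elevated prompt.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Ports whose name is a drive or UNC path: printing to them writes a file.
    # The printing cmdlets only answer while the spooler is running.
    $filePorts = @()
    $printers  = @()
    if ($svc.Status -eq 'Running') {
        $filePorts = @(Get-PrinterPort |
            Where-Object { $_.Name -match '^(?:[A-Za-z]:\\|\\\\)' })
        $printers  = @(Get-Printer |
            Where-Object { $filePorts.Name -contains $_.PortName })
    }

    # Shadow (.SHD) and spool (.SPL) files that survived a restart.
    # Default spool directory (assumption; it can be relocated).
    $spoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
    $leftover = @(Get-ChildItem -Path $spoolDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.SHD', '.SPL' })

    [pscustomobject]@{
        ServiceStatus  = $svc.Status
        StartType      = $svc.StartType
        FilePathPorts  = $filePorts.Name
        PrintersOnThem = $printers.Name
        LeftoverJobs   = $leftover.FullName
    }
}

function Disable-Spooler {
    # Apply the talk's recommendation on hosts that do not need to print.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

Get-SpoolerExposure | Format-List
# Disable-Spooler   # uncomment on hosts that do not print
```

Any entry under FilePathPorts or LeftoverJobs on a host that is not expected to print to files is worth reviewing before the spooler is left enabled.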


Ten years ago, an escalation of privilege bug in Windows Printer Spooler was used in Stuxnet, which is a notorious worm that destroyed the nuclear enrichment centrifuges of Iran and infected more than 45000 networks. In the past ten years, spooler still has an endless stream of vulnerabilities disclosed, some of which are not known to the world; however, they are hidden bombs that could lead to disasters. Therefore, we have focused on spooler over the past months and reaped fruitfully.

The beginning of the research is PrintDemon, from which we get inspiration. After digging into this bug deeper, we found a way to bypass the patch of MS. But just after MS released the new version, we immediately found a new way to exploit it again. After the story of PrintDemon, we realized that spooler is still a good attack surface, although security researchers have hunted for bugs in spooler for more than ten years. We started to explore the inner working of Printer Spooler and discovered some 0-day bugs in it. Some of them are more powerful than PrintDemon and easier to exploit, and the others can be triggered from remote, which could lead to remote code execution.