
A Decade After Stuxnet's Printer Vulnerability: Printing is still the Stairway to Heaven

Conference:  Defcon 28

2020-08-01

Summary

The presentation discusses the vulnerabilities found in Microsoft's Print Spooler service and proposes a mitigation solution through a mini filter driver.
  • The presentation reports on vulnerabilities found in Microsoft's Print Spooler service.
  • The vulnerabilities include local privilege escalation and denial of service attacks.
  • The presentation proposes a mitigation solution through a mini filter driver that restricts file write operations by limited users.
  • The mini filter driver is released as a proof of concept and caution is advised when using it in production systems.
  • Microsoft plans to address the vulnerabilities in an upcoming patch.
The presenters demonstrate the effectiveness of their mini filter driver by showing how it blocks a task scheduler exploit and prevents arbitrary file writes. They also provide a workaround for restarting the service and address concerns about false positives in their mini filter driver.

Abstract

In 2010, Stuxnet, the most powerful malware in the world, revealed itself, causing physical damage to Iranian nuclear enrichment centrifuges. In order to reach Iran's centrifuges, it exploited a vuln in the Windows Print Spooler service and gained code execution as SYSTEM. Due to the hype around this critical vuln, we (and probably everyone else) were pretty sure that this attack surface would no longer exist a decade later. We were wrong… The first clue was that 2 out of 3 vulns which were involved in Stuxnet were not fully patched. That was the case also for the 3rd vuln used in Stuxnet, which we were able to exploit again in a different manner. It appears that Microsoft has barely changed the code of the Print Spooler mechanism over the last 20 years. We investigated the Print Spooler mechanism of Windows 10 Insider and found two 0-day vulns providing LPE and DoS (the first one can also be used as a new persistence technique).
