Wednesday, March 9, 2022

Micropatches for "SpoolFool" Print Spooler Elevation of Privilege (CVE-2022-21999)

by Mitja Kolsek, the 0patch Team


Security researcher Oliver Lyak published a detailed analysis of a local privilege escalation vulnerability in Windows Print Spooler (CVE-2020-1030), which they had previously reported to Microsoft in November 2021, and a fix for which was included three months later with February 2022 Windows Updates. (Thanks to Cliff Featherstone for pointing out we can't do math as we originally stated this was 15 months later.)

Vulnerability CVE-2022-21999, nicknamed "SpoolFool", complements numerous previously found issues in Windows Print Spooler, and like many of those, uses symbolic links to trick the Print Spooler service running with System privileges into doing something with file system that benefits the local attacker.

In this case (see proof-of-concept), the attacker makes the Print Spooler service change permissions of an attacker-chosen folder on the computer such that everyone can create files in it. It does so by creating a printer (any user can do that by default on a Windows workstation) with its own dedicated spooler folder. When Print Spooler service is restarted, it checks every printer's spooler folder to make sure it's there and properly set up - if the folder doesn't exist, the service creates it, and if the folder doesn't allow all users to write to it, it sets everyone-write permissions on it.

Oliver noticed that creating a symbolic link from a printer's spooler folder to some system folder results in Print Spooler service setting such permissions to said system folder, thus allowing the attacker to create arbitrary files there. Having this capability, the attacker can get their own executable launched by some system process.

Microsoft's patch changed the behavior of Print Spooler service such that upon restart, it no longer creates a spooler folder or change its permissions, thus redirecting printers with misconfigured spooler folders to the default spooler folder. Our micropatch does effectively the same.

The micropatch was written for the following Windows versions that don't receive official patches from Microsoft:

  1. Windows 10 v1803 updated to May 2021
  2. Windows 10 v1809 updated to May 2021
  3. Windows 10 v2004 updated to December 2021
  4. Windows 7 updated with ESU year 2, ESU year 1 or updated to January 2020
  5. Windows Server 2008 R2 updated with ESU year 2, ESU year 1 or updated to January 2020

This micropatch has already been distributed to all online 0patch Agents with a PRO or Enterprise license. To obtain the micropatch and have it applied on your computers along with our other micropatches, create an account in 0patch Central, install 0patch Agent and register it to your account with a PRO or Enterprise subscription. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch. 

To learn more about 0patch, please visit our Help Center

We'd like to thank Oliver Lyak for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.

No comments:

Post a Comment