
New Video from @BlackHatOfficialYT Explores Vulnerabilities in Windows Printer Drivers
In this video, Jun Pong (Edward Pong on Twitter) and his colleague Joan Y, both security researchers, explore vulnerabilities in Windows printer drivers. Jun Pong is an associate professor at Huajong University of Science and Technology and a security researcher at Cyberwin, with extensive vulnerability-research and bug-hunting experience in both academia and industry.

The video opens with an introduction to the Windows print spooler service, the system service that queues documents sent to a printer. The spooler does more than manage print queues: it also exposes functionality for adding, removing and configuring printers and for managing print jobs. It runs with SYSTEM privileges and can be reached both locally and over RPC from remote hosts, which makes it an attractive target.

The researchers note that the spooler has been a major source of vulnerabilities over the years. PrintNightmare, for example, achieved remote code execution through an incorrect authorization check in the spooler's RPC interface, which let an authenticated user install an attacker-supplied printer driver DLL. Microsoft has since shipped patches and mitigations, but the researchers went back into the spooler looking for new bugs and chose a different attack surface: the rendering code in Windows printer drivers.

Printer drivers render documents before printing. In the XPS-based print pipeline the spooled document is an XPS (XML Paper Specification) package, and the driver's render filter has to parse it together with the resources it embeds, such as fonts and ICC (International Color Consortium) colour profiles. The researchers identified that parsing as a rich source of bugs and found several CVEs (Common Vulnerabilities and Exposures) in printer driver rendering, covering both remote code execution and local privilege escalation.

They describe in detail how they used fuzzing to find these bugs: WinAFL and WinAFL-Cov were used to fuzz the drivers, and the crashes uncovered flaws in font processing and ICC profile handling.
They also automated the generation of XPS files to feed the drivers with test inputs. Beyond Microsoft's own printer drivers, they examined third-party drivers and found vulnerabilities in those as well. They note that Microsoft has introduced a new protected printing mode that runs printing with reduced privileges and blocks the loading of third-party modules, which shrinks the attack surface. In closing, the researchers stress that the print spooler should be disabled wherever it is not needed: despite Microsoft's hardening work it remains a major source of vulnerabilities. The video is a useful look at how vulnerability researchers work and a reminder that even heavily studied components can still hide critical flaws.
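The talk describes automated XPS generation and fuzzing of the font and ICC-profile code in driver render filters. The script below is an added example, not the researchers' tooling and not code from the video. It builds a minimal XPS package (an OPC zip with the parts the spec requires) whose single FixedPage references an embedded font and an ICC profile, then produces seed variants in which only the binary resources are mutated, so the package still parses and the driver's font and colour-profile parsers are actually reached. The part names, the stub font and the stub profile are constructed placeholders (assumptions): a real campaign would substitute genuine .ttf/.odttf and .icc files and hand the seeds to WinAFL against the target filter DLL, which this script does not do.

```python
"""Structure-aware XPS seed generator (added example; part names and the
stub font/ICC bytes are constructed placeholders, not real resources).
Only the embedded resources are mutated, never the XML skeleton, so the
OPC/XPS layer accepts the file and the font / ICC parsers get exercised."""
import io
import random
import zipfile

XPS = "http://schemas.microsoft.com/xps/2005/06"
OPC_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
OPC_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
FONT_PART = "/Resources/Fonts/seed.ttf"       # assumed part names
ICC_PART = "/Resources/Profiles/seed.icc"

CONTENT_TYPES = f"""<?xml version="1.0" encoding="utf-8"?>
<Types xmlns="{OPC_CT}">
 <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
 <Default Extension="fdseq" ContentType="application/vnd.ms-package.xps-fixeddocumentsequence+xml"/>
 <Default Extension="fdoc" ContentType="application/vnd.ms-package.xps-fixeddocument+xml"/>
 <Default Extension="fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml"/>
 <Default Extension="ttf" ContentType="application/vnd.ms-opentype"/>
 <Default Extension="icc" ContentType="application/vnd.ms-color.iccprofile"/>
</Types>"""
ROOT_RELS = f"""<Relationships xmlns="{OPC_REL}">
 <Relationship Id="rId1" Type="{XPS}/fixedrepresentation" Target="/FixedDocumentSequence.fdseq"/>
</Relationships>"""
FDSEQ = f'<FixedDocumentSequence xmlns="{XPS}"><DocumentReference Source="/Documents/1/FixedDocument.fdoc"/></FixedDocumentSequence>'
FDOC = f'<FixedDocument xmlns="{XPS}"><PageContent Source="/Documents/1/Pages/1.fpage"/></FixedDocument>'
PAGE_RELS = f"""<Relationships xmlns="{OPC_REL}">
 <Relationship Id="rId1" Type="{XPS}/required-resource" Target="{FONT_PART}"/>
 <Relationship Id="rId2" Type="{XPS}/required-resource" Target="{ICC_PART}"/>
</Relationships>"""

# Constructed stubs so the script runs offline; replace with real files to fuzz.
FONT_STUB = bytes.fromhex("00010000" + "0000" * 4)   # sfnt header, zero tables

def constructed_icc_stub() -> bytes:
    hdr = bytearray(128)                   # ICC v2 header layout, nothing more
    hdr[0:4] = (132).to_bytes(4, "big")    # profile size: header + empty tag table
    hdr[8:12] = b"\x02\x10\x00\x00"        # version 2.1
    hdr[12:16] = b"prtr"                   # device class: output device
    hdr[16:20] = b"CMYK"                   # data colour space (4 channels)
    hdr[20:24] = b"XYZ "                   # profile connection space
    hdr[36:40] = b"acsp"                   # profile file signature
    return bytes(hdr) + (0).to_bytes(4, "big")
ICC_STUB = constructed_icc_stub()

def build_xps(font: bytes, icc: bytes) -> bytes:
    """One FixedPage: Glyphs forces the font parser, ContextColor (alpha +
    four CMYK channels, matching the profile) forces the ICC parser."""
    page = f"""<FixedPage xmlns="{XPS}" xml:lang="en-US" Width="816" Height="1056">
 <Glyphs FontUri="{FONT_PART}" FontRenderingEmSize="24" OriginX="48" OriginY="96"
   Fill="#ff000000" UnicodeString="Hello printer"/>
 <Path Fill="ContextColor {ICC_PART} 1.0,0.0,1.0,1.0,0.0" Data="M 48,150 L 400,150 400,300 48,300 Z"/>
</FixedPage>"""
    parts = {
        "[Content_Types].xml": CONTENT_TYPES,
        "_rels/.rels": ROOT_RELS,
        "FixedDocumentSequence.fdseq": FDSEQ,
        "Documents/1/FixedDocument.fdoc": FDOC,
        "Documents/1/Pages/1.fpage": page,
        "Documents/1/Pages/_rels/1.fpage.rels": PAGE_RELS,
        FONT_PART[1:]: font,
        ICC_PART[1:]: icc,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data if isinstance(data, bytes) else data.encode())
    return buf.getvalue()

def mutate(blob: bytes, rng: random.Random, edits: int = 8) -> bytes:
    """Same-length mutation: bit flips plus boundary bytes aimed at the
    length/offset fields that font and ICC parsers tend to trust."""
    out = bytearray(blob)
    for _ in range(edits):
        i = rng.randrange(len(out))
        if rng.random() < 0.25:
            out[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        else:
            out[i] ^= 1 << rng.randrange(8)
    return bytes(out)

def generate_corpus(font: bytes, icc: bytes, count: int, seed: int = 1) -> list:
    """Index 0 is the unmodified baseline; each later seed mutates exactly one
    resource, so a crash can be attributed to the font or the profile parser."""
    rng = random.Random(seed)
    corpus = [build_xps(font, icc)]
    for i in range(count):
        if i % 2 == 0:
            corpus.append(build_xps(mutate(font, rng), icc))
        else:
            corpus.append(build_xps(font, mutate(icc, rng)))
    return corpus

def parts_of(xps: bytes) -> dict:
    """Read back every part of a package (used to verify the output)."""
    with zipfile.ZipFile(io.BytesIO(xps)) as z:
        return {n: z.read(n) for n in z.namelist()}
```

To write a corpus to disk, loop over `generate_corpus(FONT_STUB, ICC_STUB, 200)` and save each entry as `seed_NNN.xps`; point WinAFL's harness at the driver's render filter and use that directory as the input corpus. Keeping the XML skeleton fixed is the deliberate design choice here: an XPS whose package or markup is malformed is rejected before the driver ever opens the font or the profile, so mutating only the resources spends fuzzing budget on the code the talk found bugs in.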