Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The DEFCON talk starts with a good background on how printers are used, how to communicate with printers and a lot of good knowledge about printer interaction on the computer. In Windows, Printer Spooler Service.

Why attack the Printer Spooler service? It has System level privileges, has networking tasks and loads many third-party libraries. Additionally, it is 25 years old and has not been really touched in years. These are all great reasons to attack the Printer!

The attack that the talks goes with into is asks the following question: can a malicious printer take control of a computer? A CVE published in 2016 essentially allowed for this printer drivers were automatically being added without user consent. The fix simply adds a user consent check, which pops up a screen to click yes or no on.

The mechanism used to download printer drivers is set by the printer itself! This large set of attributes is sent over prior to deciding what to do with the printer on Windows. Can this be abused?

The CVE from 2016 can be bypassed by setting some of the attributes to particular values! The code hits a different path that just circumvents the dialog check entirely.

Once the consent check was removed, they discovered that .cab files are used for the sending over of printer drivers (which is just a Windows archiving format). Upon reverse engineering the cabinet APIs, a directory traversal was discovered via the Copying API. The API checks for '..\' but NOT '../'.

With the directory traversal, the attacker can write to any location with root privileges. This leads to code execution with ease.

Microsoft Edge also has a sandbox for which processes can access it. The printer is one them. So, the printer service could actually alter the sandbox for Edge because of this.