tags: #cve-analysis

CVE-2010-2729

Summary

when printer sharing is enabled, does not properly validate spooler access permissions, which allows remote attackers to create files in a system directory, and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010, aka "Print Spooler Service Impersonation Vulnerability." (NVD description; Microsoft bulletin MS10-061)

Depending on the configuration, the vulnerability allows a local or remote user to write arbitrary files into %SystemRoot%\system32 as SYSTEM. This happens because the spooler, which runs as LocalSystem, does not impersonate the requesting client before it creates the output file for a print job. Only a subset of Windows machines are remotely exploitable without credentials: a printer must be shared, and the attacker must be able to connect to the print share. On Windows XP that connection is anonymous (enabling printer sharing enables the Guest account), while Vista, Windows 7 and the server SKUs require a valid account, which is why MS10-061 is rated Critical for XP and Important for everything else.

Components affected

  • Windows Print Spooler
  • HTTP
  • RPC

Security Boundaries

Which security boundaries have been crossed?

  • User - A user cannot access or tamper with the code and data of another user without being authorized.
  • Network boundary - An unauthorized network endpoint cannot access or tamper with the code and data on a customer’s device.

Hashtags

connect CVE to a specific topic, event, theme or concept #rce #lpe #EoP #privFileWrite #printers #stuxnet #impersonation #rpc

Requirements

what stars needed to align?

  • A network shared printer (remote case); if the Guest account is enabled, as it is on Windows XP once printer sharing is on, no credentials are needed
  • User context - a local user can still trigger the bug if they are allowed to add a printer, because the spooler writes the job output as SYSTEM no matter who submitted it
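The following script is added to this note (it is not part of the original note or of any Microsoft tooling) and checks whether a host still meets these preconditions. It assumes that the MS10-061 update is KB2347290 and that the WMI classes Win32_Printer, Win32_UserAccount, Win32_Service and Win32_QuickFixEngineering are available, which holds on the affected Windows versions; the function name Test-MS10061Exposure is my own.

```powershell
# Added example (not from the original note): audit whether a host still
# satisfies the preconditions for CVE-2010-2729 / MS10-061.
# Assumptions: the MS10-061 update is KB2347290, and the WMI classes used
# below exist (true on the affected XP/2003/Vista/2008/7 SKUs).

function Test-MS10061Exposure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $wmi = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }

    # Precondition 1: the spooler must be running, and for the remote path
    # at least one printer must be shared.
    $spooler = Get-WmiObject @wmi -Class Win32_Service -Filter "Name='Spooler'"
    $shared  = @(Get-WmiObject @wmi -Class Win32_Printer | Where-Object { $_.Shared })
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.State -eq 'Running')

    # Precondition 2: can the print share be reached without credentials?
    # An enabled Guest account, or ForceGuest=1 (XP "simple file sharing",
    # which maps every network logon to Guest), makes the bug unauthenticated.
    $guest = Get-WmiObject @wmi -Class Win32_UserAccount `
        -Filter "LocalAccount=True AND Name='Guest'"
    $guestEnabled = ($null -ne $guest) -and (-not $guest.Disabled)

    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $lsa = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $forceGuest = ($null -ne $lsa) -and ($lsa.GetValue('ForceGuest', 0) -eq 1)
    $reg.Close()

    # Precondition 3: the fix is not installed.
    $fix = Get-WmiObject @wmi -Class Win32_QuickFixEngineering -Filter "HotFixID='KB2347290'"
    $patched = ($null -ne $fix)

    $hasShare = ($shared.Count -gt 0)

    [pscustomobject]@{
        ComputerName       = $ComputerName
        SpoolerRunning     = $spoolerRunning
        SharedPrinters     = (($shared | ForEach-Object { $_.ShareName }) -join ',')
        GuestEnabled       = $guestEnabled
        ForceGuest         = $forceGuest
        MS10061Installed   = $patched
        # Local EoP: any user allowed to add a printer reaches the spooler path.
        LocalExposure      = ($spoolerRunning -and -not $patched)
        # Remote, but the attacker needs an account that can submit jobs.
        RemoteAuthExposure = ($spoolerRunning -and -not $patched -and $hasShare)
        # The Stuxnet case: shared printer reachable as Guest, no credentials.
        RemoteAnonExposure = ($spoolerRunning -and -not $patched -and $hasShare -and
                              ($guestEnabled -or $forceGuest))
    }
}

# Usage: run on the host itself, or pass -ComputerName for a box that allows
# remote WMI and remote registry access.
Test-MS10061Exposure | Format-List
```

RemoteAnonExposure is the configuration that earned MS10-061 its Critical rating on Windows XP; on Vista and later the Guest account is disabled by default, so only RemoteAuthExposure and LocalExposure normally apply there. Win32_QuickFixEngineering only lists updates installed through Windows servicing, so a host patched by other means (for example an OS upgrade) should be confirmed by checking the spooler binary version against the bulletin's file manifest.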

Fundamental Issue / Root Cause

The Print Spooler service (spoolsv.exe) runs as LocalSystem and accepts print jobs over its RPC interface from any client that can open the printer. When the client supplies an output file name in the document info of the job, the spooler opens and writes that path itself, without impersonating the client, so the file is created with SYSTEM rights in a directory the client could never write to on its own. The missing impersonation (equivalently, the missing access check on a client-controlled path) is the root cause; the arbitrary file write into %SystemRoot%\system32 is the primitive that turns into code execution. Stuxnet used that write to drop a .mof file into %SystemRoot%\system32\wbem\mof, a directory whose contents the WMI service compiles, and so ran its payload as SYSTEM. Locally, any user permitted to add a printer reaches the same code path, which is the privilege-escalation case.

Best Fit Vulnerability Class (or CWE) for this CVE

Is this CVE the Root Cause or a Causal Factor? If not Root, what is?

Choose one:

  • root cause - underlying issue or fundamental reason of a problem or issue
  • causal factor - major contributor to an undesirable condition that if eliminated, would have either prevented the occurrence of the incident or reduced its severity or frequency

If causal, what is the fundamental issue?

Patch Info

Version

  • MS10-061 (KB2347290)
  • Date - 14 September 2010
  • Link - https://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-061

Treating a Symptom or Cure?