Maddie Stone and James Forshaw

The Print Spooler Bug that Wasn’t in the Print Spooler

Abstract

It all started with a “Print Spooler” 0-day privilege escalation, CVE-2022-41073. On investigation, the fix in the spooler was almost trivial; however, based on issues Project Zero had discovered in the past, it was clear that the real vulnerability was inside the Windows DLL loader. Understanding the fix required a deeper dive into the internals of the loader and the role CSRSS plays in handling side-by-side assemblies, leading to the discovery of a series of not-quite-complete patches.

This talk takes you through the process of root-causing an in-the-wild “Print Spooler” bug: from patch diffing, to finding an exploit sample, to diving into months of changes within the Windows DLL loader. The result was identifying a Project Zero bug from 2019 that might have been the first variant of the 2022 vulnerability exploited in the wild.

We’ll give a primer on Windows Activation Contexts and the evolution of bugs in the area. We’ll look into a series of related bugs going back many years, including three that were known to be actively exploited. We’ll also detail the many iterative fixes that Microsoft deployed which led to so many bugs, making this a prime attack surface. Finally, we’ll go over the new mitigations that Windows added in late 2022 and early 2023.

BIO

Maddie Stone

Maddie Stone (@maddiestone) is a Security Researcher on Google Project Zero, where she focuses on 0-days actively exploited in the wild. Over the past three years, Maddie has led efforts on tracking, detection, and analysis of these in-the-wild 0-days. She has found vulnerabilities in many major platforms, including Safari, Chrome, Android, and Windows. Previously, she was a reverse engineer and team lead on the Android Security team.

James Forshaw

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years, looking at a range of different platforms and applications. With a great interest in logical vulnerabilities, he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences, including Black Hat USA, CanSecWest, BlueHat, HITB, and Infiltrate. He’s also the author of the book “Attacking Network Protocols”, available from No Starch Press.