CVE CyberSecurity Database News

CVE-2023-24887 - Unpacking the Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

Poster -

When you print documents using Windows, you probably don’t think about your printer drivers. But not all is safe in print paradise. In early 2023, a critical bug was found in Microsoft’s built-in printer drivers that could let hackers take over your computer – all without your knowledge. This vulnerability is tracked as CVE-2023-24887. In this exclusive long read, you’ll learn what happened, why it matters, and how attackers could exploit this flaw. We’ll also explore example code snippets and link out to the most important references.

What is CVE-2023-24887?

CVE-2023-24887 is a Remote Code Execution (RCE) vulnerability in the Microsoft Windows PostScript and PCL6 Class Printer Driver. It was discovered by Microsoft and published as part of their March 2023 Patch Tuesday release.

Affected Systems:

Windows Server 2016, 2019, 2022

The core issue is in the handling of certain malicious print jobs sent to the vulnerable class printer drivers. When processed, these print jobs can execute harmful code on your system under the SYSTEM account, giving attackers complete control.

Why Is This Dangerous?

PostScript and PCL6 are standard languages that a lot of printers use. To make printing easy, Microsoft bundles default drivers for these languages in Windows.

…your PC could get infected.

Remote Code Execution (RCE) means a hacker could install programs, steal data, or move laterally to other devices on your network. Scary stuff.

2. Exploit Scenario

An attacker creates a malicious print job (using PostScript or PCL6, depending on the printer class) and sends it to a shared printer, or convinces a victim to print a dangerous file.

Vulnerability type:  
According to Microsoft, the vulnerability arises from improper parsing of malicious printer files, leading to buffer overflows or unsafe memory writes.

Craft a Malicious PostScript File

PostScript is essentially code. If the driver fails to sandbox or restrict what PostScript code can do, it could process harmful commands. The attacker includes code that overflows a buffer.

Snippet: Malicious PostScript (Proof of Concept)

%!PS-Adobe
%%Title: CVE-2023-24887 PoC
%%BoundingBox:   100 100
%%EndComments
/Buffer 100 string def
 1 500 { Buffer exch (A) put } for % Writes 500 bytes instead of 100 – overflow
showpage

*Note: The actual proof-of-concept is more complex, but you get the idea: intentionally writing outside the buffer boundary.*

Local: Victim double-clicks a malicious file or drag-and-drops it into the print dialog.

- Remote: Attacker sends file to a network-shared printer or intercepts network traffic to inject the job.

Achieve Code Execution

When the vulnerable driver tries to process the file, it hits the overflow, overwrites the stack, and executes attacker’s payload (which could open a reverse shell or download malware).

Exploit Power

Because print spooler services often run as SYSTEM, this exploit gives attackers full control over the victim's machine.

1. Patch Immediately

Microsoft fixed this on March 14, 2023. Make sure your Windows computers are up to date.

Reference:  
- Microsoft Official Advisory for CVE-2023-24887

3. Isolate Print Servers

Don’t use your print server on the same machine as sensitive services.

4. Disable Unnecessary Drivers

Remove unused or legacy printer drivers (like PS Class or PCL6) if you don’t need them.

Responsible Disclosure

At the time of writing, publicly available exploit code is limited, but researchers have demonstrated proof-of-concept attacks in restricted environments. Out of caution, detailed weaponized exploits are not openly published. Microsoft's patch closes the hole tightly, so update all Windows machines!

References & Resources

- Microsoft CVE-2023-24887 Guidance
- NIST National Vulnerability Database: CVE-2023-24887 Entry
- Printer Exploitation Basics for Windows
- Intro to PostScript Attacks

Final Thoughts

Even humble printer drivers can have bugs with serious consequences. CVE-2023-24887 shows why applying security updates – and not trusting untrusted print jobs – is important for everyone.

If you run shared printers or manage a Windows fleet, patching is critical. Don’t let a simple print job put your whole network at risk.

Timeline

Published on: 04/11/2023 21:15:00 UTC
Last modified on: 04/14/2023 15:02:00 UTC