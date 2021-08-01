



Researchers have created a remote print server that gives Windows users with limited privileges full control over their device simply by installing its print driver.

In June, security researchers accidentally disclosed a zero-day vulnerability in the Windows print spooler, dubbed PrintNightmare (CVE-2021-34527), that allows remote code execution and privilege escalation.

Microsoft released a security update to fix the vulnerability, but researchers quickly found a way to bypass the patch under certain conditions.

Since then, researchers have been devising new ways to exploit the vulnerability, and one researcher has now created an internet-accessible print server that lets anyone open a command prompt with administrator privileges.

Now anyone can get Windows SYSTEM privileges

Benjamin Delpy, security researcher and creator of Mimikatz, has been at the forefront of continued PrintNightmare research, releasing multiple exploit bypasses and updates that abuse the Windows API through a specially crafted printer driver.

To illustrate his work, Delpy created an internet-accessible print server at \\printnightmare[.]gentilkiwi[.]com that installs a print driver and launches a DLL with SYSTEM privileges.

At first, the launched DLL simply wrote a log file to the C:\Windows\System32 folder, which should only be writable by users with elevated privileges.

#printnightmare (ep 4.x) Want to test user-to-system service? (POC only, write log file to system32)

Connect to \\https://t.co/6Pk2UnOXaG - User: gentilguest - Password: Password

Open “Kiwi Legit Printer-x64” and then open “Kiwi Legit Printer-x64 (another one)” pic.twitter.com/zHX3aq9PpM

— Benjamin Delpy (@gentilkiwi) July 17, 2021

Some people did not believe that his first print driver actually ran with elevated privileges, so on Tuesday Delpy changed the driver to launch a SYSTEM command prompt instead.

With this new method, anyone, including a threat actor, can effectively gain administrative privileges simply by installing the remote print driver. Once you have administrator privileges on a machine, you can execute arbitrary commands, add users, and install arbitrary software, giving you complete control over the system.

This technique is especially useful to threat actors who compromise a network to deploy ransomware, as it provides quick and easy access to administrator privileges on a device, which can then be used to spread laterally across the network.

To test this technique, BleepingComputer installed Delpy's print driver on a fully patched Windows 10 21H1 PC as a user with "standard" (restricted) privileges.

As you can see, once I installed the printer and disabled Windows Defender's detection of the malicious printer driver, a command prompt opened with full SYSTEM privileges on my computer.

When I asked Delpy whether threat actors were exploiting his print server, he said that one of the main reasons he created it was to put pressure on Microsoft to "prioritize" fixing the bug.

He also said it is impossible to determine which IP addresses belong to researchers and which to threat actors. However, he has firewalled a Russian IP address that appeared to be abusing the print server.

Mitigating the new print driver exploit

Because anyone can use this remote print server on the internet to gain SYSTEM-level privileges on Windows devices, there are several ways to mitigate the vulnerability.

These methods are outlined in the CERT advisory written by Will Dormann, a vulnerability analyst at CERT/CC.

Option 1: Disable Windows Print Spooler

The most drastic way to prevent all PrintNightmare vulnerabilities is to disable the Windows print spooler with the following PowerShell commands:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

However, if you use this mitigation, your computer will no longer be able to print.

Option 2: Block RPC and SMB traffic at network boundaries

Because Delpy's public exploit relies on a remote print server, blocking all RPC endpoint mapper (135/tcp) and SMB (139/tcp and 445/tcp) traffic at the network perimeter prevents internal devices from reaching it.

However, Dormann warns that blocking these protocols may break functionality that is expected to work.

"Be aware that blocking these ports on Windows systems can cause the expected functionality to not work properly, especially on systems that act as servers," explains Dormann.

Option 3: Configure PackagePointAndPrintServerList

The best way to prevent remote servers from exploiting this vulnerability is to use the "Package Point and print - Approved servers" Group Policy to restrict point-and-print functionality to a list of approved servers.

[Image: the "Package Point and print - Approved servers" Group Policy setting]

This policy prevents non-administrator users from installing print drivers via point-and-print unless the print server is on the approved list.

While this Group Policy provides the best protection against the known exploits, it does not prevent an attacker who has compromised an approved print server from serving a malicious driver from it.
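The following PowerShell script is an added example, not part of the article or of Delpy's or CERT's material: it audits the state of Option 1 (spooler disabled) and Option 3 (approved-server list) on a host and can apply the approved list directly. It assumes the "Package Point and print - Approved servers" policy is backed by the registry key named in the script (the values a domain GPO would write); writing them directly only suits a standalone or lab machine, and the server name shown is a placeholder.

```powershell
# Added example (not from the article, Delpy or CERT). Assumption: the
# "Package Point and print - Approved servers" GPO is stored under this key.
$PkgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Test-PrintNightmareMitigations {
    # Option 1: is the spooler stopped and disabled?
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $result = [ordered]@{
        SpoolerStatus   = if ($spooler) { "$($spooler.Status) / $($spooler.StartType)" } else { 'not present' }
        ApprovedListOn  = $false
        ApprovedServers = @()
    }
    # Option 3: is the approved-server list enabled, and which servers are on it?
    if (Test-Path $PkgKey) {
        $v = Get-ItemProperty -Path $PkgKey -ErrorAction SilentlyContinue
        $result.ApprovedListOn = ($v.PackagePointAndPrintServerList -eq 1)
        $listKey = Join-Path $PkgKey 'ListofServers'
        if (Test-Path $listKey) {
            $result.ApprovedServers = (Get-Item $listKey).GetValueNames()
        }
    }
    # A non-admin user can only point-and-print from servers in this list once the
    # switch is on; an empty list therefore blocks every non-admin driver install.
    $result.NonAdminDriverInstallRestricted = $result.ApprovedListOn
    [pscustomobject]$result
}

function Set-ApprovedPrintServers {
    param([Parameter(Mandatory)][string[]]$Servers)  # FQDNs of print servers you trust
    New-Item -Path $PkgKey -Force | Out-Null
    Set-ItemProperty -Path $PkgKey -Name 'PackagePointAndPrintServerList' -Value 1 -Type DWord
    $listKey = Join-Path $PkgKey 'ListofServers'
    New-Item -Path $listKey -Force | Out-Null
    foreach ($s in $Servers) {
        # The policy stores one string value per server; name and data are both the server name.
        Set-ItemProperty -Path $listKey -Name $s -Value $s -Type String
    }
}

# Usage, from an elevated PowerShell session (placeholder server name):
# Set-ApprovedPrintServers -Servers @('print01.corp.example')
# Test-PrintNightmareMitigations
```

After applying the list, confirm with the audit function that ApprovedListOn is true and that only servers you administer appear in ApprovedServers.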

Delpy warned that this is not the end of Windows print spooler abuse, as new research was presented this week at both the Black Hat and DEF CON security conferences.

