Researchers have bypassed Microsoft's emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.
After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.
However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems.
The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector – however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). https://t.co/PRO3p99CFo
— Hacker Fantastic (@hackerfantastic) July 6, 2021
Today, as more researchers began modifying their exploits and testing the patch, it was determined that exploits could bypass the entire patch to achieve both local privilege escalation (LPE) and remote code execution (RCE).
According to Mimikatz creator Benjamin Delpy, he could bypass the patch and once again achieve Remote Code Execution if the Point and Print policy is enabled.
— Benjamin Delpy (@gentilkiwi) July 7, 2021
Dormann also confirmed this patch bypass on Twitter.
To bypass the PrintNightmare patch and achieve RCE and LPE, a Windows policy called 'Point and Print Restrictions' must be enabled, and the "When installing drivers for a new connection" setting configured as "Do not show warning on elevation prompt."
This policy is located under Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions.
When enabled, the 'NoWarningNoElevationOnInstall' value will be set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.
Windows Registry Editor Version 5.00
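The following PowerShell audit script is an added example, not code from the article or from the researchers it quotes. It reads the registry value the article names (NoWarningNoElevationOnInstall under the PointAndPrint policy key), checks whether the Print Spooler service is running, and reports whether the combination the article describes as the bypass precondition is present on the host. The optional -DisableSpooler switch applies the mitigation Hickey recommends for machines that do not need printing. It assumes an elevated PowerShell 5.1 or later session on the Windows host being checked; the parameter name and the output field names are this example's own choices.

```powershell
# Added example (not from the article): audit a Windows host for the
# relaxed Point and Print policy described above and for a running spooler.
# Assumes it runs in an elevated PowerShell session on the host being checked.

[CmdletBinding()]
param(
    # When set, stop and disable the Print Spooler service (the mitigation
    # recommended in the article for hosts that do not require printing).
    [switch]$DisableSpooler
)

# Registry location and value name as given in the article.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueName = 'NoWarningNoElevationOnInstall'

# Read the policy value; a missing key or value means the policy is not configured.
$noWarning = $null
if (Test-Path -Path $keyPath) {
    $props = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $props) { $noWarning = $props.$valueName }
}

$spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

# Human-readable fields for the report.
$policyState  = if ($null -eq $noWarning) { 'not set' } else { [string]$noWarning }
$spoolerState = if ($null -eq $spooler)   { 'not installed' } else { $spooler.Status.ToString() }
$spoolerStart = if ($null -eq $spooler)   { 'n/a' } else { $spooler.StartType.ToString() }

# The bypass described in the article needs both conditions at once:
# elevation warnings suppressed for new connections AND a reachable spooler.
$preconditionPresent = ($noWarning -eq 1) -and $spoolerRunning

$report = [PSCustomObject]@{
    ComputerName                  = $env:COMPUTERNAME
    NoWarningNoElevationOnInstall = $policyState
    SpoolerStatus                 = $spoolerState
    SpoolerStartType              = $spoolerStart
    BypassPreconditionPresent     = $preconditionPresent
}

$report | Format-List

if ($preconditionPresent) {
    Write-Warning "Point and Print elevation warnings are suppressed and the Print Spooler is running on $env:COMPUTERNAME."
}

# Optional mitigation: stop and disable the spooler where printing is not needed.
if ($DisableSpooler -and ($null -ne $spooler)) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and disabled.'
}
```

Run it without arguments to get a read-only report; add -DisableSpooler only on hosts that do not need to print, since disabling the service breaks printing until it is re-enabled. The same check can be pushed to many hosts with Invoke-Command where PowerShell remoting is already in place.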
Hickey told BleepingComputer that he is still advising admins and users to disable the Print Spooler service to protect their Windows servers and workstations until a working patch is released.
"We're still advising our clients to disable the printer spooler wherever it's not required until a fix arrives that addresses this issue properly," Hickey told BleepingComputer.
BleepingComputer has contacted Microsoft about the security update but has not heard back at this time.
This is a developing story.