Microsoft’s print nightmare continues with another example of how a threat actor can obtain SYSTEM privileges by abusing malicious printer drivers.
Last month, security researchers accidentally disclosed a proof-of-concept exploit for the Windows PrintNightmare zero-day.
This vulnerability is tracked as CVE-2021-34527 and is a missing permission check in the Windows Print Spooler that allows malicious print drivers to be installed to achieve remote code execution or local privilege escalation on vulnerable systems.
Microsoft released an out-of-band KB5004945 security update that was supposed to fix the vulnerability, but security researchers quickly determined that the patch could be bypassed under certain conditions.
However, Microsoft stated that its patches worked as intended and, because the vulnerability was being actively exploited, advised all Windows users to install the update.
The print nightmare continues
Yesterday, security researcher and Mimikatz creator Benjamin Delpy said he found a way to abuse Windows’ normal method of installing printer drivers to gain local SYSTEM privileges through malicious printer drivers.
This method can be used even when admins have applied Microsoft’s recommended mitigations of restricting printer driver installation to admins and disabling Point and Print.
#printnightmare – Episode 3
You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?
— Benjamin Delpy (@gentilkiwi) July 15, 2021
While this new local privilege escalation method is not the same as the one commonly referred to as PrintNightmare, Delpy told BleepingComputer that he considers related printer driver installation bugs to be categorized under the same name.
In a conversation with BleepingComputer, Delpy explained that even with mitigations applied, a threat actor could create a signed malicious print driver package and use it to achieve SYSTEM privileges on other systems.
To do this, the threat actor would create a malicious print driver and sign it using a trusted Authenticode certificate using these steps:
However, some threat actors opt for the “Rolls Royce” method of signing drivers, which is to buy or steal an EV certificate and then submit it for Microsoft WHQL validation as a fake company.
Once they have a signed printer driver package, a threat actor can install the driver on any other networked device where they have administrative privileges.
Threat actors can then use this “pivot” device to gain SYSTEM privileges on other devices where they do not have elevated privileges simply by installing the malicious driver, as shown in the video below.
Delpy said that this technique could be used to help threat actors spread laterally in an already compromised network.
When asked how Microsoft could prevent this type of attack, Delpy stated that they tried to prevent it in the past by deprecating version 3 printer drivers. Ultimately, this caused issues, and Microsoft ended the v3 deprecation policy in June 2017.
Unfortunately, this technique will likely not be fixed, as Windows is designed to allow an administrator to install a printer driver, even ones that may be unknowingly malicious. Furthermore, Windows is designed to allow non-admin users to install signed drivers on their devices for ease of use.
Instead, security software will likely be the primary defense against attacks like this by detecting the malicious driver or its behavior.
BleepingComputer has contacted Microsoft about the issue but has not heard back.
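As an added example (not code from the article or from Delpy), the PowerShell audit below checks the two mitigations the article mentions, driver installation restricted to administrators and Point and Print prompts enforced, and inventories the installed printer drivers with their major version and signature status, which is the visibility a defender needs when detection rather than a patch is the primary defense. The registry value names and Get-PrinterDriver properties are the ones Microsoft documents; the "Hardened" verdict logic is this example's own assumption.

```powershell
# Added example (not from the article): audit PrintNightmare-related hardening
# and inventory installed printer drivers. Run from an elevated PowerShell session.
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    try   { (Get-ItemProperty -Path $PointAndPrint -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent -> policy not configured
}

# 1. Driver installation restricted to administrators? (1 = restricted, 0 = any user)
$restrict = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'
# 2. Point and Print elevation prompts: 0 = prompt for elevation, 1 = install silently
$noWarn   = Get-PointAndPrintValue 'NoWarningNoElevationOnInstall'
$noUpdate = Get-PointAndPrintValue 'UpdatePromptSettings'

# Assumed verdict: hardened only when the restriction is explicitly on and
# neither Point and Print prompt has been suppressed.
[pscustomobject]@{
    RestrictDriverInstallationToAdministrators = $restrict
    NoWarningNoElevationOnInstall              = $noWarn
    UpdatePromptSettings                       = $noUpdate
    Hardened = ($restrict -eq 1) -and ($noWarn -ne 1) -and ($noUpdate -ne 1)
} | Format-List

# 3. Inventory installed drivers. Version-3 (MajorVersion 3) drivers from an
#    unexpected manufacturer, or whose binary carries no valid Authenticode
#    signature, are the ones that deserve a closer look.
$inventory = Get-PrinterDriver | ForEach-Object {
    $status = 'n/a'
    if ($_.DriverPath -and (Test-Path $_.DriverPath)) {
        $status = (Get-AuthenticodeSignature -FilePath $_.DriverPath).Status
    }
    [pscustomobject]@{
        Name         = $_.Name
        Manufacturer = $_.Manufacturer
        MajorVersion = $_.MajorVersion
        Environment  = $_.PrinterEnvironment
        DriverPath   = $_.DriverPath
        Signature    = $status
    }
}
$inventory | Sort-Object MajorVersion, Name | Format-Table -AutoSize
```

The signature column is a triage aid, not a verdict: as the article points out, a driver signed with a stolen or fraudulently obtained certificate still shows as validly signed, so unexpected manufacturers and recently added drivers matter more than the status alone.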