A researcher has created a remote print server that allows any Windows user with limited privileges to gain full control over a device simply by installing a print driver.
In June, a security researcher accidentally published a zero-day Windows print spooler vulnerability known as PrintNightmare (CVE-2021-34527) that allowed remote code execution and elevation of privileges.
Since then, researchers have continued to devise new ways to exploit the vulnerability, with one researcher creating an Internet-accessible print server that allows anyone to open a command prompt with administrative privileges.
Now anyone can get Windows SYSTEM privileges
Security researcher and Mimikatz creator Benjamin Delpy has been at the forefront of continued PrintNightmare research, releasing several bypasses and updates to exploits through specially crafted printer drivers and by abusing Windows APIs.
To illustrate his research, Delpy created an Internet-accessible print server at printnightmare[.]gentilkiwi[.]com that installs a print driver and launches a DLL with SYSTEM privileges.
Initially, the launched DLL would write a log file to the C:\Windows\System32 folder, which should only be writable by users with elevated privileges.
Want to test #printnightmare (ep 4.x) user-to-system as a service?
(POC only, will write a log file to system32)
connect to https://t.co/6Pk2UnOXaG with
– user: .gentilguest
– password: password
Open ‘Kiwi Legit Printer – x64’, then ‘Kiwi Legit Printer – x64 (another one)’ pic.twitter.com/zHX3aq9PpM
— Benjamin Delpy (@gentilkiwi) July 17, 2021
As some people did not believe his initial print driver could elevate privileges, on Tuesday Delpy modified the driver to launch a SYSTEM command prompt instead.
This new method effectively allows anyone, including threat actors, to gain administrative privileges simply by installing the remote print driver. Once they gain administrative rights on the machine, they can run any command, add users, or install any software, effectively giving them full control over the system.
This technique is especially useful for threat actors who breach networks to deploy ransomware, as it gives quick and easy access to administrative privileges on a device, which helps them spread laterally through a network.
BleepingComputer installed Delpy’s print driver on a fully patched Windows 10 21H1 PC as a user with ‘Standard’ (limited) privileges to test this technique.
As you can see, once we installed the printer and disabled Windows Defender, which detects the malicious printer, a command prompt was opened that gave us full SYSTEM privileges on the computer.
When we asked Delpy if he was concerned that threat actors were abusing his print server, he told us that one of the driving reasons he created it is to pressure “Microsoft to make some priorities” into fixing the bug.
He also said that it is impossible to determine which IP addresses belong to researchers and which to threat actors. However, he has firewalled Russian IP addresses that appeared to be abusing the print servers.
Mitigating the new printer vulnerability
As anyone can abuse this remote print server on the Internet to get SYSTEM-level privileges on a Windows system, Delpy has offered several ways to mitigate the vulnerability.
Option 1: Disable the Windows Print Spooler
The most extreme way to prevent all PrintNightmare vulnerabilities is to disable the Windows Print Spooler using the following PowerShell commands.
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
However, using this mitigation will prevent the computer from being able to print.
Option 2: Block RPC and SMB traffic at your network boundary
As Delpy’s public exploit uses a remote print server, you should block all RPC Endpoint Mapper (135/tcp) and SMB (445/tcp) traffic at your network boundary.
However, Dormann warns that blocking these protocols may cause existing functionality to no longer work as expected.
“Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,” explained Dormann.
Option 3: Configure PackagePointAndPrintServerList
The best way to prevent a remote server from exploiting this vulnerability is to restrict Point and Print functionality to a list of approved servers using the ‘Package Point and print – Approved servers’ group policy.
This policy prevents non-administrative users from installing print drivers via Point and Print unless the print server is on the approved list.
Using this group policy provides the best protection against the known exploit, but it will not prevent a threat actor from taking over an allowed print server and serving malicious drivers from it.
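The following read-only audit script is an added example, not code from the article or from Delpy; it reports whether Option 1 (spooler stopped and disabled) and Option 3 (Package Point and Print approved-server list) are actually in place on a host. It assumes the registry path under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint is the one the ‘Package Point and print – Approved servers’ policy writes to.

```powershell
# Added audit script; not from the article or from Delpy. Read-only: it changes
# nothing and only reports the state of the two host-side mitigations.
# Assumption: the policy stores its settings under the registry key below.
$pppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-SpoolerMitigation {
    # Option 1 only counts as applied if the service is both stopped and disabled;
    # a stopped-but-Manual spooler can be started again by the next print request.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    [pscustomobject]@{
        Option    = 'Disable Print Spooler'
        Status    = $svc.Status
        StartType = $svc.StartType
        Applied   = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
}

function Get-PointAndPrintMitigation {
    # Option 3: PackagePointAndPrintServerList = 1 turns the restriction on; the
    # approved servers are stored as value names under the ListofServers subkey.
    $enabled = $false
    $servers = @()
    if (Test-Path $pppKey) {
        $p = Get-ItemProperty -Path $pppKey -ErrorAction SilentlyContinue
        $enabled = ($null -ne $p -and $p.PackagePointAndPrintServerList -eq 1)
        $listKey = Join-Path $pppKey 'ListofServers'
        if (Test-Path $listKey) {
            $servers = @((Get-Item $listKey).GetValueNames() | Where-Object { $_ -ne '' })
        }
    }
    [pscustomobject]@{
        Option          = 'Package Point and Print approved servers'
        Enabled         = $enabled
        # With the policy on, only listed servers may install drivers for
        # non-admins (an empty list means none). Each listed server is still a
        # single point of failure, as the article notes, so review the list.
        ApprovedServers = $servers
        Applied         = $enabled
    }
}

$results = @(Get-SpoolerMitigation; Get-PointAndPrintMitigation)
$results | Format-List
if (-not ($results.Applied -contains $true)) {
    Write-Warning 'Neither host-side PrintNightmare mitigation is in place on this machine.'
}
```

Run it in an elevated PowerShell session; reading the Policies hive and the service start type does not require elevation, but running it across a fleet via remoting usually does.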