Microsoft is yet to fully address the PrintNightmare security vulnerability. And now, a new variant of the same can potentially grant Administrator privileges to any Windows user. Basically, the new method uses a remote print server to grant elevated access rights.
A remote print server can grant any Windows user, with limited privileges, complete control over a PC merely by installing a print driver. The security loophole is essentially an extension of the PrintNightmare vulnerability.
A simple print server can completely break Windows 10 OS user access controls and grant Administrator privileges to anyone?
Earlier this year, a security researcher accidentally revealed a zero-day Windows print spooler vulnerability. The PrintNightmare vulnerability is tagged as CVE-2021-34527, and it allows Remote Code Execution (RCE) and elevation of privileges on a Windows PC.
Microsoft has been battling the security loophole but several “security researchers” keep finding new ways of exploiting the same.
"Security researcher and Mimikatz creator Benjamin Delpy has publicly disclosed a new zero-day vulnerability that allows a threat actor to easily achieve SYSTEM privileges on a Windows machine through a remote print server under their control."https://t.co/U9s0m6Dlfc
— Bad Packets (@bad_packets) July 18, 2021
Now, a researcher has created an Internet-accessible print server. The remote print server allows anyone to open a command prompt with administrative privileges.
Simply put, there are multiple bypasses and updates to the original PrintNightmare exploit. Researchers are creating printer drivers and abusing Windows APIs to achieve RCE by gaining Admin-level rights.
Earlier this month, security researcher and Mimikatz creator Benjamin Delpy created an Internet-accessible print server at a website that installs a print driver and launches a DLL with SYSTEM privileges.
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)
connect to \https://t.co/6Pk2UnOXaG with
– user: .gentilguest
– password: password
Open 'Kiwi Legit Printer – x64', then 'Kiwi Legit Printer – x64 (another one)' pic.twitter.com/zHX3aq9PpM
— 🥝 Benjamin Delpy (@gentilkiwi) July 17, 2021
This week, Delpy modified the driver to launch a SYSTEM command prompt. As the Tweet illustrates, the method can allow anyone to instantly gain elevated ‘Administrative’ privileges simply by installing the weaponized remote print driver.
Needless to add, with Administrative rights on a machine, anyone can run any command, add users, or install any software. Simply put, a remote print server effectively gives anyone, including threat actors, complete control over the system.
Interestingly, Delpy claims he openly shared the print server exploit to pressure “Microsoft to make some priorities” into fixing the bug. The researcher reportedly insists that Russian IP addresses appear to be abusing the print servers.
How to mitigate an easily and openly available remote print server PrintNightmare exploit?
Delpy may have openly shared the latest PrintNightmare-based exploit, but he has also offered a few methods to mitigate the risk.
A CERT advisory, written by Will Dormann, details the techniques that concerned Windows PC users must follow to protect their devices.
— BleepingComputer (@BleepinComputer) July 31, 2021
The most obvious and drastic method to shield a Windows PC from the latest exploit is to disable the Windows Print spooler. Run the following commands, but do note that they will prevent the computer from printing anything:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Prioritise defence for RCE in latest epsiode of #printnightmare🔥🖨️
Disable outbound SMB. Adversaries can instead use MS-WPRN, so….
Group policy, enable 'Package Point and print-Approved servers'. Print servers must be approved by admin; endpoint will check driver signatures https://t.co/3CWvz8lYVI
— Dray Agha (@Purp1eW0lf) July 19, 2021
Alternatively, limit access to Point and Print functionality to a list of approved servers. The ‘Package Point and print – Approved servers’ group policy is needed. This policy essentially prevents anyone with lower-level or limited access from installing print drivers using Point and Print.
Delpy insists that the PrintNightmare exploit and its derivatives will only keep growing. Hence, it is now up to Microsoft to develop a reliable patch.