A simple remote print server can grant Administrator privileges on any Windows PC: PrintNightmare vulnerability further weaponized for easy deployment and execution

[Image: PrintNightmare] A simple remote print server is all it takes to compromise Windows OS access control. Pic credit: Listener42/Flickr

Microsoft is yet to fully address the PrintNightmare security vulnerability. And now, a new variant of the same can potentially grant Administrator privileges to any Windows user. Basically, the new method uses a remote print server to grant elevated access rights.

A remote print server can grant any Windows user, with limited privileges, complete control over a PC merely by installing a print driver. The security loophole is essentially an extension of the PrintNightmare vulnerability.

A simple print server can completely break Windows 10 OS user access controls and grant Administrator privileges to anyone?

Earlier this year, a security researcher accidentally revealed a zero-day Windows print spooler vulnerability. The PrintNightmare vulnerability is tagged as CVE-2021-34527, and it allows Remote Code Execution (RCE) and elevation of privileges on a Windows PC.

Microsoft has been battling the security loophole but several “security researchers” keep finding new ways of exploiting the same.

Now, a researcher has created an Internet-accessible print server. The remote print server allows anyone to open a command prompt with administrative privileges.

Simply put, there are multiple bypasses and updates to the original PrintNightmare exploit. Researchers are creating printer drivers and abusing Windows APIs to achieve remote code execution and gain Administrator-level rights.

Earlier this month, security researcher and Mimikatz creator Benjamin Delpy created an Internet-accessible print server at a website that installs a print driver and launches a DLL with SYSTEM privileges.

This week, Delpy modified the driver to launch a SYSTEM command prompt. As the Tweet illustrates, the method can allow anyone to instantly gain elevated ‘Administrative’ privileges simply by installing the weaponized remote print driver.

Needless to add, with Administrative rights on a machine, anyone can run any command, add users, or install any software. Simply put, a remote print server effectively gives anyone, including threat actors, complete control over the system.

Interestingly, Delpy claims he openly shared the print server exploit to pressure “Microsoft to make some priorities” into fixing the bug. The researcher reportedly insists that Russian IP addresses appear to be abusing the print servers.

How to mitigate an easily and openly available remote print server PrintNightmare exploit?

Delpy may have openly shared the latest PrintNightmare-based exploit, but he has also offered a few methods to mitigate the risk.

A CERT/CC advisory, written by Will Dormann, details the techniques that concerned Windows PC users should follow to protect their devices.

The most obvious and drastic way to shield a Windows PC from the latest exploit is to disable the Print Spooler service. Run the following PowerShell commands, but do note that they will prevent the computer from printing anything:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Alternatively, limit Point and Print to a list of approved servers by enabling the ‘Package Point and print – Approved servers’ Group Policy setting and listing only trusted print servers. This policy prevents users with limited (non-administrator) access from installing print drivers through Point and Print from any server that is not on the list.
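As an added example, not taken from the article or the CERT advisory, the following read-only PowerShell audit reports whether a machine has either of the two mitigations above in place: the Print Spooler stopped and disabled, or Package Point and Print restricted to an approved-server list. The registry locations are assumed to be the ones the matching Group Policy settings write, and any server name shown is a placeholder.

```powershell
# Added audit script (not part of the article). It only reads state and changes nothing.
# Registry paths are assumed from the Group Policy settings named in the text; verify
# them against your own GPO if they differ.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerState {
    # Mitigation 1: a stopped and disabled spooler cannot load any print driver at all.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Status = 'NotInstalled'; StartType = 'n/a'; Mitigated = $true }
    }
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
        Mitigated = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
}

function Get-PointAndPrintPolicy {
    # Mitigation 2: Package Point and Print limited to an approved-server list.
    $ppp = "$PolicyRoot\PackagePointAndPrint"
    $listEnabled = (Get-ItemProperty -Path $ppp -Name PackagePointAndPrintServerList `
        -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
    $servers = @()
    if (Test-Path "$ppp\ListOfServers") {
        # Each approved server is a value name, e.g. 'print01.corp.example' (placeholder).
        $servers = (Get-Item "$ppp\ListOfServers").GetValueNames()
    }
    # Also report the admin-only driver install setting that patched systems honour;
    # a value of 0 explicitly re-enables non-admin driver installs, absent means restricted.
    $restrict = (Get-ItemProperty -Path "$PolicyRoot\PointAndPrint" `
        -Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue
        ).RestrictDriverInstallationToAdministrators
    [pscustomobject]@{
        ApprovedListEnforced   = ($listEnabled -eq 1)
        ApprovedServers        = $servers
        AdminOnlyDriverInstall = ($restrict -ne 0)
    }
}

function Get-PrintNightmareAudit {
    $spooler = Get-SpoolerState
    $policy  = Get-PointAndPrintPolicy
    [pscustomobject]@{
        SpoolerStatus          = "$($spooler.Status)/$($spooler.StartType)"
        SpoolerDisabled        = $spooler.Mitigated
        ApprovedListEnforced   = $policy.ApprovedListEnforced
        ApprovedServers        = ($policy.ApprovedServers -join ', ')
        AdminOnlyDriverInstall = $policy.AdminOnlyDriverInstall
        # Exposed: spooler is running and neither Point and Print restriction applies.
        Exposed = (-not $spooler.Mitigated) -and
                  -not ($policy.ApprovedListEnforced -or $policy.AdminOnlyDriverInstall)
    }
}

Get-PrintNightmareAudit | Format-List
```

Run it in an elevated PowerShell session; a result of Exposed = True means a non-administrator on that machine can still pull a driver from an arbitrary print server.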

Delpy insists that the PrintNightmare exploit and its derivatives will only keep growing. Hence, it is now up to Microsoft to develop a reliable patch.
