The public print server grants anyone Windows administrator privileges

The public print server grants anyone Windows administrator privileges

The public print server grants anyone Windows administrator privileges

A researcher has created a remote print server that allows any Windows user with limited privileges to gain complete control over a computer by installing a print driver.

In June, a security researcher accidentally revealed a zero-day Windows spooler vulnerability known as PrintNightmare (CVE-2021-34527) that allowed remote code execution and elevation of privilege.

While Microsoft released a security update to correct the vulnerability, researchers quickly discovered ways to bypass the patch under certain conditions.

Since then, researchers have continued to come up with new ways to exploit the vulnerability, with one researcher creating an Internet-accessible print server that allows anyone to open a command prompt with administrative privileges.

Now anyone can get Windows SYSTEM privileges

Security researcher and creator of Mimikatz Benjamin Delpy has been at the forefront of ongoing Print Nightmare research, releasing multiple bypass and exploit updates through specially crafted printer drivers and through the use of Windows APIs.

To illustrate his research, Delpy created a print server with internet access at printnightmare[.]gentilkiwi[.]com that installs a print driver and starts a DLL with SYSTEM privileges.

Initially, the launched DLL would write a log file to the C: Windows System32 folder, which should only be able to be written by users with elevated privileges.

Because some people didn’t believe their initial print driver could elevate privileges, Delpy on Tuesday modified the driver to launch a SYSTEM command line instead.

This new method allows anyone, including threat actors, to elevate administrative privileges simply by installing the remote print driver. Once they gain administrative rights to the machine, they can run any command, add users, or install any software, giving them full control over the system.

This technique is especially useful for threat actors who breach networks for ransomware deployment, as it allows quick and easy access to administrative privileges on a device that helps them spread laterally across a network.

BleepingComputer installed the Delpy print driver on a fully patched Windows 10 21H1 PC as a user with ‘Standard’ (limited) privileges to test this technique.

As you can see, once we installed the printer and disabled Windows Defender, which detects the malicious printer, a command prompt opened giving us full SYSTEM privileges on the computer.

When we asked Delpy if he was concerned that threat actors were abusing his print server, he told us that one of the main reasons he created it is to pressure “Microsoft to set some priorities” to fix the bug. .

He also said that it is impossible to determine which IP addresses belong to researchers or threat actors. However, it has protected Russian IP addresses with firewalls that appeared to be abusing the print servers.

Mitigate the vulnerability of the new printer

Since anyone can abuse this remote print server on the Internet to gain SYSTEM level privileges on a Windows device, Delpy has offered several ways to mitigate the vulnerability.

These methods are described in a CERT Notice written by Will dormann, Vulnerability Analyst for CERT / CC.

Option 1: disable Windows print queue

The most extreme way to prevent all PrintNightmare vulnerabilities is to disable the Windows print queue using the following commands.

Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled

However, using this mitigation will prevent the computer from being able to print.

Option 2: block RPC and SMB traffic at the edge of your network

Since Delpy’s public exploit uses a remote print server, it should block all RPC Endpoint Mappers (135/tcp) and SMB (139/tcp other 445/tcp) traffic on the edge of your network.

However, Dormann cautions that blocking these protocols can cause existing functionality to stop working as expected.

“Keep in mind that blocking these ports on a Windows system can prevent expected capabilities from working properly, especially on a server-based system,” explained Dormann.

Option 3: configure PackagePointAndPrintServerList

The best way to prevent a remote server from exploiting this vulnerability is to restrict Point and Print functionality to a list of approved servers using the ‘Package and Print – Approved Servers’ group policy.

The public print server grants anyone Windows administrator privileges

Packet and Print Point – Approved Server Group Policy

This policy prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list.

Using this group policy will provide the best protection against the known exploit, but will not prevent a threat actor from taking over a permitted print server with malicious drivers.

Delpy cautioned that this is not the end of the abuse of the Windows print spooler, especially with new research revealed this week in both the Black hat other Def With security conferences.