PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

Discussion in 'other security issues & news' started by guest, Jun 30, 2021.

  1. itman

    itman Registered Member

    The point is not how this vulnerability can be exploited which can be done numerous ways.

    The point is that installation of a malicious printer .dll driver can still be deployed to gain System privileges and thus kernel mode access.
     
  2. EASTER

    EASTER Registered Member

    Thank You @itman - Your expert knowledge and sharp wit attention to matters as this is a major support! That experience comes with the territory.
     
  3. itman

    itman Registered Member

    As far as the latest print spooler vulnerability, it technically is not related to PrintNightmare which is a RCE vulnerability:
    https://www.bleepingcomputer.com/ne...-identity-now-detects-printnightmare-attacks/
     
  4. wat0114

    wat0114 Registered Member

    CVE-2021-1675 is a local elevation of privilege escalation. Nothing for the home user to be concerned about.
     
  5. Azure Phoenix

    Azure Phoenix Registered Member

    I thought the danger of PrintNightmare was that it was a combination of a remote vulnerability and a privilege escalation one?
     
  6. wat0114

    wat0114 Registered Member

    CVE-2021-34527 is the more concerning one.
     
  7. Krusty

    Krusty Registered Member

    So bottom line, we should still have the Print Spooler service disabled? From what I've read PrintNightmare hasn't been fully patched by Microsoft yet, right?
     
  8. wat0114

    wat0114 Registered Member

    I haven’t bothered disabling it. I print occasionally on a non-networked printer, I’m the only one using my laptop, and that’s it, so I’m not concerned. Different story for sure for business/enterprises.
     
  9. Krusty

    Krusty Registered Member

    OK, yeah I thought it would be more of an issue for business / enterprises. I don't really have a choice not to network my printer [location] but it is hardly ever on, and I don't print often so I suppose I can disable the service until needed.

    I'm also hoping OSA + VS + AV / firewall would offer some protection anyway.
     
  10. wat0114

    wat0114 Registered Member

    It probably does protect in some way, depending on how it’s all configured.
     
  11. EASTER

    EASTER Registered Member

    With the delay that's ensuing for a solid fix yet, it seems like this niche even has the experts puzzled
     
  12. wat0114

    wat0114 Registered Member

    No doubt, but for a local exploit on a typical home machine to occur, malware would have to be initially on it and running in the first place, most likely through a phishing email attack. This essentially makes it no worse than any other run-of-the-mill malware delivered this way.
     
  13. EASTER

    EASTER Registered Member

    That is a reasonable assumption
     
  14. wat0114

    wat0114 Registered Member

    Of course it goes without saying, one of the patches listed in the below link should be applied:

    https://www.bleepingcomputer.com/news/security/microsoft-printnightmare-security-updates-work-start-patching/

    Edit

    If you have the MS Known Issue Rollback (KIR) feature installed, you should see this registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\1861952651
     
    Last edited: Jul 18, 2021
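
A read-only check of the two things this thread keeps returning to, the Print Spooler service state and the registry key quoted in the post above. This is an added example, not something posted by any participant; the function names `Get-SpoolerPosture` and `Get-KirOverride` are hypothetical, and what the key's presence means is taken from the post, not verified here.

```powershell
# Added example: read-only audit, nothing on the machine is changed.
# Requires Windows PowerShell 5.0 or later (for the StartType property).

# Registry path exactly as quoted in the post above.
$KirPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\1861952651'

function Get-SpoolerPosture {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; Status = $null; StartType = $null; CanRun = $false }
    }
    [pscustomobject]@{
        Installed = $true
        Status    = $svc.Status
        StartType = $svc.StartType
        # A stopped service set to Manual or Automatic can still be started,
        # so only Stopped + Disabled counts as switched off.
        CanRun    = ($svc.Status -ne 'Stopped') -or ($svc.StartType -ne 'Disabled')
    }
}

function Get-KirOverride {
    param([string]$Path = $KirPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Present = $false; Values = @{} }
    }
    # Enumerate whatever values sit under the key without interpreting them.
    $key = Get-Item -LiteralPath $Path
    $values = @{}
    foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    [pscustomobject]@{ Present = $true; Values = $values }
}

$spooler = Get-SpoolerPosture
$kir     = Get-KirOverride

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SpoolerStatus    = $spooler.Status
    SpoolerStartType = $spooler.StartType
    SpoolerCanRun    = $spooler.CanRun
    KirKeyPresent    = $kir.Present
    KirValueNames    = ($kir.Values.Keys -join ', ')
} | Format-List

# To switch the service off until printing is needed (elevated prompt):
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```

With the service disabled, both local and network printing stop until it is re-enabled.
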
  15. itman

    itman Registered Member

    Another ........... PrintNightmare RCE vulnerability:
    https://www.bleepingcomputer.com/ne...ero-day-exploitable-via-remote-print-servers/
     
  16. EASTER

    EASTER Registered Member

    Well, most of the members here are not concerned and likely not being on a network or running a server or as myself just disable the service.

    But those that can be affected by this silly released POC bug ought to patch ASAP. That very term Nightmare conjures up another sparkling example of dissecting every file and services that is unable to self-correct the usual normal course of (in this case) the windows print spooler.

    Windows MS seems so infantile of a framework. They have had many years (and experts) of research and tons of hard cash with available tech resources to develop beyond what is still a work-in-progress. Not very 21st century at all.
     
  17. wat0114

    wat0114 Registered Member

    Not to glorify the efforts of the malware players, but they seem smarter and more talented overall than ever before. Maybe of greater importance, unlike years ago, they are mostly motivated by huge profits (ransomware), so Microsoft even with all their high priced talent, are faced with far more challenges than they may have ever possibly bargained for.
     
  18. EASTER

    EASTER Registered Member

    Agreed! It's becoming evident that they seem to have more current information on Windows than the ones who designed it. If it cost MS piles of dough as it has and does their clients it's a sure bet they wouldn't be so careless in providing all the easy open avenues for them in which they operate.
     
  19. guest

    guest Guest

    Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files
    Vulnerability Note VU#131152
    July 18, 2021 (Updated: July 19, 2021)

    https://kb.cert.org/vuls/id/131152
     
  20. Rasheed187

    Rasheed187 Registered Member

    That's what I thought, so you already need to have malware running on the system.

    Why so? I still don't see how an attacker would be able to execute malware from remote on a home user PC. Can this be done via some browser exploit?

    https://www.tenable.com/blog/cve-20...h-for-printnightmare-vulnerability-in-windows
     
  21. wat0114

    wat0114 Registered Member

  22. EASTER

    EASTER Registered Member

    Probably not likely but we are all too aware anymore how freaking clever picky digital minds can be. And with plenty of success already under their belts as it is.
     
  23. wat0114

    wat0114 Registered Member

    Yes for sure. Just look at the astonishing number of zero day exploits that have been revealed in Chrome in the past little while.
     
  24. EASTER

    EASTER Registered Member

    Yeah it's a seemingly endless revolving door that will only continue. Classic cat and mouse chase to seal up one after the other affectable and infectable many open vectors.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Yes, so it's probably much ado about nothing for home user PCs. That's what security experts should make more clear.
     