PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

After some research because it is necessary at this point, it looks like according to these vendors:
Kaspersky claims to block this. https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/
Trend Micro claims to add some protection. https://success.trendmicro.com/solution/000286888
ESET recommends following the Microsoft recommendations. https://support.eset.com/en/alert8081-protection-against-printnightmare-remote-code-exploit#protect
Unfortunately I don't have time to look into all others. This is the info I found as of right now. My apologies if this goes out of date, which will happen at some point.

 

Whereas at the end of the article they state:

I interpret this to mean "we should be able to block exploiting, but can't guaranty it."

 

Was why I used the words "claims to". There are no guarantees of anything at this point.
I am opting to go with the "Disable the setting to "Allow Print Spooler to accept client connections"" in Group Policy as it allows local printing and should at least reduce the chances of an issue.

 

This is what I did, but there is no Group Policy if you're using Win10 Home.

 

True, but there are workarounds such as this:
https://www.makeuseof.com/tag/access-group-policy-editor-even-windows-home-settings-try/

 

Good new if this workaround actually works as intended.

 

Here's the issue with spoolsv.exe and everyone seems to be avoiding it.

It is not a CIG protected process. If it was, only Microsoft code signed .dlls could be loaded into it. Further, C:\Windows\System32\spool\* only requires admin privileges to modify. So one of the UAC bypasses should do the trick to allow modification activities. Note: Don't make spoolsv.exe a CIG process since odds are your printer's .dll is not MS code signed.

All this means all an attacker has to do is replace your existing printer driver .dll with a malicious one and he's "off and running" with his hack activities.

 

Well, so much for the CIG protection ideal for spoolsv.exe.

Did so and rebooted PC. Immediately open spoolsv.exe in PE. Expanded dlls loaded and my HP printer driver .dlls not loaded. Ahh.... CGI protection option works. Not! I immediately observed the HP printer driver .dlls being loaded although neither were MS code signed; or signed at all.

This yields the conclusion that CGI protection might work for Win 10 developed .exe's, but not for processes vintage Win 95 era as @Krusty noted.

 

This article: https://www.kb.cert.org/vuls/id/383432 is the best I have found to determine if your still exploitable after applying the recent MS patch. Of note is the use of flowchart check steps.

 

0Patch says Windows 7 is not affected... according to their tests. While acknowledging that Microsoft has said Win 7 SP1 is affected, 0Patch blogger Mitja Kolsek stated on July 8, 2021, "We were so far unable to reproduce the problem on Windows 7. Microsoft may know something we don't." Bet he said that with a smile.

Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)

 

I'm sorry but I still don't get it. How would an attacker manage to get remote code execution on a home user PC via this exploit?

 

If the printer is attached to the device via a USB cable, the answer is no - it can't be exploited. -Correction- you can be exploited locally:

https://github.com/calebstewart/CVE-2021-1675

However if one is using a shared wireless printer connected to the local home network, it can be exploited:

https://www.bleepingcomputer.com/ne...ntnightmare-patch-fails-to-fix-vulnerability/

 

CISA orders federal agencies to patch Windows PrintNightmare bug
July 13, 2021
https://www.bleepingcomputer.com/ne...agencies-to-patch-windows-printnightmare-bug/

 

Lets see if Patch Tuesday patches really do fix PrintNightmare this time..

 

It's not over folks .............

https://www.bleepingcomputer.com/ne...are-continues-with-malicious-driver-packages/

 

Microsoft Defender for Identity now detects PrintNightmare attacks
July 16, 2021
https://www.bleepingcomputer.com/ne...-identity-now-detects-printnightmare-attacks/

 

What about Windows 8.1? I have had to disable it on several units running 8.

I do keep Windows Defender up to date on them. I wonder if they will update for this too.

 

Does "eploited locally" mean physical access to the computer is required?

 

No.

One of the test exploits at Github used a classic PowerShell Empire attack whereby a Powershell script was run on the local device that remotely connected to a server. The server downloaded another PowerShell script to the local device and ran the script remotely to perform the PrintNightmare exploiting. Note: this remote connection script has since been removed from Github.

Ref.: https://www.wilderssecurity.com/thr...printnightmare-bug.438729/page-2#post-3018389

BTW - a good example why PowerShell outbound connections need to be monitored in a firewall. Also, PowerShell Constrained Language mode stopped the import-module code in the downloaded script from running resulting in the simulated exploit attack failing.

 

Microsoft oversight? Or just another of their infamous ways of adding to the user's risk and possible misery on their platforms.

 

My best guess is Eset bitched about it since I posted in their forum it bypassed their IDS exploit detection for it.

 

Really. PowerShell is a wide open playland to run all sorts of system responsive commands and it obeys.

Ever run commands on it in a test fashion on your local unit? I have. And am amazed at it's potential to perform nearly anything one might decide to make changes in any number of various methods etc. Give it remote access and it's all bets off. No wonder its such a prized piece not only for Service Administrators, but takeover artists who can issue a series of commands and well, we see how that is panning out.

 

Default-deny will only allow what's whitelisted by the user and block everything else.

 

I'm sorry but this doesn't answer my question. Can this be exploited via the browser, simply by visiting a website? If not, then I don't see how this is a threat to home user PC's.

 

So, if I have powershell and cmd locked down on my home computer with NVT OSArmor, does that mean I'm protected from the PrintNightmare attack since I don't know how anyone could access my home network?