PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

Discussion in 'other security issues & news' started by guest, Jun 30, 2021.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The point is not how this vulnerability can be exploited which can be done numerous ways.

    The point is that installation of a malicious printer .dll driver can still be deployed to gain System privileges and thus kernel mode access.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thank You @itman - Your expert knowledge and sharp wit attention to matters as this is a major support! That experience comes with the territory.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As far as the latest print spooler vulnerability, it technically is not related to PrintNightmare which is a RCE vulnerability:
    https://www.bleepingcomputer.com/ne...-identity-now-detects-printnightmare-attacks/
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    CVE-2021-1675 is a local elevation of privilege escalation. Nothing for the home user to be concerned about.
     
  5. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    I thought the danger of printnightmare was that it was a combination of a remote vulnerability and a privilege escalation one?
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    CVE-2021-34527 is the more concerning one.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    So bottom line, we should still have the Print Spooler service disabled? From what I've read PrintNightmare hasn't been fully patched by Microsoft yet, right?
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I haven’t bothered disabling it. I print occasionally on a non-networked printer, I’m the only one using my laptop, and that’s it, so I’m not concerned. Different story for sure for business/enterprises.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    OK, yeah I thought it would be more of an issue for business / enterprises. I don't really have a choice not to network my printer [location] but it is hardly ever on, and I don't print often so I suppose I can disable the service until needed.

    I'm also hoping OSA + VS + AV / firewall would offer some protection anyway.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    It probably does protect in some way, depending on how it’s all configured.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    With the delay that's ensuing for a solid fix yet, it seems like this niche even has the experts puzzled
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    No doubt, but for a local exploit on a typical home machine to occur, malware would have to be initially on it and running in the first place, most likely through a phishing email attack. This essentially makes it no worse than any other run-of-the-mill malware delivered this way.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That is a reasonable assumption
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Of course it goes without saying, one of the patches listed in the below link should be applied:

    https://www.bleepingcomputer.com/news/security/microsoft-printnightmare-security-updates-work-start-patching/

    Edit

    if you have the MS Known Issue Rollback (KIR) feature installed, you should see this registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\1861952651
     
    Last edited: Jul 18, 2021
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Another ........... PrintNightmare RCE vulnerability:
    https://www.bleepingcomputer.com/ne...ero-day-exploitable-via-remote-print-servers/
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well, most the members here are not concerned and likely not being on a network or running a server or as myself just disable the service.

    But those that can be affected by this silly released POC bug ought to patch ASAP. That very term Nightmare conjures up another sparkling example of dissecting every file and services that is unable to self-correct the usual normal course of (in this case) the windows print spooler.

    Windows MS seems so infantile of a framework. They have had many years (and experts)of research and tons of hard cash with available tech resources to develop beyond what is still a work-in-progress. Not very 21st century at all.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Not to glorify the efforts of the malware players, but they seem smarter and more talented overall than ever before. Maybe of greater importance, unlike years ago, they are mostly motivated by huge profits (ransomware), so Microsoft even with all their high priced talent, are faced with far more challenges than they may have ever possibly bargained for.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Agreed! It's becoming evident that they seem to have more current information on windows then the one's who designed it. If it cost MS piles of dough as it has and does their clients it's a sure bet they wouldn't be so careless in providing all the easy open avenues for them in which they operate.
     
  19. guest

    guest Guest

    Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files
    Vulnerability Note VU#131152
    July 18, 2021 (Updated: July 19, 2021)

    https://kb.cert.org/vuls/id/131152
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's what I thought, so you already need to have malware running on the system.

    Why so? I still don't see how an attacker would be able to execute malware from remote on a home user PC. Can this be done via some browser exploit?

    https://www.tenable.com/blog/cve-20...h-for-printnightmare-vulnerability-in-windows
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Probably not likely but we are all too aware anymore how freaking clever picky digital minds can be. And with plenty of success already under their belts as it is.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Yes for sure. Just look at the astonishing number of zero day exploits have been revealed in Chrome in the past little while.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yeah it's a seemingly endless revolving door that will only continue. Classic cat and mouse chase to seal up one after the other affectable and infectable many open vectors.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, so it's probably much ado about nothing for home user PC's. That's what security experts should make more clear.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.