PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

Discussion in 'other security issues & news' started by mood, Jun 30, 2021.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,213
    PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug
    June 29, 2021
    https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,549
    Location:
    Outer space
    Thanks, have I disabled the Print Spooler service.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,994
    Location:
    Among the gum trees
    #1
     
  4. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    500
  5. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    69,256
    Location:
    U.S.A.
    Print Nightmare is going to be a nightmare by Susan Bradley, AskWoody Lounge​
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,549
    Location:
    Outer space
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,213
    PrintNightmare, Critical Windows Print Spooler Vulnerability
    June 30, 2021
    https://us-cert.cisa.gov/ncas/curre...-critical-windows-print-spooler-vulnerability
    CERT Coordination Center (CERT/CC): Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,213
    Microsoft adds second CVE for PrintNightmare remote code execution
    While PrintNightmare has been known as CVE-2021-1675 this week, Microsoft has now thrown CVE-2021-34527 into the mix
    July 2, 2021

    https://www.zdnet.com/article/microsoft-adds-second-cve-for-printnightmare-remote-code-execution/
     
  9. sightunseen

    sightunseen Registered Member

    Joined:
    Mar 21, 2014
    Posts:
    4
    Location:
    United States
    So how are you guys mitigating this issue, by shutting off the spooler? I followed the truesec guidance to limit spooler to the local machine.
     
  10. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,050
    Yes, disable it completely.
     
  11. sightunseen

    sightunseen Registered Member

    Joined:
    Mar 21, 2014
    Posts:
    4
    Location:
    United States
    If I do that though I'm pretty sure I can't print, even on a local machine. TrueSec has separate guidance to limit the ACL to deny SYSTEM so I've done that as well. Also I suggest the reddit thread for anyone interested in learning more about this problem.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    You do realize it's not a major issue on home user PC's?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    It is if you haven't applied June, 2021 cumulative update plus possibly scenerios noted below:
    https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    Last edited by a moderator: Jul 3, 2021
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,549
    Location:
    Outer space
    I hadn´t read the details yet. Plus, I rarely print, so it's not inconvenient for me to have it disabled.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,549
    Location:
    Outer space
    https://twitter.com/gentilkiwi/status/1411792763478233091
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    More detail:
    https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html
     
  18. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,577
    Taken from the truesec article mentioned above:
    Disabling the Print Spooler service on clients will impact the clients’ general ability to print to any printer.
    I need my printer, and I need it often. Consequently, disabling this service is out of the question here.

    An alternative workaround to disabling the service is to configure it to not accept client connections. This will effectively limit the access to the local machine preventing the remote exploitation of PrintNightmare.
    This is what I have done. This effective workaround still makes it possible to use your local printers.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    This works great if you're running Win 10 Pro+ version which have Group Policy feature. I have searched extensively for a way to do so on Home versions via registry modification. Haven't found anything.

    I am presently monitoring write activity to C:\Windows\System32\spool\drivers directory and sub-directories with an Eset HIPS rule. I know this will eventually cause issues since Windows Update will update drivers there; e.g. fax drivers.
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    120,615
    Location:
    Texas
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,707
    Location:
    U.S.A. (South)
  23. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    157
    Location:
    New Zealand
    Thanks itman. I had re-enabled automatic start up of the print spooler yesterday after that patch. Back to stopped and disabled it goes. Thankfully I rarely print anything; very aggravating for those who do though. Let's hope a third attempt by MS at patching will fix this once and for all.
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,560
    Location:
    USA
    This is sad. I have disabled the print spooler service on our servers and will leave it that way permanently as nobody needs to be printing from the servers. The workstations, I do not have this option. People print on a daily basis.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    Per the above bleepingcomputer.com article, it is important to note that previous folder ACL recommended mitigations will not work against this exploit:
    However, monitoring write activity in C:\Windows\System32\spool\drivers directory/sub-directries with a HIPS rule will given the negative side effects noted here: https://www.wilderssecurity.com/thr...ndows-printnightmare-bug.438729/#post-3017695
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.