PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

Discussion in 'other security issues & news' started by mood, Jun 30, 2021.

  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,564
    Location:
    USA
    After some research because it is necessary at this point, it looks like according to these vendors:
    Kaspersky claims to block this. https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/
    Trend Micro claims to add some protection. https://success.trendmicro.com/solution/000286888
    ESET recommends following the Microsoft recommendations. https://support.eset.com/en/alert8081-protection-against-printnightmare-remote-code-exploit#protect
    Unfortunately I don't have time to look into all others. This is the info I found as of right now. My apologies if this goes out of date, which will happen at some point.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,564
    Location:
    USA
    Was why I used the words "claims to". There are no guarantees of anything at this point.
    I am opting to go with the "Disable the setting to "Allow Print Spooler to accept client connections"" in Group Policy as it allows local printing and should at least reduce the chances of an issue.
     
  4. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,577
    This is what I did, but there is no Group Policy if you're using Win10 Home.
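For readers on Windows 10 Home, where the Group Policy editor is absent, the same setting lives in the registry. The following script is an added example (not posted by anyone in this thread): it reports the spooler-related policy values Microsoft documents for this bug and, with the script's own `-Apply` switch, turns off remote client connections while leaving local printing intact. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit PrintNightmare spooler mitigations on one host and
# optionally apply "no remote client connections" via the registry (works
# on Windows 10 Home, which has no gpedit.msc). -Apply is this script's own switch.
param([switch]$Apply)

$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp      = Join-Path $printers 'PointAndPrint'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy is not set.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$report = [ordered]@{
    SpoolerStatus = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not installed' }
    # 0 = "Allow Print Spooler to accept client connections" disabled (the GPO in post 3)
    RegisterSpoolerRemoteRpcEndPoint = Get-PolicyValue $printers 'RegisterSpoolerRemoteRpcEndPoint'
    # Point and Print values: 1 here lets non-admins install printer drivers silently
    NoWarningNoElevationOnInstall = Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall'
    UpdatePromptSettings          = Get-PolicyValue $pnp 'UpdatePromptSettings'
    # 1 = only administrators may install printer drivers
    RestrictDriverInstallationToAdministrators = Get-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'
}
[pscustomobject]$report | Format-List

# Exposed to remote callers when the service runs and the endpoint is not disabled.
$exposed = ($svc -and $svc.Status -eq 'Running') -and
           ($report.RegisterSpoolerRemoteRpcEndPoint -ne 0)
if ($exposed) {
    Write-Warning 'Spooler is running and still accepts remote client connections.'
    if ($Apply) {
        New-Item -Path $printers -Force | Out-Null
        Set-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint -Value 0 -Type DWord
        Restart-Service -Name Spooler   # local USB printing keeps working; the remote RPC endpoint is gone
        Write-Host 'Remote client connections disabled; spooler restarted.'
    }
}
```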
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,564
    Location:
    USA
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,577
    Good news if this workaround actually works as intended. :thumb:
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    Here's the issue with spoolsv.exe and everyone seems to be avoiding it.

    It is not a CIG protected process. If it was, only Microsoft code signed .dlls could be loaded into it. Further, C:\Windows\System32\spool\* only requires admin privileges to modify. So one of the UAC bypasses should do the trick to allow modification activities. Note: Don't make spoolsv.exe a CIG process since odds are your printer's .dll is not MS code signed.

    All this means all an attacker has to do is replace your existing printer driver .dll with a malicious one and he's "off and running" with his hack activities.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    Well, so much for the CIG protection ideal for spoolsv.exe.

    Did so and rebooted PC. Immediately open spoolsv.exe in PE. Expanded dlls loaded and my HP printer driver .dlls not loaded. Ahh.... CIG protection option works. Not! I immediately observed the HP printer driver .dlls being loaded although neither were MS code signed; or signed at all.

    This yields the conclusion that CIG protection might work for Win 10 developed .exe's, but not for processes vintage Win 95 era as @Krusty noted.
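The Process Explorer check described in this post can be scripted. The following is an added example, not code from the thread: it lists every module loaded into spoolsv.exe, records its Authenticode status and signer, and flags anything that is unsigned or not Microsoft-signed (the set CIG would refuse). A `HashMismatch` status is the case worth acting on first, since it means a signed driver file has been modified on disk. Run elevated so the SYSTEM process's module list is readable; catalog-signed Windows binaries are recognised on Windows 8.1 and later.

```powershell
# Added example: audit the DLLs loaded into the Print Spooler process.
$spooler    = Get-Process -Name spoolsv -ErrorAction Stop
$driverRoot = Join-Path $env:SystemRoot 'System32\spool'

$modules = foreach ($m in $spooler.Modules) {
    $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Module          = $m.ModuleName
        Path            = $m.FileName
        # Third-party printer drivers live under System32\spool\drivers
        InSpoolDir      = $m.FileName.StartsWith($driverRoot, 'OrdinalIgnoreCase')
        Status          = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        Signer          = $signer
    }
}

# Everything listed here is non-Microsoft or unsigned code running as SYSTEM inside the spooler.
$suspect = $modules | Where-Object { -not $_.MicrosoftSigned }
$suspect | Sort-Object InSpoolDir -Descending |
    Format-Table Module, Status, InSpoolDir, Signer -AutoSize

# A signed file whose bytes no longer match its signature has been altered on disk.
$tampered = $modules | Where-Object { $_.Status -eq 'HashMismatch' }
if ($tampered) {
    Write-Warning "Modified driver files loaded into spoolsv.exe: $($tampered.Path -join ', ')"
}
```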
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    This article: https://www.kb.cert.org/vuls/id/383432 is the best I have found to determine if you're still exploitable after applying the recent MS patch. Of note is the use of flowchart check steps.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    0Patch says Windows 7 is not affected... according to their tests. While acknowledging that Microsoft has said Win 7 SP1 is affected, 0Patch blogger Mitja Kolsek stated on July 8, 2021, "We were so far unable to reproduce the problem on Windows 7. Microsoft may know something we don't." Bet he said that with a smile.

    Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    If the printer is attached to the device via a USB cable, the answer is no - it can't be exploited. -Correction- you can be exploited locally:
    https://github.com/calebstewart/CVE-2021-1675

    However if one is using a shared wireless printer connected to the local home network, it can be exploited:
    https://www.bleepingcomputer.com/ne...ntnightmare-patch-fails-to-fix-vulnerability/
     
    Last edited: Jul 11, 2021
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,238
    CISA orders federal agencies to patch Windows PrintNightmare bug
    July 13, 2021
    https://www.bleepingcomputer.com/ne...agencies-to-patch-windows-printnightmare-bug/
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,549
    Location:
    Outer space
    Let's see if Patch Tuesday patches really do fix PrintNightmare this time..
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    It's not over folks .............
    https://www.bleepingcomputer.com/ne...are-continues-with-malicious-driver-packages/
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,238
    Microsoft Defender for Identity now detects PrintNightmare attacks
    July 16, 2021
    https://www.bleepingcomputer.com/ne...-identity-now-detects-printnightmare-attacks/
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,709
    Location:
    U.S.A. (South)
    What about Windows 8.1? I have had to disable it on several units running 8.

    I do keep Windows Defender up to date on them. I wonder if they will update for this too.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    Does "exploited locally" mean physical access to the computer is required?
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    No.

    One of the test exploits at Github used a classic PowerShell Empire attack whereby a Powershell script was run on the local device that remotely connected to a server. The server downloaded another PowerShell script to the local device and ran the script remotely to perform the PrintNightmare exploiting. Note: this remote connection script has since been removed from Github.

    Ref.: https://www.wilderssecurity.com/thr...printnightmare-bug.438729/page-2#post-3018389

    BTW - a good example why PowerShell outbound connections need to be monitored in a firewall. Also, PowerShell Constrained Language mode stopped the import-module code in the downloaded script from running resulting in the simulated exploit attack failing.
     
    Last edited: Jul 16, 2021
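The three PowerShell controls this post credits with stopping the simulated attack (Constrained Language mode, outbound firewall monitoring, and visibility into what a downloaded script does) can be checked in one place. The script below is an added example, not from the thread: it reports the session language mode, enables script block logging so a fetched script's contents land in the PowerShell Operational log (event 4104) even when it is blocked, and adds per-program outbound block rules for the PowerShell hosts, a stricter form of the monitoring the post recommends. `-Apply` is this script's own switch; run elevated. Enforced Constrained Language mode requires a WDAC or AppLocker policy, so the script only reports it.

```powershell
# Added example: audit and optionally apply PowerShell hardening on a workstation.
param([switch]$Apply)

# 1. Constrained Language mode refuses Import-Module of unsigned modules and most .NET calls.
"Current session LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# 2. Script block logging: the downloaded script is recorded in
#    Microsoft-Windows-PowerShell/Operational as event 4104, even if it then fails.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
"Script block logging: $(if ($enabled -eq 1) { 'enabled' } else { 'disabled' })"
if ($Apply -and $enabled -ne 1) {
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# 3. Outbound firewall: a stager run on the local device cannot reach its server
#    if the PowerShell hosts have no outbound access. One rule per host binary.
$hosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
) | Where-Object { Test-Path $_ }

foreach ($exe in $hosts) {
    $name = "Block outbound: $exe"
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    "$exe : $(if ($rule) { 'outbound block rule present (Enabled=' + $rule.Enabled + ')' } else { 'no outbound block rule' })"
    if ($Apply -and -not $rule) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any | Out-Null
    }
}
```

Blocked connection attempts then show up in the Windows Filtering Platform audit log if "Audit Filtering Platform Connection" is enabled, which gives the firewall monitoring the post asks for.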
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,709
    Location:
    U.S.A. (South)
    Microsoft oversight? Or just another of their infamous ways of adding to the user's risk and possible misery on their platforms.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,397
    Location:
    U.S.A.
    My best guess is Eset bitched about it since I posted in their forum it bypassed their IDS exploit detection for it.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,709
    Location:
    U.S.A. (South)
    Really. PowerShell is a wide open playland to run all sorts of system responsive commands and it obeys.

    Ever run commands on it in a test fashion on your local unit? I have. And am amazed at its potential to perform nearly anything one might decide to make changes in any number of various methods etc. Give it remote access and it's all bets off. No wonder it's such a prized piece not only for Service Administrators, but takeover artists who can issue a series of commands and well, we see how that is panning out.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,308
    Location:
    Canada
    Default-deny will only allow what's whitelisted by the user and block everything else.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    I'm sorry but this doesn't answer my question. Can this be exploited via the browser, simply by visiting a website? If not, then I don't see how this is a threat to home user PCs.
     
  25. jks52

    jks52 Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    12
    So, if I have powershell and cmd locked down on my home computer with NVT OSArmor, does that mean I'm protected from the PrintNightmare attack since I don't know how anyone could access my home network?
     