PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

wat0114 · Jul 29, 2021

Rasheed187 said: ↑

Yes, so it's probably much ado about nothing for home user PC's. That's what security experts should make more clear.
Click to expand...

They almost never do, though.

guest · Jul 31, 2021

Public print server gives anyone Windows admin privileges
July 31, 2021
https://www.bleepingcomputer.com/ne...server-gives-anyone-windows-admin-privileges/

A researcher has created a remote print server allowing any Windows user with limited privileges to gain complete control over a computer by installing a print driver.
Now anyone can get Windows SYSTEM privileges
Security researcher and Mimikatz creator Benjamin Delpy has been at the forefront of continuing PrintNightmare research, releasing multiple bypasses and updates to exploits through specially crafted printer drivers and by abusing Windows APIs.

To illustrate his research, Delpy created an Internet-accessible print server at \\printnightmare[.]gentilkiwi[.]com that installs a print driver and launches a DLL with SYSTEM privileges.
Click to expand...

As some people did not believe his initial print driver could elevate privileges, on Tuesday, Delpy modified the driver to launch a SYSTEM command prompt instead.

BleepingComputer installed Delpy's print driver on a fully patched Windows 10 21H1 PC as a user with 'Standard' (limited) privileges to test this technique.
As you can see, once we installed the printer and disabled Windows Defender, which detects the malicious printer, a command prompt was opened that gave us full SYSTEM privileges on the computer.
Click to expand...

Delpy has warned that this is not the end of Windows print spooler abuse, especially with new research being revealed this week at both the Black Hat and Def Con security conferences.
Click to expand...

EASTER · Jul 31, 2021

Print with LINUX- That takes care of that.

guest · Aug 5, 2021

New Windows PrintNightmare zero-days get free unofficial patch
August 5, 2021
https://www.bleepingcomputer.com/ne...ightmare-zero-days-get-free-unofficial-patch/

A free unofficial patch has been released to protect Windows users from all new PrintNightmare zero-day vulnerabilities discovered since June.

Technical details and a proof-of-concept (PoC) exploit for a new Windows print spooler vulnerability named 'PrintNightmare' (CVE-2021-34527) was accidentally disclosed in June.
Click to expand...

Mitigations for the zero-day PrintNightmare vulnerabilities are already available through the 'PackagePointAndPrintServerList' group policy, which allows you to specify a white list of approved print servers that can be used to install a print driver.

However, for those who want to install a patch and not try to understand advisories and fiddle with group policies, Mitja Kolsek, co-founder of the 0patch micropatching service, has released a free micropatch that can be used to fix all known PrintNightmare vulnerabilities.

"We therefore decided to implement the group policy-based workaround as a micropatch, blocking Point and Print printer driver installation from untrusted servers. This workaround employs Group Policy settings: the "Only use Package Point and Print" first requires every printer driver is in form of a signed package, while the "Package Point and print - Approved servers" limits the set of servers from which printer driver packages are allowed to be installed." Kolsek explains in a blog post.
Click to expand...

guest · Aug 11, 2021

Microsoft fixes Windows Print Spooler PrintNightmare vulnerability
August 10, 2021
https://www.bleepingcomputer.com/ne...s-print-spooler-printnightmare-vulnerability/

Microsoft has fixed the PrintNightmare vulnerability in the Windows Print Spooler by requiring users to have administrative privileges when using the Point and Print feature to install printer drivers.
Point and Print now requires administrative privileges
As part of today's August 2021 Patch Tuesday security updates, Windows now requires a user to have administrative privileges to install a printer driver via the Point and Print feature.

"Our investigation into several vulnerabilities collectively referred to as “PrintNightmare” has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks," announced Microsoft in a new advisory.
"Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service."
Click to expand...

"This change will take effect with the installation of the security updates released on August 10, 2021 for all versions of Windows, and is documented as CVE-2021-34481."

For organizations that require non-elevated users to install printer drivers, Microsoft has released an advisory with instructions on disabling this fix.
Click to expand...

Microsoft finally fixes PrintNightmare vulnerability with KB5005031 and KB5005033 updates
August 11, 2021
https://betanews.com/2021/08/11/microsoft-finally-fixes-printnightmare-vulnerability/

To help address the ongoing problems with the so-called PrintNightmare vulnerability (CVE-2021-34527), Microsoft has announced a change to the default behavior of the Point and Print feature in Windows.

The change has been delivered via the KB5005033 and KB5005031 update and means that in order to install printer drivers, users will have to have administrative privileges. This mitigates against the Windows Print Spooler vulnerability that allowed any user to install drivers via Point and Print, a fact that could be exploited to install a malicious drivers to allow for remote code execution and SYSTEM privileges.
Click to expand...

The fix comes as part of this month's Patch Tuesday updates, and the company also published a post on the Microsoft Security Response Center blog [...] The post continues: [...]

KB5005031 is available for Windows 10 version 1909, while KB5005033 is available for Windows 10 versions 2004, 20H2 and 21H1.
Click to expand...

guest · Aug 11, 2021

Microsoft confirms another Windows print spooler zero-day bug
August 11, 2021
https://www.bleepingcomputer.com/ne...s-another-windows-print-spooler-zero-day-bug/

Microsoft has issued an advisory for another zero-day Windows print spooler vulnerability tracked as CVE-2021-36958 that allows local attackers to gain SYSTEM privileges on a computer.

While Microsoft's recent security updates changed the new printer driver installation procedure so that it requires admin privileges, you will not be required to enter admin privileges to connect to a printer when that driver is already installed.
Click to expand...

This vulnerability uses the CopyFile registry directive to copy a DLL file that opens a command prompt to the client along with a print driver when you connect to a printer.
Furthermore, if the driver exists on a client, and thus does not need to be installed, connecting to a remote printer will still execute the CopyFile directive for non-admin users. This weakness allows Delpy's DLL to be copied to the client and executed to open a SYSTEM-level command prompt.
Microsoft releases advisory on CVE-2021-36958
Today, Microsoft issued an advisory on a new Windows Print Spooler vulnerability tracked as CVE-2021-36958.

"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," reads the CVE-2021-36958 advisory.
"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Click to expand...

Will Dormann, a vulnerability analyst for CERT/CC, told BleepingComputer that Microsoft confirmed the CVE-2021-36958 corresponds to the PoC exploit shared by Delpy on Twitter and described above.

Strangely, Microsoft has classified this as a remote code execution vulnerability, even though the attack needs to be performed locally on a computer.
When BleepingComputer asked Dormann to clarify if this was incorrect labeling, we were told "it's clearly local (LPE)" based on the CVSS:3.0 7.3 / 6.8 score.
Click to expand...

guest · Aug 12, 2021

Ransomware gang uses PrintNightmare to breach Windows servers
August 12, 2021
https://www.bleepingcomputer.com/ne...ses-printnightmare-to-breach-windows-servers/

Ransomware operators have added PrintNightmare exploits to their arsenal and are targeting Windows servers to deploy Magniber ransomware payloads.
Ransomware now using PrintNightmare exploits
And, as Crowdstrike researchers discovered last month, the Magniber ransomware gang is now using PrintNightmare exploits for these exact purposes in attacks against South Korean victims.

"On July 13, CrowdStrike successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability, protecting customers before any encryption takes place," said Liviu Arsene, Crowdstrike's Director of Threat Research and Reporting.
After compromising servers unpatched against PrintNightmare, Magniber drops an obfuscated DLL loader, which gets first injected into a process and later unpacked to perform local file traversal and encrypt files on the compromised device.
Click to expand...

More threat groups expected to add PrintNightmare to their arsenals
Even though we only have evidence that only the Magniber gang is using PrintNightmware exploits in the wild, other attackers will likely join in, given that multiple proof-of-concept exploits have been released since the vulnerability was reported.

"CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors," Arsene concluded.
Click to expand...

guest · Aug 12, 2021

Vice Society Leverages PrintNightmare In Ransomware Attacks
August 12, 2021
https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html

Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society.

Talos Incident Response's research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward.
Click to expand...

Vice Society is a relatively new player in the ransomware space. They emerged in mid-2021 and have been observed launching big-game hunting and double-extortion attacks, primarily targeting small or midsize victims.

As with other threat actors operating in the big-game hunting space, Vice Society operates a data leak site, which they use to publish data exfiltrated from victims who do not choose to pay their extortion demands. Below is an example screenshot of this site.
Click to expand...

guest · Aug 13, 2021

Windows 10 PrintNightmare has been handled irresponsibly by Microsoft, says security expert
August 13, 2021
https://www.windowscentral.com/windows-10-printnightmare-handled-irresponsibly-microsoft

Microsoft has had to battle a set of PrintNightmare vulnerabilities for months. If exploited, people can run programs with SYSTEM privileges, causing security issues.

While Microsoft has issued patches and shared fixes, problems persist. I spoke with Benjamin Delpy, head of Research & Development Security Center at Banque de France, about the PrintNightmare vulnerabilities. Delpy has been on the forefront of discovering PrintNightmare vulnerabilities since they emerged and is often cited as the discoverer of issues related to Windows Print Spooler.
Click to expand...

Before we dive into the ins and outs of PrintNightmare vulnerabilities, it's worth explaining what they are. There isn't a single PrintNightmare vulnerability. Instead, it's a "generic category of flaws in the Printing Spooler," Delpy says. "Basically, we use the term PrintNightmare now to describe vulnerability in the Windows Printing Spooler involving the installation of a driver and/or a printer."

Delpy explains that while Microsoft has worked to address the issue, that its efforts don't eliminate the source of vulnerabilities [...]
Click to expand...

Sampei Nihira · Aug 16, 2021

Service stopped and disabled.

lucd · Sep 10, 2021

as an alternative to disabling the service open with registry editor (txt file saved with reg extension):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers]
"RegisterSpoolerRemoteRpcEndPoint"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"NoWarningNoElevationOnInstall "=dword:00000000
"UpdatePromptSettings"=dword:00000000
"RestrictDriverInstallationToAdministrators"=dword:00000001
"RegisterSpoolerRemoteRpcEndPoint"=dword:00000002

EASTER · Sep 10, 2021

Sampei Nihira said: ↑

Service stopped and disabled.
Click to expand...

Same. I just shut the thing down until they learn to build a secure one. If there is even such a thing possible.

wat0114 · Sep 10, 2021

Is there anything to worry about if you don't allow malicious printer drivers to run in the first place?

guest · Sep 15, 2021

Microsoft fixes remaining Windows PrintNightmare vulnerabilities
September 14, 2021
https://www.bleepingcomputer.com/ne...ining-windows-printnightmare-vulnerabilities/

Microsoft has released a security update to fix the last remaining PrintNightmare zero-day vulnerabilities that allowed attackers to gain administrative privileges on Windows devices quickly.
New security update fixes PrintNightmare bug
In today's September 2021 Patch Tuesday security updates, Microsoft has released a new security update for CVE-2021-36958 that fixes the remaining PrintNightmare vulnerability.

Delpy, who tested his exploit against the new security update, confirmed to BleepingComputer that the bug is now fixed.

#printnightmare patch tuesday looks like promising pic.twitter.com/OjwCL79Io9
— Benjamin Delpy (@gentilkiwi) September 14, 2021
Click to expand...

lucd · Sep 16, 2021

wonderful but this update won't install on like 99% on pcs no matter what,
installing the cab from DISM command sometimes works

guest · Sep 18, 2021

Microsoft's PrintNightmare patch breaks printing for some... again
September 18, 2021
https://www.neowin.net/news/microsofts-printnightmare-patch-breaks-printing-for-some-again/

It appears that this has happened once again, as confirmed by Microsoft in a new advisory.

A recent Microsoft advisory spotted by WinFuture (via MSPoweruser) notes that August's Patch Tuesday update containing KB5005033 is where the issue originates from. Systems with this update or later installed may have issues with printing, which include:

After installing KB5005033 or a later update, certain printers in some environments using Point and Print might receive a prompt saying, "Do you trust this printer" and requiring administrator credentials to install every time an app attempts to print to a print server or a print client connects to a print server. This is caused by a print driver on the print client and the print server using the same filename, but the server has a newer version of the file. When the print client connects to the print server, it finds a newer driver file and is prompted to update the drivers on the print client, but the file in the package it is offered for installation does not include the later file version.
Click to expand...

Given that administrative credentials are required each time during printing, this effectively breaks the corporate printing process as you can't expect an employee to get direct access to these credentials.

The resolution suggested by Microsoft is to ensure that the latest drivers are installed and that this version is the same both on client- and server-side.
You can view more details about the issue in the FAQs here, but one thing is certain: The (Print)nightmare continues.
Click to expand...

EASTER · Sep 18, 2021

They need to stop the lame integrating/INCLUDING and LAZY fix routine and simply release A single fix for ALL Micro O/S units.

Or better yet. do some real tooth & nails WORK and recode the entire printing feature and THEN release that. They have consistently created features where infiltrator's skills has surpassed their own. An unfortunate distinction that is come home to roost on their O/S and worse yet their customers/users who rely on it.

lucd · Sep 21, 2021

In the meantime : https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::PointAndPrint_Restrictions_Win7

lucd · Apr 21, 2022

lucd said: ↑

wonderful but this update won't install on like 99% on pcs no matter what,
installing the cab from DISM command sometimes works
Click to expand...

I am wrong, I disabled WMI, never disable WMI for updates,

Log in or Sign up

PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

wat0114 Registered Member

guest Guest

EASTER Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Sampei Nihira Registered Member

lucd Registered Member

EASTER Registered Member

wat0114 Registered Member

guest Guest

lucd Registered Member

guest Guest

EASTER Registered Member

lucd Registered Member

lucd Registered Member

Log in or Sign up

PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

wat0114 Registered Member

guest Guest

EASTER Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Sampei Nihira Registered Member

lucd Registered Member

EASTER Registered Member

wat0114 Registered Member

guest Guest

lucd Registered Member

guest Guest

EASTER Registered Member

lucd Registered Member

lucd Registered Member

Useful Searches