What you need to know
- A remote print server created by a researcher allows people to exploit the PrintNightmare vulnerability on Windows 10.
- If utilized, it allows people with limited privileges to effectively gain administrative privileges on a PC.
- An attacker could use the vulnerability to disable Windows Defender.
The Windows print spooler vulnerability continues to be exploited by researchers. Security researcher Benjampin Delpy found several ways to bypass and take advantage of the vulnerability known as PrintNightmare. Delpy recently shared a video showing that an exploit allows people to effectively gain administrative privileges on a PC.
Microsoft issued a critical security patch for the PrintNightmare vulnerability, but researchers have found ways around it. Delpy's workaround involves a print server that can install a print driver. This driver can then launch a Dynamic Link Library (DLL) file with SYSTEM privileges.
BleepingComputer installed the print driver in question and saw the same results as Delpy. Despite the test computer being a fully patched PC running the latest version of Windows 10, a user with standard privileges was able to disable Windows Defender and gain full SYSTEM privileges.
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)
connect to \\https://t.co/6Pk2UnOXaG with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)' pic.twitter.com/zHX3aq9PpMWant to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)
connect to \\https://t.co/6Pk2UnOXaG with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)' pic.twitter.com/zHX3aq9PpM— 🥝 Benjamin Delpy (@gentilkiwi) July 17, 2021July 17, 2021
Delpy's method lets anyone who installs the remote print driver gain administrative privileges on a PC. This access could be used in several ways, including creating new users, installing software, or deploying ransomware on a PC.
Delpy told BleepingComputer that he's trying to pressure Microsoft to release fixes for the vulnerability.
A CERT advisory from Will Dormann outlines multiple mitigations for the vulnerability:
- Stop and disable the Print Spooler service.
- Disable inbound remote printing through Group Policy.
- Block RPC and SMB ports at the firewall.
- Enable security prompts for Point and Print.
- Restrict printer driver installation ability to administrators.
The advisory breaks down each option in more technical detail. We also have a guide on how to mitigate the PrintNightmare vulnerability that we update as more information comes in.
