Public Windows PrintNightmare 0-day exploit allows domain takeover

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Forum Veteran
Aug 17, 2014
13,214
126,313
8,399
Content source
https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/
Technical details and a proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that allows remote code execution.

Despite the need for authentication, the severity of the issue is critical as threat actors can use it to take over a Windows domain server to easily deploy malware across a company’s network.

The issue affects Windows Print Spooler and because of the long list of bugs impacting this component over the years [1, 2, 3, 4], the researchers named it PrintNightmare.

Several researchers have tested the leaked PoC exploit on fully patched Windows Server 2019 systems and were able to execute code as SYSTEM.
Click to expand...
Leaking the details for this vulnerability happened by accident, out of a confusion with another issue, CVE-2021-1675, also impacting Print Spooler that Microsoft patched in this month’s rollout of security updates.

Initially, Microsoft classified CVE-2021-1675 as a high-severity, privilege escalation issue but a couple of weeks later changed the rating to critical and the impact to remote code execution, without providing any details.
Click to expand...
On June 28, Chinese security vendor QiAnXin announced that they found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution, and published a demo video.

Click to expand...

Seeing the exploit video and believing it's the same issue, another team of researchers from Chinese security company Sangfor, decided to release their technical writeup and a demo exploit, calling the bug PrintNightmare.

However, it turns out that PrintNightmare is not the same as CVE-2021-1675, which received a patch on June 8, but a zero-day vulnerability in Windows Print Spooler in need of a fix.
Click to expand...
Will Dormann, a vulnerability analyst for CERT/CC confirmed that a remote, authenticated attacker can run code with elevated rights on a machine with the Print Spooler service enabled.

Dormann also confirmed that Microsoft’s June security updates have no effect against the PrintNightmare zero-day vulnerability detailed by the researchers from Sangfor.
Click to expand...
www.bleepingcomputer.com

Public Windows PrintNightmare 0-day exploit allows domain takeover

Technical details and proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that allows remote code execution.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • +Reputation
  • Like
Reactions: JB007, Terry Ganzi, plat and 14 others

CISA: Disable Windows Print Spooler on servers not used for printing​

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification regarding the critical PrintNightmare zero-day vulnerability and advises admins to disable the Windows Print Spooler service on servers not used for printing.

"CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print," the US federal agency said.

"Additionally, administrators should employ the following best practice from Microsoft's how-to guides, published January 11, 2021."

According to Microsoft's recommendations, the Print Spooler service should be disabled on all Domain Controllers and Active Directory admin systems via a Group Policy Object because of the increased exposure to attacks.

Microsoft adds that the service should be disabled on all servers that don't require it to mitigate future attacks due to these heightened risks of the printing service being targeted since it's enabled by default on most Windows clients and server platforms.

Until Microsoft addresses the PrintNightmare zero-day, disabling the Print Spooler service is the simplest way to ensure that threat actors—and ransomware groups in particular—won't jump at the occasion to breach corporate networks.
Click to expand...
www.bleepingcomputer.com

CISA: Disable Windows Print Spooler on servers not used for printing

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification regarding the critical PrintNightmare zero-day vulnerability and advises admins to disable the Windows Print Spooler service on servers not used for printing.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • Thanks
  • +Reputation
Reactions: JB007, plat, Andy Ful and 7 others

Actively exploited PrintNightmare zero-day gets unofficial patch​

Free micropatches addressing the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service are now available through the 0patch platform. [...]

Even though no security updates are available to address the PrintNightmare security flaw at the moment, Microsoft has shared mitigation measures to block attackers from compromising vulnerable systems and is working on a fix.

This is where the 0patch micropatching service comes in, with free micropatches for Windows Server versions 2019, 2016, 2012 (updated with June 2021 Updates) and 2008 R2 (with January 2020 Updates installed and no Extended Security Updates).
Click to expand...
Click to expand...

www.bleepingcomputer.com

Actively exploited PrintNightmare zero-day gets unofficial patch

Free micropatches addressing the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service are now available through the 0patch platform.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: JB007, Nevi, plat and 6 others
PrintNightmare - which is being tracked under CVE-2021-34527 - has now been awarded a Common Vulnerability Scoring System (CVSS) base rating of 8.8. It is important to note that the CVSS v3.0 specification documentation defines this as a "high" severity vulnerability but it is dangerously close to the "critical" range which starts from 9.0.

The base score can be a maximum of 10.0. Similarly, it currently has a temporal score of 8.2. The temporal score measures the current exploitability of a vulnerability based on a number of factors.

It is important to note that a similar vulnerability was fixed in June's Patch Tuesday update, but it had a CVSS base score of 7.8.

The base score is 8.8 because Microsoft has identified that the attack vector is at a network-level, requires low attack complexity and privileges, does not involve user interaction, and can result in a "total loss" of confidentiality, integrity, and availability of an organizations resources. Meanwhile, the temporal score is 8.2 because functional exploit code is readily available on the internet and works across all versions of Windows, detailed reports about it exist, and some official remediation methods have been suggested.

Talking about mitigation techniques, we already know that Microsoft suggested disabling the Windows Print Spooler service or at least inbound remote printing through Group Policy. It has now also recommended that membership and nested group membership of some entities is checked. The company suggests that the number of members should be kept as low as possible, and should ideally be zero where possible. That said, it has cautioned that removing members from some of these groups may lead to compatibility issues. The groups in question are as follows:
  • Administrators
  • Domain Controllers
  • Read Only Domain Controllers
  • Enterprise Read Only Domain Controllers
  • Certificate Admins
  • Schema Admins
  • Enterprise Admins
  • Group Policy Admins
  • Power Users
  • System Operators
  • Print Operators
  • Backup Operators
  • RAS Servers
  • Pre-Windows 2000 Compatible Access
  • Network Configuration Operators Group Object
  • Cryptographic Operators Group Object
  • Local account and member of Administrators group
Microsoft has emphasized that a fix will be made available as soon as possible, but in the meantime, it has recommended that organizations make use of tooling like Microsoft Defender 365 to monitor potentially malicious activity. Although Print and Point is not directly related to this exploit, the Redmond tech giant has still suggested editing some registry values in order to harden your organization's local security infrastructure, and stated that print servers utilized by clients should be explicitly listed.
Click to expand...

www.neowin.net

Microsoft provides further mitigations for PrintNightmare exploit, awards it "high" severity

Microsoft has offered some further mitigations against the highly dangerous PrintNightmare exploit. The company has also given it a CVSS rating of 8.8/10, which almost awards it "critical" severity.
www.neowin.net www.neowin.net
 
  • Like
Reactions: JB007, Nevi, silversurfer and 6 others
It seems that PrintNightmare can be used locally on Windows 10 Home machines as UAC bypass to get system privileges (even with current Microsoft patches). This cannot be probably prevented by disabling inbound remote printing (via GPO).
I tried a POC made in PowerShell - it is prevented by PowerShell Constrained Language mode. For some reason, the POC did not work on my machine even without this restriction (AddPrinterDriverEx failed).

Edit.
On Home machines, the Point and Print technology will prevent the exploit to work silently. By default, the warning and elevation prompts are shown for printer installs and updates. In Enterprises the Point and Print can be disabled via GPO, so Administrators have to set it to Not configured or Enabled to mitigate the exploit. This will set the data 0 for values NoWarningNoElevationOnInstall and UpdatePromptSettings. When this policy is set to Disabled then data 1 is set for NoWarningNoElevationOnInstall and UpdatePromptSettings and the exploit can silently work.
 
Last edited:
  • Like
  • +Reputation
  • Wow
Reactions: JB007, Nevi, Venustus and 5 others
Andy Ful said:
It seems that PrintNightmare can be used locally on Windows 10 Home machines as UAC bypass to get system privileges (even with current Microsoft patches). This cannot be prevented by disabling inbound remote printing (via GPO).
I tried a POC made in PowerShell - it is prevented by PowerShell Constrained Language mode. For some reason, the POC did not work on my machine even without this restriction (AddPrinterDriverEx failed).
Click to expand...
Let's leave PowerShell Constrained Language mode aside.
Would the POC work under a restricted account?

When i try to run PowerShell, it gets blocked. CMD, on the other hand, can be opened. Guess that's because Hard_Configurator Enhanced profile?
 
  • Like
  • Applause
Reactions: JB007, Nevi, Venustus and 2 others
SecurityNightmares said:
Let's leave PowerShell Constrained Language mode aside.
Would the POC work under a restricted account?
Click to expand...

If you mean SUA then probably yes, because the Spooler service is already running. You would have to disable this service, then starting it would require Admin rights.

SecurityNightmares said:
When i try to run PowerShell, it gets blocked. CMD, on the other hand, can be opened. Guess that's because Hard_Configurator Enhanced profile?
Click to expand...
Yes. But, this exploit requires initial malware on Windows 10 Home machine. It could be hardly used on the machine with H_C settings.
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: JB007, mkoundo, Nevi and 6 others
Microsoft has released the KB5004945 emergency security update to address the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service impacting all Windows versions. However, the patch is incomplete and the vulnerability can still be locally exploited to gain SYSTEM privileges.

The remote code execution bug (tracked as CVE-2021-34527) allows attackers to take over affected servers via remote code execution (RCE) with SYSTEM privileges, as it will enable them to install programs, view, change, or delete data, and create new accounts with full user rights.

Detailed instructions on how to install these out-of-band security updates for your operating system, are available in the support documents linked below:

Security updates have not yet been released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft.

"Release notes associated with these updates might publish with a delay of up to an hour after the updates are available for download," Microsoft said.

"Updates for the remaining affected supported versions of Windows will be released in the coming days."
Click to expand...
The PrintNightmare vulnerability includes both a remote code execution (RCE) and a local privilege escalation (LPE) vector that can be used in attacks to run commands with SYSTEM privileges on a vulnerable system.

After Microsoft released the out-of-band update, security researcher Matthew Hickey verified that the patch only fixes the RCE and not the LPE component. This means that the fix is incomplete and threat actors and malware can still locally exploit the vulnerability to gain SYSTEM privileges.
Click to expand...
Microsoft urges customers to install these out-of-band security updates immediately to address the PrintNightmare vulnerability.

Those who cannot install these updates as soon as possible should check out the FAQ and Workaround sections in the CVE-2021-34527 security advisory for info on how to protect their systems from attacks exploiting this vulnerability.

The available mitigation options include disabling the Print Spooler service to remove printing capability locally and remotely or disabling inbound remote printing through Group Policy to remove remote attack vector by blocking inbound remote printing operations.

In the second case, Microsoft says that "the system will no longer function as a print server, but local printing to a directly attached device will still be possible."

CISA has also published a notification on the PrintNightmare zero-day last week encouraging admins to disable the Windows Print Spooler service on servers not used for printing.
Click to expand...
www.bleepingcomputer.com

Microsoft pushes emergency update for Windows PrintNightmare zero-day

Microsoft has released the KB5004945 emergency security update to fix the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service impacting all Windows versions. However, the patch is incomplete and the vulnerability can still be locally exploited to gain...
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • Thanks
  • +Reputation
Reactions: JB007, CyberTech, Andy Ful and 12 others
I think this is not so important for people using closed ports as all the incoming which are not originated from the user network is blocked by router firewall. Most will fall into the category of closed port systems and in case of open port systems the guy must be knowing what he is doing. From what I understand, to exploit this vulnerability, there should be an existing malware in the system to originate the traffic from the system to the attacker's system, so if your system is already compromised, then you should be worrying about the security software you are using and the manner you are using your system rather worrying about the print spooler exploit.
 
Last edited:
  • Like
Reactions: JB007, Gandalf_The_Grey, Venustus and 4 others
KB5004945 installed. Pretty slow update, but now the real pain waits with updating the VM.

Nervous Ted Striker GIF by filmeditor
 
  • HaHa
  • Like
Reactions: JB007, brambedkar59, The_King and 13 others

Microsoft's incomplete PrintNightmare patch fails to fix vulnerability​

Researchers have bypassed Microsoft's emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.

Last night, Microsoft released an out-of-band security update that was supposed to fix the PrintNightmare vulnerability that researchers disclosed by accident last month.

After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.

However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems for older Windows versions, and for newer versions if the Point and Print policy was enabled.
Click to expand...
www.bleepingcomputer.com

Microsoft's incomplete PrintNightmare patch fails to fix vulnerability

Researchers have bypassed Microsoft's emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Wow
  • Like
  • +Reputation
Reactions: JB007, upnorth, Nevi and 10 others
Last edited:
  • Like
  • Wow
  • +Reputation
Reactions: JB007, ForgottenSeer 85179, Venustus and 5 others
SeriousHoax said:
How serious is this for an average home user? I'm on Windows 11 Dev at the moment and can't found any info on whether Windows 11 Dev will also receive an update or not.
Click to expand...
Got it. It's fixed in the latest build released yesterday/today (depends on where you live).
We fixed a remote code execution exploit in the Windows Print Spooler service, known as “PrintNightmare”, as documented in CVE-2021-34527. For more information, see KB5004945.
Click to expand...
blogs.windows.com

Announcing Windows 11 Insider Preview Build 22000.65

Hello Windows Insiders, We are so excited to have so many of you running the first preview of Windows 11 and we’re busy looking at all your feedback that’s coming in. Today we are releasing an update (Build 22000.65) to everyone in the Dev Chann
blogs.windows.com blogs.windows.com
 
  • Like
Reactions: JB007, Venustus, show-Zi and 4 others
You must log in or register to reply here.

You may also like...