Windows PrintNightmare Vulnerability: Attack Methods, Patches, and How to Avoid It

Microsoft has begun releasing an emergency security update for a remote code execution vulnerability in the Windows printing feature that could allow an attacker to take complete control of a vulnerable system.

Called PrintNightmare (CVE-2021-34527), the vulnerability resides in the Windows Print Spooler service, and publicly available exploit code for it is being actively refined. Businesses are encouraged to apply the patch as soon as possible, or to turn off inbound remote printing until a patch is available.


Confusion between two vulnerabilities led to the new flaw being disclosed publicly first

Microsoft’s June monthly update included a patch for another Windows Print Spooler service vulnerability, tracked as CVE-2021-1675, which was initially described as a local privilege escalation (LPE) issue. The vulnerability was discovered by Zhipeng Huo of Tencent Security, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS.

On June 29, two other security researchers, Zhiniang Peng and Xuefeng Li of Sangfor, published an analysis of CVE-2021-1675 showing that exploiting the vulnerability could achieve remote code execution (RCE), not just privilege escalation.

The researchers published their findings as part of a larger security analysis of Windows printing functionality, saying they had discovered the vulnerability themselves before reporting it to Microsoft. The two plan to present their findings, together with additional vulnerabilities, in the upcoming Black Hat USA talk ‘Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer’.

What the Sangfor researchers did not know when they published their CVE-2021-1675 RCE analysis under the name PrintNightmare was that they had actually described a very similar but ultimately different vulnerability, one that Microsoft’s June patch does not protect against.

Microsoft reviewed the reports, reclassified CVE-2021-1675 as an RCE vulnerability rather than an LPE, and published a security advisory for the new PrintNightmare vulnerability, assigned the ID CVE-2021-34527.


PrintNightmare Exploit and Attack Vectors

Zhiniang Peng and Xuefeng Li recognized the problem and took down their proof-of-concept exploit, but it was already too late: other researchers had begun analyzing and extending it. This has led to at least three proof-of-concept exploits for the vulnerability, some with additional attack vectors.

The first exploits used the Print System Remote Protocol (MS-RPRN). As a result, they were limited to Windows servers configured as domain controllers, or to Windows 10 devices with non-default settings such as User Account Control (UAC) disabled or NoWarningNoElevationOnInstall enabled.

Another researcher, known online as cube0x0, later found a way to exploit the flaw via the Print System Asynchronous Remote Protocol (MS-PAR). According to Mimikatz developer Benjamin Delpy, this approach makes the PrintNightmare exploit work on more Windows devices with default configurations, not just domain controllers. Delpy implemented this functionality in Mimikatz, an open source tool popular with both penetration testers and malicious attackers.

With so much information and so many exploit methods publicly available, security researchers point out that it is only a matter of time before these exploits are used widely, if they are not already. Microsoft’s security advisory warns that all Windows editions are affected and that the company has detected exploitation of the vulnerability.


PrintNightmare Patches and How to Avoid It

Microsoft released an emergency patch on Tuesday for many of the affected Windows versions, although Windows 10 1607, Windows Server 2012 and Windows Server 2016 were missing. Researchers at 0patch.com, who develop micropatches that are applied directly to running processes in memory, have distributed a free micropatch that also covers the missing Windows versions and protects against all attack vectors known to date.

According to a security advisory from the CERT Coordination Center, the updates provided by Microsoft only address the remote code execution aspect of the flaw, not the LPE. For that reason CERT/CC analysts recommend applying the following manual workarounds suggested by Microsoft.

– Solution 1. Disable the Print Spooler service
If your organization can afford to disable the Print Spooler service, use the following PowerShell commands:

  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled

Disabling the Print Spooler service disables both local and remote printing.

– Solution 2. Disable Inbound Remote Printing via Group Policy
You can disable inbound remote printing through Group Policy as follows:

  • Computer Configuration / Administrative Templates / Printers
  • Disable the ‘Allow Print Spooler to accept client connections’ policy to block remote attacks
  • Restart the print spooler service for group policy to take effect

This policy blocks inbound remote printing operations, removing the remote attack vector. The system no longer functions as a print server, but local printing to a directly connected device is still available.
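The following PowerShell script is an added example, not part of the ITWorld article or of any Microsoft tooling. It audits a host for the conditions discussed above (whether the spooler is running, whether the machine is a domain controller, whether inbound client connections are already blocked, and whether the Point and Print values such as NoWarningNoElevationOnInstall weaken the host) and can then apply either workaround. The registry locations it reads and writes are assumed to be the policy backing keys for the Group Policy settings named in the article; UpdatePromptSettings is a second Point and Print value from Microsoft's advisory that is not mentioned on this page.

```powershell
# Added example: audit PrintNightmare exposure and apply one of the two workarounds.
# Assumes it runs elevated on Windows PowerShell 3+ / PowerShell 7.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockInbound')]
    [string]$Mode = 'Audit'
)

# Assumed policy-backing registry keys for the Group Policy settings discussed above.
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SpoolerExposure {
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole 4 or 5 = backup / primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $inbound = Get-RegValue -Path $PrintersPol -Name 'RegisterSpoolerRemoteRpcEndPoint'
    [pscustomobject]@{
        SpoolerStatus          = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType       = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        IsDomainController     = $role -in 4, 5
        # 2 = the "Allow Print Spooler to accept client connections" policy is Disabled.
        InboundPrintingBlocked = ($inbound -eq 2)
        # Non-zero values weaken the Point and Print prompts; they should be 0 or absent.
        NoWarningNoElevationOnInstall = Get-RegValue -Path $PointAndPrint -Name 'NoWarningNoElevationOnInstall'
        UpdatePromptSettings          = Get-RegValue -Path $PointAndPrint -Name 'UpdatePromptSettings'
    }
}

function Test-PointAndPrintHardened {
    param($Exposure)
    # True only when both values are absent or 0.
    ($Exposure.NoWarningNoElevationOnInstall -in $null, 0) -and
    ($Exposure.UpdatePromptSettings -in $null, 0)
}

$exposure = Get-SpoolerExposure
$exposure | Format-List

switch ($Mode) {
    'DisableSpooler' {
        # Workaround 1: stops all printing, local and remote.
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    }
    'BlockInbound' {
        # Workaround 2: equivalent to disabling "Allow Print Spooler to accept
        # client connections". Local printing keeps working; the host stops
        # acting as a print server. Restart the spooler so the change takes effect.
        if ($PSCmdlet.ShouldProcess($PrintersPol, 'Set RegisterSpoolerRemoteRpcEndPoint=2')) {
            New-Item -Path $PrintersPol -Force | Out-Null
            New-ItemProperty -Path $PrintersPol -Name 'RegisterSpoolerRemoteRpcEndPoint' `
                -PropertyType DWord -Value 2 -Force | Out-Null
            Restart-Service -Name Spooler -Force
        }
    }
    default {
        if (-not (Test-PointAndPrintHardened $exposure)) {
            Write-Warning 'Point and Print policy values are non-zero; the emergency patch does not fully protect this host.'
        }
        if ($exposure.SpoolerStatus -eq 'Running' -and -not $exposure.InboundPrintingBlocked) {
            Write-Warning 'Spooler is running and accepts remote client connections; apply a workaround or the patch.'
        }
    }
}
```

Run it with `-Mode Audit` first to see the current state, then `-Mode BlockInbound -WhatIf` to preview the change before applying it. On domain-joined machines, prefer setting the Group Policy described in the article rather than writing the registry directly, because a policy refresh will otherwise overwrite the local value.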

Source: ITWorld Korea by www.itworld.co.kr.
