PrintNightmare

I think this explains why my computer was rebooted last night.

A research team found another vulnerability in the Windows Print Spooler. They were going to show it off at the Black Hat security conference this month, but the made a big oops and accidentally published the proof of concept exploit. Despite deleting it, the PoC’s loose in the wild now. Microsoft rushed out the KB5004945 emergency security update fix for Windows 7 and newer. You’ll find it on Windows 10 under Quality Updates as 2021-07 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems, or other names relating to the OS, I presume.

This is tracked as CVE-2021-34527. Allows server takeover via remote code execution with SYSTEM privileges. Can install programs, view/change/delete data and create new accounts with full user rights.

However, Bleeping Computer is reporting that the Microsoft update only fixes the remote code execution. The local privilege escalation component will still provide SYSTEM privileges if the Point and Print policy is enabled. That seems to be already active on Windows 7, 8, 8.1, Server 2008 and 2012. It would have to be activated on newer versions. If the P&P policy is enabled, the patch can be bypassed.

Everyone should read the “Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability” for the rest of the details. One of the recommendations is that if you have a server that isn’t used for printing, disable the Print Spooler service until a complete patch is released.

There’s also a recommendation to not install Microsoft’s patch and instead install something by oPatch because Microsoft’s patch changes a DLL that causes oPatch’s actual fix for the problem to stop working.

I’m having a little bit of difficulty understanding how this works. It seems to be triggered by adding a print driver, so does that mean something shows up on a network, sends out a “Hey, Windows, I’m a device that can print” identification? Or does it happen when Windows does its usual sweep of the network to find devices it can auto-install for us?

Regardless of which one it is, where does Windows get the driver from that has the malicious code? Does it try to download the driver from the device it finds?

At work, we’re disabling the WSD and IPP protocols to stop Windows from auto-installing print drivers. There’s about ten different kinds of problems that causes. We can install our own print drivers, thank you very much.

From what little I understand about it, it’s not actually a driver issue, it’s an issue with Windows’ Print Spooler service. There are some configurations that allow machines to find printers attached to your machine on the same network (and potentially the internet, if your network is connected to those) and the bug in Print Spooler ends up allowing arbitrary code execution with SYSTEM privileges if someone takes advantage of it.

Edit: Here’s a little github writeup about how one can use this to inject a malicious driver into the system that can then do other work: GitHub - afwu/PrintNightmare

Palo Alto pushed out a block for it yesterday morning. If you run their stuff good too make sure you have the latest updates.

Of course that’s only blocking at the Firewall level and this sounds very ‘locally’ exploitable if a device gets on your network.

Okay, so it’s an auto-discovery process within the print spooler?

This is kind of reminding me of when Browser Helper Objects were introduced. “Here’s this great new feature that will make things easier. Oh. Um. Looks like we better reign these back in.”

Maybe WordPerfect was doing it right for including printer drivers for their software without havening to rely on the underlying OS for printering support?