The Dataprise Blog

PrintNightmare Analysis: Dataprise Defense Digest

Jul 01, 2021 BY DATAPRISE

UPDATE (JULY 7, 2021)

Microsoft released an out-of-band emergency patch (KB5004945) for the PrintNightmare vulnerability (CVE-2021-34527); however, researchers were able to achieve Remote Code Execution (RCE) and privilege escalation with the patch installed. Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, discovered that Microsoft patched only the RCE part of the vulnerability, leaving the privilege escalation vulnerability intact. Additional testing by other researchers revealed that the entire patch could be bypassed, so PrintNightmare remains exploitable on patched systems.

To bypass the PrintNightmare patch and achieve RCE and LPE, a Windows policy called 'Point and Print Restrictions' must be enabled, and the "When installing drivers for a new connection" setting configured as "Do not show warning on elevation prompt."

This policy is located under Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions. When enabled, the 'NoWarningNoElevationOnInstall' value is set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.
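The following PowerShell script is an added example (it is not part of the Dataprise post) that audits the registry key the post names, so a defender can tell which hosts sit in the configuration the patch bypass depends on. The function name and the output shape are our own; the UpdatePromptSettings value is a related setting from Microsoft's Point and Print guidance rather than something the post mentions. Run it in an elevated PowerShell session.

```powershell
# Added example, not code from the Dataprise post.
# Audits the Point and Print policy state described above. A missing key means
# the policy is "Not Configured", which does not expose the host to the bypass.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintExposure {
    # Hypothetical helper name; returns one object describing the policy state.
    $result = [ordered]@{
        Computer                      = $env:COMPUTERNAME
        KeyPresent                    = Test-Path $PointAndPrintKey
        NoWarningNoElevationOnInstall = $null
        UpdatePromptSettings          = $null   # related value from Microsoft's guidance, not from the post
        Exposed                       = $false
    }

    if ($result.KeyPresent) {
        $props = Get-ItemProperty -Path $PointAndPrintKey
        $result.NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall
        $result.UpdatePromptSettings          = $props.UpdatePromptSettings

        # Per the post: a value of 1 here suppresses the elevation warning and
        # is the precondition for the July 7 patch bypass.
        if ($result.NoWarningNoElevationOnInstall -eq 1) {
            $result.Exposed = $true
        }
    }

    [PSCustomObject]$result
}

$state = Get-PointAndPrintExposure
$state | Format-List

if ($state.Exposed) {
    Write-Warning "Point and Print elevation warnings are suppressed on $($state.Computer); this host remains exploitable even with KB5004945 installed."
}
```

Because the value is pushed by Group Policy, clearing it locally is only a temporary fix: the correct remediation is to change the policy (set the restriction back to warn and prompt for elevation, or leave it Not Configured) and let the next policy refresh overwrite the key.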

At this time the recommended mitigation for these vulnerabilities is to disable the Print Spooler service until a working patch is released.

Microsoft has issued the following statement: "We’re aware of claims and are investigating, but at this time we are not aware of any bypasses."


EXECUTIVE SUMMARY

A serious Remote Code Execution (RCE) vulnerability has been identified in the Print Spooler service in Windows operating systems. Successful exploitation of this vulnerability allows an authenticated attacker to execute code and gain SYSTEM privileges. The attack does require authentication; however, any valid domain user account (including unprivileged accounts) will succeed, which means an attacker only needs to compromise one account to exploit this vulnerability. Proof of Concept (POC) code is in the wild, and researchers have successfully compromised fully patched Windows systems. This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows, especially on Domain Controllers.


DETAILED ANALYSIS

Microsoft recently issued a patch for CVE-2021-1675, described as a "Windows Print Spooler Elevation of Privilege Vulnerability", during the June 8, 2021 Patch Tuesday. After seeing this patch published, security researchers at Sangfor, a Chinese security firm, released the technical details of what they believed to be the same vulnerability, including proof-of-concept code for the vulnerability they dubbed PrintNightmare. Unfortunately, the released information and POC were for a different, albeit similar, vulnerability in the Print Spooler service. The POC code was published to a GitHub repository and was quickly taken down once they realized the mistake, but not before the repo had been cloned by other researchers.

Microsoft’s patch for CVE-2021-1675 was intended to fix PrintNightmare; however, according to one of the researchers who discovered the PrintNightmare RCE, Yunhai Zhang, “CVE-2021-1675 is meant to fix PrintNightmare, but it seems that they just test with the test case in my report, which is more elegant and also more restricted. So, the patch is incomplete.”

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.

By sending an RpcAddPrinterDriverEx() RPC request, e.g. over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.

Microsoft has not yet publicly acknowledged this zero-day, but the security community believes it applies to all known versions of the Windows OS. Several different researchers have successfully exploited fully patched Windows Server 2019 servers to gain SYSTEM privileges. As of this writing there are no patches available, and the only mitigation is to disable the Print Spooler service. This may impact print services on the network but is the only way to prevent exploitation and potential compromise of the network. This is especially critical on domain controllers, where a successful compromise would result in complete takeover of your Active Directory domain.
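Since the exploit path runs through a driver installation handled by spoolsv.exe, the Print Spooler's own event logs are the natural place to look for it. The script below is an added example (not from the Dataprise post) that pulls the two event IDs public defender guidance associates with PrintNightmare activity: 316 in Microsoft-Windows-PrintService/Operational (a driver was added or updated) and 808 in Microsoft-Windows-PrintService/Admin (the spooler failed to load a plug-in module). The function name and the time window are our own assumptions; the Operational log is disabled by default, so the script notes how to enable it.

```powershell
# Added example, not code from the Dataprise post.
# Surfaces Print Spooler events that a driver installation through
# RpcAddPrinterDriverEx() leaves behind, for analyst review.
#
# The Operational log is off by default. Enable it (elevated) with:
#   wevtutil set-log Microsoft-Windows-PrintService/Operational /enabled:true

function Get-PrintDriverInstallEvents {
    # Hypothetical helper name. Returns one object per matching event.
    param([int]$Hours = 24)

    $since   = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since }
    )

    foreach ($filter in $filters) {
        try {
            Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
                [PSCustomObject]@{
                    Time    = $_.TimeCreated
                    Log     = $filter.LogName
                    Id      = $_.Id
                    # Collapse whitespace so the driver name and file list fit on one line.
                    Message = ($_.Message -replace '\s+', ' ')
                }
            }
        }
        catch {
            # Get-WinEvent throws both when nothing matches and when the log is
            # disabled; report which and keep going with the next log.
            Write-Verbose "No results for $($filter.LogName) Id $($filter.Id): $($_.Exception.Message)"
        }
    }
}

# Review 316 entries for driver names you did not deploy and DLL file names that
# do not belong to a known driver package; 808 entries show the spooler trying
# to load a module it could not use.
Get-PrintDriverInstallEvents -Hours 72 -Verbose |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

On a domain controller that should never receive new print drivers, any 316 event in the window is worth a look; on print servers, compare the driver name in the message against the drivers your packaging process actually installs.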


MITIGATION

This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.

We also recommend following Microsoft’s guidance for Domain Controllers with Print Spoolers.
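To apply the mitigation consistently across a fleet it helps to script it. The function below is an added example (not from the Dataprise post or from Microsoft) that stops and disables the Spooler service, reports whether the host is a domain controller (where the post says the mitigation matters most), and returns the final state so the result can be collected centrally. The function name and output fields are our own; it must run elevated and supports -WhatIf for a dry run.

```powershell
# Added example, not code from the Dataprise post.
# Stops and disables the Print Spooler service and reports the result.
function Disable-PrintSpooler {
    # Hypothetical helper name.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller,
    # 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -in @(4, 5)

    $svc = Get-Service -Name Spooler -ErrorAction Stop
    Write-Host ("Host: {0}  DomainController: {1}  Spooler: {2} ({3})" -f
        $env:COMPUTERNAME, $isDC, $svc.Status, $svc.StartType)

    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name Spooler -Force
        }
        # Disabled (not Manual) so nothing can start it back up on demand.
        Set-Service -Name Spooler -StartupType Disabled
    }

    # Re-read the service so the returned object reflects the applied state.
    $svc = Get-Service -Name Spooler
    [PSCustomObject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDC
        Status             = $svc.Status
        StartType          = $svc.StartType
        Mitigated          = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
}

Disable-PrintSpooler -WhatIf   # preview the change
# Disable-PrintSpooler         # apply it
```

Expect print jobs on the host to stop working while the service is disabled; for servers that must keep printing, the post's position is that there is no alternative mitigation, so the decision is between accepting that outage and accepting the exposure.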

CONTRIBUTING AUTHOR

  • Stephen Jones, Senior Director of Cybersecurity
