As we all know, the PrintNightmare bug has been a real nightmare for IT admins and security teams. When Microsoft released emergency out-of-band patches to fix the vulnerability in its Print Spooler component, it looked like party time for the entire technology world.
Guess what!!! The PrintNightmare patch can be bypassed (evil laugh).
Benjamin Delpy, creator of the famous tool "Mimikatz" and responsible for R&D at Banque de France, shared the reverse-engineered DLL with the third-party information security news site The Register and explained the problem with how Microsoft validates remote libraries in its patch for the PrintNightmare vulnerability.
"video quality: https://t.co/IsTLm0d6el" – Benjamin Delpy (@gentilkiwi), July 7, 2021
"To determine if the library is remote or not, Microsoft checks if the filename starts with \\, like in \\remoteserver\sharename\filename."
"But in fact, there is another filename convention that can be used for a remote file, like: \??\UNC\remoteserver\sharename\filename," Benjamin told The Register.
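To make the flaw in that check concrete, here is an added illustration (not Microsoft's code and not the actual patch logic): a naive "starts with \\" test beside a hardened classifier that first folds the Win32 extended-length (`\\?\`, `\\.\`) and NT object-manager (`\??\`) spellings into the classic form and then treats anything it cannot prove local as remote. The sample paths are constructed.

```python
import re

# Weak check, modelled on the one the article attributes to the patch:
# a path counts as remote only if it starts with "\\".
def is_remote_weak(path: str) -> bool:
    return path.startswith("\\\\")

# Prefixes selecting the Win32 extended-length or NT object-manager namespace.
# After one of these, "UNC\server\share\..." names the same remote file as
# "\\server\share\...", which is exactly what the weak check misses.
_NAMESPACE_PREFIXES = ("\\\\?\\", "\\\\.\\", "\\??\\")


def canonicalize(path: str) -> str:
    """Fold alternative spellings of a path into the classic Win32 form."""
    p = path.replace("/", "\\")
    for prefix in _NAMESPACE_PREFIXES:
        if p.lower().startswith(prefix):
            p = p[len(prefix):]
            if p.lower().startswith("unc\\"):
                p = "\\\\" + p[len("unc\\"):]
            break
    return p


def classify(path: str) -> str:
    """Return 'remote', 'local' or 'unknown'; a caller should deny 'unknown'."""
    p = canonicalize(path)
    if p.startswith("\\\\"):
        return "remote"
    if re.match(r"^[A-Za-z]:\\", p):
        return "local"
    return "unknown"


def is_remote_hardened(path: str) -> bool:
    # Allow-list stance: only a provably local drive path is treated as local.
    return classify(path) != "local"


if __name__ == "__main__":
    # Constructed sample paths, including the \??\UNC form from the article.
    samples = (
        r"\\srv\share\driver.dll",
        r"\??\UNC\srv\share\driver.dll",
        r"C:\Windows\System32\spool\drivers\x64\3\driver.dll",
    )
    for sample in samples:
        print(f"{sample}: weak={is_remote_weak(sample)} "
              f"hardened={is_remote_hardened(sample)}")
```

The second sample is the one the weak check lets through: it reports `weak=False` while the hardened classifier still reports it as remote.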
Recall that Microsoft initially classified this vulnerability as a local privilege escalation and only later confirmed that remote code execution is possible through it. At that time, many customers began complaining that the patch then available was not working, and CISA, along with various experts, recommended disabling the Print Spooler component as a temporary fix.
However, the patch released again on July 6th as an emergency update appears to be yet another incomplete fix: it can be bypassed, and all it takes is the \??\UNC\ path form to reach the same remote library.
At the end of the day, PrintNightmare has proven to be a problem for technology giants: despite multiple patches, the fix is still incomplete and not fully secure.
Turning off the Print Spooler component seems to be the only solution until Microsoft releases a complete patch, as many experts have suggested.