CERT has released a detailed advisory on yet another new vulnerability identified in the Microsoft Windows Print Spooler component.
“Microsoft Windows allows for users who lack administrative privileges to still be able to install printer drivers, which execute with SYSTEM privileges via the Print Spooler service. This ability is achieved through a capability called Point and Print,” reads the advisory from CERT.
Starting with the update MS16-087, Microsoft also began requiring that printers installable via Point and Print be signed, either by certificates or by WHQL release signatures, to prevent the installation of malicious print drivers that may lead to local privilege escalation to SYSTEM.
CERT also stated that an exploit for this vulnerability is publicly available and pointed to the Mimikatz creator, Benjamin Delpy:
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)
connect to \\https://t.co/6Pk2UnOXaG with
– user: .\gentilguest
– password: password
Open 'Kiwi Legit Printer – x64', then 'Kiwi Legit Printer – x64 (another one)' pic.twitter.com/zHX3aq9PpM
— 🥝 Benjamin Delpy (@gentilkiwi) July 17, 2021
While there is no feasible solution for this vulnerability, CERT recommends blocking outbound SMB traffic at the network boundary. It also provides a configuration change for the group policy “Package Point and Print – Approved servers”, which prevents the installation of printers from arbitrary servers. With the policy in place, non-administrative users can install printers via Point and Print only from a specific set of servers. The policy is reflected in the registry under:
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and
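To check whether a host actually has this policy applied, the following read-only PowerShell audit can be used. It is an added example, not code from the CERT advisory or from Microsoft; the function name and output fields are illustrative, and it assumes the approved-server names are stored as values in a subkey of the policy key, which it enumerates rather than names.

```powershell
# Added audit example (read-only). Function and field names are illustrative.
function Get-PackagePointAndPrintPolicy {
    [CmdletBinding()]
    param(
        # Policy key quoted in the article, addressed through the HKLM: drive
        [string]$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
    )

    $result = [ordered]@{
        Computer        = $env:COMPUTERNAME
        State           = 'NotConfigured'
        ApprovedServers = @()
        Finding         = ''
    }

    if (Test-Path -LiteralPath $PolicyKey) {
        $key  = Get-Item -LiteralPath $PolicyKey
        # GetValue returns the supplied default ($null) when the value is absent
        $flag = $key.GetValue('PackagePointAndPrintServerList', $null)
        if ($null -ne $flag) {
            $result.State = if ([int]$flag -eq 1) { 'Enabled' } else { 'Disabled' }
        }

        # Assumption: approved servers are stored as values in a subkey of the
        # policy key, so every subkey is enumerated instead of hard-coding one.
        $servers = foreach ($sub in Get-ChildItem -LiteralPath $PolicyKey -ErrorAction SilentlyContinue) {
            foreach ($name in $sub.GetValueNames()) { [string]$sub.GetValue($name) }
        }
        $result.ApprovedServers = @($servers | Where-Object { $_ } | Sort-Object -Unique)
    }

    $result.Finding = switch ($result.State) {
        'Enabled' {
            if ($result.ApprovedServers.Count -eq 0) { 'Restriction in effect; approved-server list is empty' }
            else { 'Restriction in effect; installs limited to the approved servers' }
        }
        default { 'Approved-servers restriction is not in effect on this host' }
    }

    [pscustomobject]$result
}

Get-PackagePointAndPrintPolicy | Format-List
```

The function only reads the registry, so it can be run from an unelevated session or pushed through existing remoting tooling to compare hosts against the intended server list.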
CyberWorkx news readers can check out the detailed advisory here.