Hackers Could Get Windows Admin Privileges Through a Remote Print Server
Exploitation of Windows Print Spooler Goes On with One More Discovery.
Researchers have continued their investigation on PrintNightmare by further looking for ways to exploit it. Benjamin Delpy has found a new way where anyone could get Windows system privileges if they install a remote print server.
The remote print server was created by researcher Delpy to illustrate that PrintNightmare could still be compromised.
How Does the Exploitation of the Remote Print Server Work?
PrintNightmare is a zero-day vulnerability, tagged as CVE-2021-34527, that was leaked online mistakenly via a POC (proof of concept). Microsoft provided security updates at that time, but researchers did not stop to look for ways to compromise the vulnerability in order to test it.
As Bleeping Computer shows, Benjamin Delpy, the creator of Mimikatz, has continued his work in developing crafted printer drivers and Windows API abusing methods to see if the vulnerability is gone or not.
Thus, what he did was to :
- On \\printnightmare[.]gentilkiwi[.]com he created a print server that can be accessed from the Internet;
- By accessing this, a print driver will be installed;
- Then a DLL with system privileges will be launched;
- If the initial file logged to C:\Windows\System32 folder would be writable only for users that have admin privileges, the new variant Delpy created will just launch a system command prompt;
- The goal? To demonstrate that anyone who installs this remote print driver will have admin privileges.
- What happens then? They can run commands, install whatever software they want, basically gaining full control.
- The created remote print server is dangerous especially because hackers could easily deploy ransomware in order to move laterally on a network.
How to Fight Against the Remote Print Server Vulnerability?
Benjamin Delpy has provided some ways to fight against this new threat. The methods are also described in Will Dormann’s advisory, a CERT/CC analyst.
The first recommended method is the well-known Windows Print Spooler disablement. Users need to run 2 commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
But this way, they could not have access to printing locally or remotely.
The second recommended method would be to block RPC and SMB traffic. This is a solution that puts existing features at risk, as they might not longer work, as Doorman explains.
Limited testing has shown that blocking both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.
The third recommended method would be to find the Print and Point functionality and just restrict it. Use the “Package Point and print – approved servers” group policy and make sure that you restrict the Print and Point. This way, users who do not have elevated rights would not be able to deploy print drivers via Point and Print. To do so, the approved list should contain the print server they want to install.
What Is the Point of Creating This Remote Print Server?
As Benjamin Delpy shared with Bleeping Computer, he has made these investigations in order to determine Microsoft to make a priority from finding a solution for this bug. He also mentioned that the IP address of the one who might exploit it could not be detected, but, he suspects, as per his research, that Russian IP addresses take advantage of print servers.