Windows PrintNightmare continues with malicious driver packages
Microsoft's PrintNightmare saga continues with another demonstration of how a threat actor can gain SYSTEM privileges by abusing malicious printer drivers.
Last month, security researchers accidentally disclosed a proof-of-concept exploit for the Windows PrintNightmare zero-day.
This vulnerability is tracked as CVE-2021-34527 and is a missing permission check in the Windows Print Spooler that allows malicious print drivers to be installed, achieving remote code execution or local privilege escalation on vulnerable systems.
Microsoft released an out-of-band KB5004945 security update that was supposed to fix the vulnerability, but security researchers quickly determined that the patch could be bypassed under certain conditions.
However, Microsoft stated that their patches worked as intended and, as the vulnerability was being actively exploited, advised all Windows users to install the update.
The print nightmare continues
Yesterday, security researcher and Mimikatz creator Benjamin Delpy said he found a way to abuse Windows' normal method of installing printer drivers to gain local SYSTEM privileges with malicious printer drivers.
This technique can be used even if admins applied Microsoft's recommended mitigations of restricting printer driver installation to admins and disabling Point and Print.
#printnightmare - Episode 3
You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?
- Benjamin Delpy (@gentilkiwi) July 15, 2021
While this new local privilege escalation technique is not the same as the one commonly referred to as PrintNightmare, Delpy told BleepingComputer that he considers similar printer driver installation bugs to be classified under the same name.
In a conversation with BleepingComputer, Delpy explained that even with mitigations applied, a threat actor could create a signed malicious print driver package and use it to gain SYSTEM privileges on other systems.
To do this, the threat actor would create a malicious print driver and sign it using a trusted Authenticode certificate, following these steps
However, some threat actors opt for the "Rolls Royce" method of signing drivers, which is to buy or steal an EV certificate and then submit the driver for Microsoft WHQL validation as a fake company.
Once they have a signed printer driver package, a threat actor can install the driver on any other networked device where they have administrative privileges.
Threat actors can then use this "pivot" device to gain SYSTEM privileges on other devices where they do not have elevated privileges simply by installing the malicious driver, as shown in the video below.
Delpy said that this technique could be used to help threat actors spread laterally in an already compromised network.
To block this attack, you can disable the Print Spooler or enable the Point and Print group policy to restrict the servers from which a device can download print drivers.
However, enabling Point and Print would allow PrintNightmare exploits to bypass the existing patch from Microsoft.
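The following PowerShell audit is an added example, not code from the article or from Delpy; it reports the Spooler service state and the Point and Print policy values that decide who may install printer drivers on a host. The registry paths and value names are assumed from Microsoft's Point and Print policy documentation, and the driver listing gives a baseline against which newly added drivers can be reviewed.

```powershell
# Added audit script (not from the article): report the Print Spooler state and
# the Point and Print policy values that govern printer driver installation.
# Registry paths and value names are assumed from Microsoft's policy documentation.
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PackagePnP    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy key or value has never been configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PrintSpoolerAudit {
    $findings = @()
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Spooler service is running; disable it on hosts that do not need to print.'
    }
    # Driver installation should require administrator rights (value 1).
    if ((Get-PolicyValue $PointAndPrint 'RestrictDriverInstallationToAdministrators') -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1: non-admins may install drivers.'
    }
    # Either of these set to 1 suppresses the elevation prompt when a driver is installed.
    foreach ($v in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ((Get-PolicyValue $PointAndPrint $v) -eq 1) {
            $findings += "$v is 1: Point and Print installs run without an elevation prompt."
        }
    }
    # Point and Print should be limited to an explicit list of trusted print servers.
    if ((Get-PolicyValue $PointAndPrint 'TrustedServers') -ne 1 -or
        [string]::IsNullOrWhiteSpace((Get-PolicyValue $PointAndPrint 'ServerList'))) {
        $findings += 'Point and Print is not restricted to an approved server list.'
    }
    if ((Get-PolicyValue $PackagePnP 'PackagePointAndPrintServerList') -ne 1) {
        $findings += 'Package Point and Print is not restricted to approved servers.'
    }
    return $findings
}

# Baseline the installed print drivers so later additions stand out during review.
Get-PrinterDriver | Select-Object Name, Manufacturer, DriverVersion, InfPath | Format-Table -AutoSize
$result = Get-PrintSpoolerAudit
if ($result.Count -eq 0) { 'No Point and Print weaknesses found.' } else { $result }
```

Run it in an elevated PowerShell session; unset policy values are reported as weaknesses because the defaults they fall back to permit driver installation.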
When asked how Microsoft could block this type of attack, Delpy stated that they tried to prevent it in the past by deprecating version 3 printer drivers. Ultimately, this caused problems, and Microsoft ended the v3 deprecation policy in June 2017.
Unfortunately, this technique will likely not be fixed, as Windows is designed to allow an administrator to install a printer driver, even one that may unknowingly be malicious. Furthermore, Windows is designed to allow non-admin users to install signed drivers on their devices for ease of use.
Instead, security software will likely be the primary defense against attacks like this, by detecting the malicious driver or its behavior.
BleepingComputer has contacted Microsoft regarding the issue but has not heard back.