By: Dataprise
Microsoft released an out-of-band emergency patch (KB5004945) for the PrintNightmare vulnerability (CVE-2021-34527); however, researchers were able to achieve Remote Code Execution (RCE) and privilege escalation with the patch installed. Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst at CERT/CC, discovered that Microsoft had patched only the RCE part of the vulnerability, leaving the privilege escalation vulnerability intact. Additional testing by other researchers revealed that the entire patch could be bypassed, allowing PrintNightmare exploitation to continue.
To bypass the PrintNightmare patch and achieve RCE and LPE, the Windows policy "Point and Print Restrictions" must be enabled, with the "When installing drivers for a new connection" setting configured as "Do not show warning on elevation prompt."
This policy is located under Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions. When it is enabled with that setting, the NoWarningNoElevationOnInstall value is set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.
At this time the recommended mitigation for these vulnerabilities is to disable the Print Spooler service until a working patch is released.
Microsoft has issued the following statement: "We're aware of claims and are investigating, but at this time we are not aware of any bypasses."
A serious Remote Code Execution (RCE) vulnerability has been identified in the Print Spooler service in Windows operating systems. Successful exploitation of this vulnerability can allow an authenticated attacker to execute code and gain SYSTEM privileges. The attack does require authentication; however, any valid domain user account (including unprivileged accounts) will succeed, which means an attacker only needs to compromise one account to exploit this vulnerability. There is Proof of Concept (POC) code in the wild, and researchers have successfully compromised fully patched Windows systems. This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows, especially on Domain Controllers.
Microsoft recently issued a patch for CVE-2021-1675, described as a "Windows Print Spooler Elevation of Privilege Vulnerability," during the June 8, 2021 Patch Tuesday. After seeing this patch published, security researchers at Sangfor, a Chinese security firm, released the technical details of what they believed to be the same vulnerability, including proof-of-concept code for the vulnerability they dubbed PrintNightmare. Unfortunately, the released information and POC were for a different, albeit similar, vulnerability in the Print Spooler service. The POC code was published to a GitHub repository and was quickly taken down once the researchers realized the mistake, but not before the repo had been cloned by other researchers.
Microsoft's patch for CVE-2021-1675 was intended to fix PrintNightmare; however, according to Yunhai Zhang, one of the researchers who discovered the PrintNightmare RCE, "CVE-2021-1675 is meant to fix PrintNightmare, but it seems that they just test with the test case in my report, which is more elegant and also more restricted. So, the patch is incomplete."
The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.
By sending an RpcAddPrinterDriverEx() RPC request, e.g. over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Microsoft has not yet publicly acknowledged this zero-day, but the security community believes it applies to all known versions of the Windows OS. Several different researchers have successfully exploited fully patched Windows Server 2019 servers to gain SYSTEM privileges. As of this writing there are no patches available, and the only mitigation is to disable the Print Spooler service. This may impact print services on the network, but it is the only way to prevent exploitation and potential compromise of the network. This is especially critical on domain controllers, where a successful compromise would result in complete takeover of your Active Directory domain.
This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.
We also recommend following Microsoft’s guidance for Domain Controllers with Print Spoolers.
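The following PowerShell script is an added example, not part of the original post or Dataprise's tooling. It audits a host for the two conditions discussed above (the NoWarningNoElevationOnInstall policy value and a running Print Spooler service, flagging domain controllers) and, with -Remediate, applies the recommended mitigation of stopping and disabling the service. It assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the original post): audit a Windows host for the
# PrintNightmare risk conditions described above and optionally apply the
# recommended mitigation. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    # Pass -Remediate to stop and disable the Print Spooler service.
    [switch]$Remediate
)

$pointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$findings = @()

# 1. Point and Print Restrictions: a value of 1 for NoWarningNoElevationOnInstall
#    is the configuration the patch bypass depends on.
$noWarn = (Get-ItemProperty -Path $pointAndPrintKey -Name 'NoWarningNoElevationOnInstall' `
              -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
if ($noWarn -eq 1) {
    $findings += 'NoWarningNoElevationOnInstall is 1: driver installs are elevated without a warning prompt.'
} elseif ($null -eq $noWarn) {
    Write-Verbose 'NoWarningNoElevationOnInstall is not set (policy not configured).'
}

# 2. Print Spooler service state. A running spooler on a domain controller is
#    the highest-risk case called out above (DomainRole 4/5 = backup/primary DC).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$isDC    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
if ($spooler -and $spooler.Status -eq 'Running') {
    $msg = 'Print Spooler is running'
    if ($isDC) { $msg += ' on a domain controller' }
    $findings += "$msg (StartType: $($spooler.StartType))."
}

if ($findings.Count -eq 0) {
    Write-Output 'No PrintNightmare risk conditions found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# 3. Mitigation recommended in the post: stop the service and keep it from
#    starting again until a working patch is applied.
if ($Remediate -and $spooler) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and set to Disabled.'
}
```

Run it without -Remediate first to see what it would change; on print servers, weigh the loss of printing against the risk before disabling the service.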