Follow the nightmare in the Windows print queue
The security researcher Benjamin Delpy is closely investigating how this vulnerability works. This researcher has been the one who has shown that the first patches to mitigate it were useless, and he has also been the one who has discovered that the flaw, despite the new Windows security patches, is still open in the operating system. And this new problem has already been registered as CVE-2021-34481.
This time, what he has shown is that, when installing the printer, the manufacturer can specify the types of files that it can allow in the print queue. This list of files is downloaded to each client that connects to the print server so that Windows can read it correctly. Through this vulnerability, it is possible to create a fake print server with a number of specific DLL files. And, when a client connects to this fake server, these DLLs will be loaded into the system, allowing them to get SYSTEM permissions or execute remote code on the PC.
It is true that Windows requires a valid digital signature to be able to install drivers on the system, but once the driver has been installed, it no longer asks for this validation when copying other files to the system.
Want to test #printnightmare (ep 4.x) user-to-system as a service? 🥝
(POC only, will write a log file to system32)
connect to \ https: //t.co/6Pk2UnOXaG with
– user:. Gentilguest
– password: password
Open ‘Kiwi Legit Printer – x64’, then ‘Kiwi Legit Printer – x64 (another one)’ pic.twitter.com/zHX3aq9PpM
– 🥝 Benjamin Delpy (@gentilkiwi) July 17, 2021
How to mitigate this new PrintNightmare
At the moment, Microsoft has not made any statements about this new security problem or whether it will fix it soon, or we will have to wait for next month’s patches to receive the fix. Luckily, this security researcher has explained two different ways to mitigate these problems.
The first one is block outgoing SMB traffic. However, this technique to mitigate the flaw does it “halfway”, as hackers could also use MS-WPRN to install drivers without using SMB, as well as allowing hackers to use local print servers to exploit of the vulnerability, so it is not a 100% valid method.
The second option is configure a series of trusted print servers Through the policy of use “Package Point and Print – Approved servers”. This policy ensures that non-administrator users cannot install any type of print server if they are not on the trusted list.
This second method is the one that offers the best protection, for now, against this new vulnerability similar to PrintNightmare. At least until Microsoft releases a new patch to protect users, and it really works.