Another Print Spooler Vulnerability Becomes The Latest Windows 10 Security Nuisance
After the PrintNightmare vulnerability was found, the Windows Print Spooler and printer drivers were under the microscope. Now, yet another Print Spooler vulnerability has been discovered, allowing for code execution with SYSTEM privileges.
First disclosed yesterday, the new print spooler vulnerability was uncovered by researchers at Carnegie Mellon University. It stems from Windows allowing non-admin users to install printer drivers through a feature called “Point and Print.” However, Microsoft “requires that printers installable via Point are either signed by a WHQL release signature or are signed by a certificate that is explicitly trusted by the target system.”
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
— 🥝 Benjamin Delpy (@gentilkiwi) July 17, 2021
(POC only, will write a log file to system32)
connect to \\https://t.co/6Pk2UnOXaG with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)' pic.twitter.com/zHX3aq9PpM
The problem arises from Windows printer drivers, which can designate queue-specific files associated with the use of the printer. These do not have any signature requirements and can be copied to a system through the Point and Print driver installation, which can then be used with SYSTEM privileges. What is concerning about this is that there is no “practical solution to this problem,” and an exploit is available online on Twitter, as shown above.
At present, the researchers suggest disabling outbound SMB traffic at the edge of your networks to prevent malicious SMB printers outside of your network. Furthermore, administrators can configure the “Package Point and Print - Approved servers” Group Policy that “can restrict which servers can be used by non-administrative users to install printers via Point and Print.” However, without an actual fix or mitigation, hopefully, Microsoft will push a patch shortly to fix this and other issues properly, as these vulnerabilities just keep printing out.
