Another Print Spooler Vulnerability Becomes The Latest Windows 10 Security Nuisance
First disclosed yesterday, the new print spooler vulnerability was uncovered by researchers at Carnegie Mellon University. It stems from Windows allowing non-admin users to install printer drivers through a feature called “Point and Print.” However, Microsoft “requires that printers installable via Point are either signed by a WHQL release signature or are signed by a certificate that is explicitly trusted by the target system.”
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)
connect to \\https://t.co/6Pk2UnOXaG with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)' pic.twitter.com/zHX3aq9PpM
— 🥝 Benjamin Delpy (@gentilkiwi) July 17, 2021
The problem arises from Windows printer drivers, which can designate queue-specific files associated with the use of the printer. These files have no signature requirements, can be copied to a system through the Point and Print driver installation, and can then be used with SYSTEM privileges. What is concerning about this is that there is no “practical solution to this problem,” and an exploit is available online on Twitter, as shown above.
At present, the researchers suggest disabling outbound SMB traffic at the edge of your networks to prevent connections to malicious SMB printers outside of your network. Furthermore, administrators can configure the “Package Point and Print - Approved servers” Group Policy that “can restrict which servers can be used by non-administrative users to install printers via Point and Print.” However, without an actual fix or mitigation, hopefully Microsoft will push a patch shortly to properly fix this and other issues, as these vulnerabilities just keep printing out.
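
To check whether the “Package Point and Print - Approved servers” policy mentioned above is actually in force on a machine, an administrator can read it back from the registry. The following PowerShell is an added example, not code from the researchers or Microsoft. It assumes the policy is stored under the `PackagePointAndPrint` policy key, with the `PackagePointAndPrintServerList` value and `ListofServers` subkey; the function name is hypothetical.

```powershell
# Added example: audit the "Package Point and Print - Approved servers" policy.
# Assumption: the Group Policy setting is stored under this registry key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-ApprovedPrintServerPolicy {
    param([string]$Key = $PolicyKey)

    $result = [ordered]@{
        PolicyKeyPresent = Test-Path -LiteralPath $Key
        Enabled          = $false
        ApprovedServers  = @()
    }
    if (-not $result.PolicyKeyPresent) { return [pscustomobject]$result }

    # PackagePointAndPrintServerList = 1 means the approved-servers list is enforced.
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    $result.Enabled = ($props.PackagePointAndPrintServerList -eq 1)

    # Each value under ListofServers holds one approved server name.
    $listKey = Join-Path $Key 'ListofServers'
    if (Test-Path -LiteralPath $listKey) {
        $k = Get-Item -LiteralPath $listKey
        $result.ApprovedServers = @(
            $k.GetValueNames() | ForEach-Object { $k.GetValue($_) } | Where-Object { $_ }
        )
    }
    [pscustomobject]$result
}

$policy = Get-ApprovedPrintServerPolicy
if (-not $policy.Enabled) {
    Write-Warning 'Approved-servers policy is not enabled; Point and Print servers are not restricted by it.'
} elseif ($policy.ApprovedServers.Count -eq 0) {
    Write-Warning 'Policy is enabled but the server list is empty; review the GPO.'
} else {
    Write-Output "Policy enabled. Approved servers: $($policy.ApprovedServers -join ', ')"
}
```

Run it on a representative workstation after the GPO has applied; the result reflects machine policy only and does not verify that outbound SMB is blocked at the network edge.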