Microsoft on Thursday shared fresh guidance on yet another vulnerability affecting the Windows Print Spooler service, stating that it is working to address it in an upcoming security update. The PrintNightmare saga continues with another example of how an attacker can gain SYSTEM privileges by abusing malicious printer drivers.
Last month, a security researcher mistakenly published a proof-of-concept exploit for the Windows PrintNightmare zero-day. The vulnerability, tracked as CVE-2021-34527, is a missing permission check in the Windows Print Spooler that lets a user install print drivers without the proper authorization, leading to remote code execution or local privilege escalation on vulnerable systems.
Microsoft released an out-of-band security update, KB5004945, that was supposed to fix the vulnerability, but researchers quickly found that the patch could be bypassed under certain conditions.
Microsoft maintained that its patch works as intended, and because the vulnerability was being actively exploited, all Windows users were advised to install the update immediately.
Does this Vulnerability Continue?
Security researcher and Mimikatz creator Benjamin Delpy said he has found a way to abuse Windows' normal method of installing printer drivers to gain local SYSTEM privileges through malicious printer drivers.
This technique works even if the administrator has applied Microsoft's recommended mitigations of restricting printer driver installation to administrators and disabling Point and Print.
While this new local privilege escalation method is not the same as the one commonly referred to as PrintNightmare, Delpy told our experts that he considers similar printer driver installation flaws to belong under the same name.
In discussion with our experts, Delpy explained that even with the mitigations applied, an attacker could create a signed malicious print driver package and use it to gain SYSTEM privileges on another system.
Moreover, some attackers also go for the "Rolls Royce" method of signing drivers: buying or stealing an EV certificate and then submitting the driver for Microsoft WHQL validation under a fake company.
Once they have a signed printer driver package, an attacker can install the driver on any networked device where they hold administrative privileges. They can then use that device as a pivot to devices where they do not have elevated privileges, simply by installing the malicious driver.
How to Prevent this Attack?
To defend against this attack, you can disable the Print Spooler or enable the Point and Print group policy to restrict the servers from which a device may download print drivers.
However, enabling Point and Print would allow the PrintNightmare exploit to bypass Microsoft's current patch.
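The two mitigations above are registry-backed policy settings plus a service state, so they can be audited and applied from PowerShell. The script below is an added example written for this article, not code from Microsoft or from the researcher quoted here. It assumes an elevated PowerShell session and uses placeholder print server names in $TrustedPrintServers; the policy value names are the documented Point and Print policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint.

```powershell
# Added example (not from the article): audit and harden the Print Spooler /
# Point and Print posture on one Windows host. Run from an elevated prompt.
#Requires -RunAsAdministrator

param(
    # Set to $true on hosts that never print (domain controllers, most servers):
    # removing the spooler removes the attack surface entirely.
    [bool]$DisableSpooler = $false,
    # Print servers users may fetch drivers from. Placeholder names (assumption).
    [string[]]$TrustedPrintServers = @('printsrv01.corp.example', 'printsrv02.corp.example')
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Hardened value for each policy setting. The "weak" value in the comment is
# the one that lets a non-admin pull and install a driver without a prompt,
# which is the configuration the article warns re-opens the patched hole.
$Hardened = @{
    RestrictDriverInstallationToAdministrators = 1  # weak: 0 (any user may add drivers)
    NoWarningNoElevationOnInstall              = 0  # weak: 1 (no warning, no elevation)
    UpdatePromptSettings                       = 0  # weak: 1 or 2 (silent driver updates)
    TrustedServers                             = 1  # weak: 0 (drivers from any server)
}

function Get-PointAndPrintPosture {
    # One row per setting: current value, hardened value, and whether they match.
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Hardened.Keys) {
        $value = if ($null -ne $current -and $null -ne $current.$name) { $current.$name } else { '<not set>' }
        [pscustomobject]@{
            Setting   = $name
            Current   = $value
            Hardened  = $Hardened[$name]
            Compliant = ($value -eq $Hardened[$name])
        }
    }
}

function Set-PointAndPrintHardening {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Hardened.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Hardened[$name] -Force | Out-Null
    }
    # Semicolon-separated allowlist consulted when TrustedServers = 1.
    New-ItemProperty -Path $PolicyKey -Name 'ServerList' -PropertyType String `
        -Value ($TrustedPrintServers -join ';') -Force | Out-Null
}

Write-Host 'Point and Print posture before:'
Get-PointAndPrintPosture | Format-Table -AutoSize

if ($DisableSpooler) {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host 'Print Spooler stopped and disabled.'
} else {
    Set-PointAndPrintHardening
    Write-Host 'Point and Print posture after:'
    Get-PointAndPrintPosture | Format-Table -AutoSize
}
```

On a domain-joined machine, Group Policy will overwrite these values at the next refresh, so the same settings belong in the GPO rather than only in the local registry. The caveat behind the sentence above is the NoWarningNoElevationOnInstall and UpdatePromptSettings values: Point and Print with those set to their weak values is the configuration under which the patched spooler can still be driven into installing an attacker-supplied driver, which is why the script leaves them at 0 even when trusted servers are configured.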
When asked how Microsoft could prevent this type of attack, the answer was that Microsoft had tried to prevent it in the past by deprecating version 3 drivers. Unfortunately, that led to problems, and Microsoft ended the V3 deprecation policy in June 2017.
Ultimately, this method will likely not be fixed, as Windows is designed to allow an administrator to install a printer driver, even one that is unknowingly malicious. Moreover, Windows is designed to let non-admin users install signed drivers on their devices for ease of use.
Instead, security software will likely be the primary protection against attacks like this, by detecting the malicious driver or its behavior.
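Since driver installation is by design, detection is the remaining control, and the spooler itself leaves a usable trail: Event ID 316 in the Microsoft-Windows-PrintService/Operational log records every printer driver that was added or updated, along with the files it loaded. The script below is an added example written for this article, not code from the researcher or from Microsoft. It assumes the operational log has been enabled, uses a placeholder allowlist of driver names, and runs offline against constructed sample messages, so the heuristic can be tried without a real log.

```powershell
# Added example (not from the article): triage printer-driver installations
# recorded by the spooler as Event ID 316. The log is off by default; enable it:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true

# Driver names this environment expects to see. Placeholder allowlist (assumption).
$KnownDrivers = @(
    'Microsoft XPS Document Writer v4',
    'Microsoft Print To PDF',
    'HP Universal Printing PCL 6'
)

# Directories the spooler legitimately loads driver binaries from.
$ExpectedDirs = @(
    '^[A-Z]:\\Windows\\System32\\DriverStore\\FileRepository\\',
    '^[A-Z]:\\Windows\\System32\\spool\\drivers\\'
)

function Test-DriverAddEvent {
    param([string]$Message)
    # Message shape: "Printer driver <name> for Windows <arch> Version-<n> was added
    # or updated. Files:- <path>, <path>, ... No user action is required."
    $pattern = '(?s)^Printer driver (?<name>.+?) for Windows (?<arch>\S+) Version-(?<ver>\d+).*?Files:-\s*(?<files>.+?)(?:\.\s+No user action|$)'
    if ($Message -notmatch $pattern) { return $null }
    $name  = $Matches['name']
    $files = $Matches['files'] -split ',\s*' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    $reasons = @()
    if ($name -notin $KnownDrivers) { $reasons += "unknown driver name '$name'" }
    foreach ($f in $files) {
        $ok = $false
        foreach ($d in $ExpectedDirs) { if ($f -imatch $d) { $ok = $true } }
        if (-not $ok) { $reasons += "file outside driver directories: $f" }
    }
    [pscustomobject]@{
        Driver     = $name
        Version    = [int]$Matches['ver']   # V3 drivers are the legacy kind the article mentions
        Files      = $files
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

# Live use on a host with the log enabled:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PrintService/Operational'; Id=316} |
#       ForEach-Object { Test-DriverAddEvent $_.Message } | Where-Object Suspicious

# Constructed sample messages (not real log output) to exercise the function offline.
$Samples = @(
    'Printer driver Microsoft Print To PDF for Windows x64 Version-4 was added or updated. Files:- C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_0000000000000000\prnms009.inf. No user action is required.',
    'Printer driver Generic Office Printer for Windows x64 Version-3 was added or updated. Files:- C:\Users\Public\Downloads\pkg\office.dll, C:\Windows\System32\spool\drivers\x64\3\office.dll. No user action is required.'
)
$Samples | ForEach-Object { Test-DriverAddEvent $_ } | Format-List
```

The first sample is a stock driver from the driver store and passes; the second is flagged twice, for a name outside the allowlist and for a file loaded from a user-writable path. A signed, WHQL-validated malicious driver of the kind described above would carry a valid signature, so signature checks alone are not a useful filter here; what stands out is a driver name nobody provisioned, appearing on a host where no printer was being set up, which is why an allowlist of expected driver names is the stronger half of this heuristic.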