Researcher bypasses Microsoft's latest patch for PrintNightmare exploit (MS issues clarification)

Humza

Posts: 883   +162
Staff member
A hot potato: Microsoft rushed to release a fix for the recently discovered 'PrintNightmare' vulnerability, pushing it as a mandatory security update for several Windows versions. Although the patch bolstered protection with the added requirement of admin credentials during installation of unsigned printer drivers on print servers, a security researcher and developer reverse engineered a Windows DLL to bypass Microsoft’s check for remote libraries and was able to exploit a fully patched server.

Update (9 July): With questions hanging around the effectiveness of Microsoft's latest out-of-band patch for PrintNightmare, the company has posted a clarified guidance on the issue following demonstrations of security researchers bypassing the fix.

Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.

Microsoft strongly advises users to update to the latest patch and make sure to review system registry settings by going through the following steps:

  • In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
  • After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
  • If the registry keys documented do not exist, no further action is required
  • If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
    - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    - UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

In related news, the PrintNightmare patch (KB5004945) has caused problems for Zebra printers, with the company releasing the following statement to The Verge:

We are aware of a printing issue caused by the July 6 Windows “KB5004945“ update affecting multiple brands of printers. Microsoft has investigated this issue and plans to release an update addressing the issue within the next 1–2 business days. An immediate way to address the issue is to uninstall the Windows “KB5004945“ update or uninstall the affected printer driver and reinstall using Administrative credentials. Long term, we encourage the use of the newer Windows update Microsoft is planning to release. Customers who need assistance regarding Zebra printers may contact our Technical Support Team.

PrintNightmare allows a remote attacker to take advantage of a flaw in the Windows Printer Spooler service and execute arbitrary commands with escalated privileges. Microsoft quickly addressed the critical vulnerability - found on all Windows versions - with an out-of-band security update.

However, it now looks like the exploit could be turning into an actual nightmare for Microsoft and IT admins following a demonstration of how the fix could be bypassed to leave a fully patched server vulnerable to PrintNightmare.

Benjamin Delpy, a security researcher and developer of the Mimikatz security tool, notes that Microsoft employs a "\\" check in the filename format to determine if a library is remote or not. However, it can be bypassed by using UNC, which allowed Delpy to run an exploit on a fully patched Windows Server 2019 with Point and Print service enabled.

Microsoft also notes in its advisory that using the 'Point and Print' technology "weakens the local security posture in such a way that exploitation will be possible." The combination of UNC bypass and the PoC (removed from GitHub but circulating on the web) potentially leaves room for attackers to cause widespread harm.

Speaking to The Register, Delpy described the issue as "weird from Microsoft," noting that he believed the company did not test the fix for real. It remains to be seen when (and if) Microsoft can permanently patch 'PrintNightmare,' which has already begun disrupting workflows for organizations globally.

Many universities, for example, have started disabling campus-wide printing, while other internet-connected institutions and businesses that don't use remote printing still need to ensure that appropriate group policy settings are in place since 'PrintNightmare' is under active exploitation.

Permalink to story.

 

Theinsanegamer

Posts: 2,661   +4,140
he believed the company did not test the fix for real

Well yeah, MS has no quality control team anymore. YOU, the consumer, are the quality control now. Welcome to windows under nadella.

Disabling the Windows Print Spooler service for internet-connected devices is still the safest way to protect against the critical vulnerability
Well technically, unplugging the machien from the wall is the safest way to ensure security, and is only slightly more distruptive then disabling printing altogether.
 

OortCloud

Posts: 640   +509
Copying my post from previous article...

For anybody less tech-savvy staring at this article and trying to work out how to disable the remote print spooler...

Right Click Start, select Run and type gpedit.msc. Then select Administrative Templates -> Printers and double click the 'Allow Print Spooler to Accept Remote Connections' and change it to 'Disabled'.

Note: If you are running Windows 10 home, the UI for gpedit (and secpol) are not installed by default. To install them, right click start menu and select PowerShell (Admin), then run the following to install these config apps...

Get-ChildItem @(
"C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package*.mum",
"C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package*.mum"
) | ForEach-Object { dism.exe /online /norestart /add-package:"$_" }
 

Watzupken

Posts: 315   +303
"Speaking to The Register, Delpy described the issue as "weird from Microsoft," noting that he believed the company did not test the fix for real. It remains to be seen when (and if) Microsoft can permanently patch 'PrintNightmare,' which has already begun disrupting workflows for organizations globally."

This just shows the MS is really just focusing on the look and feel of their OS, and really less about fixing bugs and such. Bugs will always exist, but to say that they have fixed a bug only to be corrected in a day just shows the lack of quality control there. This bug is not some hardware specific bug which may not surface in their internal testing, but rather one that plagues all the systems running Windows.
 

Markoni35

Posts: 1,234   +507
Since Nadella has became CEO the company, Windows is getting less and less secure. The biggest security hole being the new Edge browser based on Chromium. Google now controls and spies upon Windows users, in addition to all the Android devices, almost all the search queries, most of the web sites (showing Google ads), all the Gmail emails, and search/view habits of YouTube users.

I never expected they would conquer Microsoft too, but Nadella enabled it.