On June 9th, 2021, a zero-day remote code execution vulnerability, CVE-2021-34527, was found in the Microsoft Windows Print Spooler service. It’s widely referred to as PrintNightmare. An emergency patch was quickly pushed out. Despite Microsoft’s efforts, the patch failed to fully remediate the issues causing this vulnerability, and attackers continue to exploit this particular CVE with hacking tools like Mimikatz and Metasploit.
You can get a hands-on technical look at PrintNightmare in the free RangeForce Community Edition. We just added a module for this new vulnerability where you learn methods for detecting indicators of compromise (IoCs) relating to PrintNightmare, as well as mitigation and remediation tactics. As an added bonus, the module includes a hands-on exercise where you experience exploiting the vulnerability safely in our cloud-based cyber range.
Read on for a quick summary of the vulnerability below.
PrintNightmare – How It Works
The Print Spooler service default configuration is set to be always running, which also enables a printer driver installation feature known as Point and Print. This feature is where the main issue resides. If a machine is missing a print driver, the user will be prompted with an alert. The machine will then automatically go to the print server and install a driver onto the local machine in order to use the printer.
The Print Spooler service fails to restrict the permissions of who can add additional printers and their drivers to the network. This leads to two main threat vectors:
Remote code execution - Enables low-privileged users to remotely execute arbitrary code on any vulnerable system. Attackers are able to conceal malware packages in seemingly legitimate print drivers where Windows has provided a hall pass to plant the malicious files on the victim’s machines.
Local privilege escalation - Enables attackers who have already compromised a low-privilege account, such as a domain user, to escalate these privileges to SYSTEM level, which is the highest level privileges on a Windows machine!
All clients running Windows 2000 and later hold the ability to enable a connection to a remote printer, without the need for disks or any type of installation media. Necessary installation packages are installed automatically, without the consent of the user.
The Point and Print technology specifies two methods for what is being sent to the client machine from the print server. It can either have access to a printer driver and every print queue that uses this driver, or just 1 individual print queue. Technically, it is not exactly the Point and Print service that is being exploited, but the underlying API calls created to support this process.
Microsoft has released updated versions of their patches and guidance as of July 13th. That said, if Microsoft's instructions are not carefully followed, hosts may still be left exposed to exploitation.
Two workarounds can be implemented if updates can not be installed:
Option 1 — Disable the Print Spooler service
Option 2 — Disable inbound remote printing through Group Policy
Neither of these options is particularly favorable as they will severely limit printing capabilities.
The PrintNightmare vulnerability poses a threat to organizations across the globe, and it’s important for teams to be aware of how it works. Learn more about addressing this threat in the RangeForce Community Edition.
Try the new CVE module, over 20 other hands-on cyber skills development modules, and regular cyber range challenges for free when you become a member.
Join the RangeForce Community Edition to train in an on-demand cyber range.
Meet RangeForce at RSA and Infosecurity Conferences