Jump to content
  • Public Windows PrintNightmare 0-day exploit allows domain takeover


    Karlston

    • 978 views
    • 4 minutes
     Share


    • 978 views
    • 4 minutes

    Public Windows PrintNightmare 0-day exploit allows domain takeover

     

    Technical details and a proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that allows remote code execution.

     

    Despite the need for authentication, the severity of the issue is critical as threat actors can use it to take over a Windows domain server to easily deploy malware across a company’s network.

     

    The issue affects Windows Print Spooler and because of the long list of bugs impacting this component over the years [1, 2, 3, 4], the researchers named it PrintNightmare.

     

    Several researchers have tested the leaked PoC exploit on fully patched Windows Server 2019 systems and were able to execute code as SYSTEM.

    An accidental leak

    Leaking the details for this vulnerability happened by accident, out of a confusion with another issue, CVE-2021-1675, also impacting Print Spooler that Microsoft patched in this month’s rollout of security updates.

     

    Initially, Microsoft classified CVE-2021-1675 as a high-severity, privilege escalation issue but a couple of weeks later changed the rating to critical and the impact to remote code execution, without providing any details.

     

    Credited for reporting CVE-2021-1675 are researchers from three cybersecurity companies (Tencent, AFINE, NSFOCUS) but multiple teams were analyzing Windows Print Spooler.

     

    On June 28, Chinese security vendor QiAnXin announced that they found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution, and published a demo video.

    QiAnXin exploit demo video
    source: QiAnXin

    Seeing the exploit video and believing it's the same issue, another team of researchers from Chinese security company Sangfor, decided to release their technical writeup and a demo exploit, calling the bug PrintNightmare.

     

    However, it turns out that PrintNightmare is not the same as CVE-2021-1675, which received a patch on June 8, but a zero-day vulnerability in Windows Print Spooler in need of a fix.

     

    Mitja Kolsek, CEO of Acros Security and co-founder of micropatching service 0Patch clears the confusion by pointing to the technical details that AFINE researchers released for CVE-2021-1675, which are different from what Sangfor researchers published yesterday.

    PrintNightmare different from CVE-2021-1675
    source: Mitja Kolsek

    Confusion aside, PrintNightmare is a serious flaw that needs to be treated accordingly.

     

    Since a patch is yet to come, administrators are strongly advised to stop and disable the spooler service, especially on domain controller systems.

     

    Matthew Hickey, co-founder of Hacker House, was able to obtain full SYSTEM privileges from a normal Domain User account on an up-to-date Windows Server 2019 machine vulnerable to PrintNightmare.

     

    Benjamin Delpy, the developer of mimikatz post-exploitation tool for penetration testing, achieved remote code execution with the highest privileges on a fully patched system, too.

     

    While his test was also on a Domain Controller, Delpy said that the same result is achieved “on all systems with RPC to spooler available, remote or local.”

     

    Delpy made a video showing that his test system, running the latest updates, did not stop the PrintNightmare exploit:

     

     

     

    Will Dormann, a vulnerability analyst for CERT/CC confirmed that a remote, authenticated attacker can run code with elevated rights on a machine with the Print Spooler service enabled.

     

    Dormann also confirmed that Microsoft’s June security updates have no effect against the PrintNightmare zero-day vulnerability detailed by the researchers from Sangfor.

    PrintNightmware is a zero-day in Windows Print Spooler
    source: Will Dormann

    The general advice at the moment is to stop and disable the service on Domain Controllers as soon as possible, as the need for authentication is far from a deterrent for an attacker.

     

    Threat actors, ransomware groups in particular, are likely to jump at the occasion to compromise company networks, since getting credentials for limited-privilege domain users is an easy task, security researcher Jonas Lykkegård told BleepingComputer.

     

    Credentials for regular users can be just as good for an attacker in environments vulnerable to privilege escalation, and there is a market for this type of data, sustained by info-stealing activities.

     

    On some underground forums, a valid login and password pair for a Windows Remote Desktop server can go for as low as $3 and as high as $70.

     

    One of the largest marketplaces for Windows Remote Desktop logins had a collection of 1.3 million credentials, showing that selling them is a lucrative business.

     

    Sangfor researchers (Zhiniang PengXueFeng Li, and Lewis Lee) will talk at Black Hat this year about how they found PrintNightmare and created an exploit for it in a presentation titled Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer.

     

     

    Public Windows PrintNightmare 0-day exploit allows domain takeover


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...