[BreachExchange] Public Windows PrintNightmare 0-day exploit allows domain takeover

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 1 11:40:20 EDT 2021


https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/

Technical details and a proof-of-concept (PoC) exploit have been
accidentally leaked for a currently unpatched vulnerability in Windows that
allows remote code execution.

Despite the need for authentication, the severity of the issue is critical
as threat actors can use it to take over a Windows domain server to easily
deploy malware across a company’s network.

The issue affects Windows Print Spooler and because of the long list of
bugs impacting this component over the years [1, 2, 3, 4], the researchers
named it PrintNightmare.

Several researchers have tested the leaked PoC exploit on fully patched
Windows Server 2019 systems and were able to execute code as SYSTEM.

An accidental leak

The details for this vulnerability were leaked by accident, because of
confusion with another issue, CVE-2021-1675, also impacting Print Spooler,
that Microsoft patched in this month’s rollout of security updates.

Initially, Microsoft classified CVE-2021-1675 as a high-severity, privilege
escalation issue but a couple of weeks later changed the rating to critical
and the impact to remote code execution, without providing any details.

Credited for reporting CVE-2021-1675 are researchers from three
cybersecurity companies (Tencent, AFINE, NSFOCUS) but multiple teams were
analyzing Windows Print Spooler.

On June 28, Chinese security vendor QiAnXin announced that they found a way
to exploit the vulnerability to achieve both local privilege escalation and
remote code execution, and published a demo video.

Seeing the exploit video and believing it was the same issue, another team
of researchers, from Chinese security company Sangfor, decided to release
their technical writeup and a demo exploit, calling the bug PrintNightmare.

However, it turns out that PrintNightmare is not the same as CVE-2021-1675,
which received a patch on June 8, but a zero-day vulnerability in Windows
Print Spooler in need of a fix.

Mitja Kolsek, CEO of Acros Security and co-founder of micropatching service
0Patch, clears up the confusion by pointing to the technical details that
AFINE researchers released for CVE-2021-1675, which are different from what
Sangfor researchers published yesterday.

Confusion aside, PrintNightmare is a serious flaw that needs to be treated
accordingly.

Since a patch is yet to come, administrators are strongly advised to stop
and disable the spooler service, especially on domain controller systems.

Security consulting company Lares published a repository with detection and
remediation information that includes a sample of the PrintNightmare attack
and a Sysmon configuration file for telemetry purposes.

Florian Roth of Nextron Systems created experimental Sigma rules for
detecting print spooler exploitation based on Sangfor researchers' exploit
code.

Lares also provides details on how to stop and disable the spooler service
either from the Group Policy settings or by using a PowerShell script.
CERT/CC has also released instructions on how to stop and disable the Print
Spooler service.
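As an added illustration of the mitigation described above (this is not the
Lares or CERT/CC script, and the function name is my own), the following
PowerShell stops and disables the Print Spooler service, reports whether the
host is a domain controller, and verifies the result. Run it elevated; the
domain controller check relies on Win32_OperatingSystem.ProductType, where 2
means domain controller.

```powershell
function Disable-PrintSpooler {
    # Hypothetical helper name. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDc = ($os.ProductType -eq 2)

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "Spooler service not present on $env:COMPUTERNAME"
        return
    }

    # Record the state before changing anything, which is useful for rollback.
    Write-Output ("{0}: DomainController={1} Spooler Status={2} StartType={3}" -f
        $env:COMPUTERNAME, $isDc, $svc.Status, $svc.StartType)

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Stop and disable Spooler")) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name Spooler -Force
        }
        # Disabled (not Manual) so an RPC client cannot trigger a demand start.
        Set-Service -Name Spooler -StartupType Disabled

        # Verify the change actually took effect.
        $svc = Get-Service -Name Spooler
        if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') {
            Write-Output "Spooler stopped and disabled on $env:COMPUTERNAME"
        } else {
            Write-Warning ("Spooler is still {0} with start type {1}" -f
                $svc.Status, $svc.StartType)
        }
    }
}

Disable-PrintSpooler
```

To apply it across several domain controllers, pass the function body to
Invoke-Command -ComputerName with the DC hostnames; run it with -WhatIf first
to confirm which hosts still have the service running.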

Matthew Hickey, co-founder of Hacker House, was able to obtain full SYSTEM
privileges from a normal Domain User account on an up-to-date Windows
Server 2019 machine vulnerable to PrintNightmare.

Benjamin Delpy, the developer of the mimikatz post-exploitation tool for
penetration testing, achieved remote code execution with the highest
privileges on a fully patched system, too.

While his test was also on a Domain Controller, Delpy said that the same
result is achieved “on all systems with RPC to spooler available, remote or
local.”

Delpy made a video showing that his test system, running the latest
updates, did not stop the PrintNightmare exploit.

Will Dormann, a vulnerability analyst for CERT/CC, confirmed that a remote,
authenticated attacker can run code with elevated rights on a machine with
the Print Spooler service enabled.

Dormann also confirmed that Microsoft’s June security updates have no
effect against the PrintNightmare zero-day vulnerability detailed by the
researchers from Sangfor.

The general advice at the moment is to stop and disable the service on
Domain Controllers as soon as possible, as the need for authentication is
far from a deterrent for an attacker.

Threat actors, ransomware groups in particular, are likely to jump at the
occasion to compromise company networks, since getting credentials for
limited-privilege domain users is an easy task, security researcher Jonas
Lykkegård told BleepingComputer.

Credentials for regular users can be just as good for an attacker in
environments vulnerable to privilege escalation, and there is a market for
this type of data, sustained by info-stealing activities.

On some underground forums, a valid login and password pair for a Windows
Remote Desktop server can go for as low as $3 and as high as $70.

One of the largest marketplaces for Windows Remote Desktop logins had a
collection of 1.3 million credentials, showing that selling them is a
lucrative business.

Sangfor researchers (Zhiniang Peng, XueFeng Li, and Lewis Lee) will talk at
Black Hat this year about how they found PrintNightmare and created an
exploit for it in a presentation titled Diving Into Spooler: Discovering
LPE and RCE Vulnerabilities in Windows Printer.