Privacy Ninja

Public Windows PrintNightmare 0-day Exploit Allows Domain Takeover

Public Windows PrintNightmare 0-day Exploit Allows Domain Takeover

Technical details and a proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that allows remote code execution.

Despite the need for authentication, the severity of the issue is critical as threat actors can use it to take over a Windows domain server to easily deploy malware across a company’s network.

The issue affects Windows Print Spooler and because of the long list of bugs impacting this component over the years [1234], the researchers named it PrintNightmare.

Several researchers have tested the leaked PoC exploit on fully patched Windows Server 2019 systems and were able to execute code as SYSTEM.

An accidental leak

Leaking the details for this vulnerability happened by accident, out of a confusion with another issue, CVE-2021-1675, also impacting Print Spooler that Microsoft patched in this month’s rollout of security updates.

Initially, Microsoft classified CVE-2021-1675 as a high-severity, privilege escalation issue but a couple of weeks later changed the rating to critical and the impact to remote code execution, without providing any details.

Credited for reporting CVE-2021-1675 are researchers from three cybersecurity companies (Tencent, AFINE, NSFOCUS) but multiple teams were analyzing Windows Print Spooler.

On June 28, Chinese security vendor QiAnXin announced that they found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution, and published a demo video.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

QiAnXin exploit demo video
source: QiAnXin

Seeing the exploit video and believing it’s the same issue, another team of researchers from Chinese security company Sangfor, decided to release their technical writeup and a demo exploit, calling the bug PrintNightmare.

However, it turns out that PrintNightmare is not the same as CVE-2021-1675, which received a patch on June 8, but a zero-day vulnerability in Windows Print Spooler in need of a fix.

Mitja Kolsek, CEO of Acros Security and co-founder of micropatching service 0Patch clears the confusion by pointing to the technical details that AFINE researchers released for CVE-2021-1675, which are different from what Sangfor researchers published yesterday.

PrintNightmare different from CVE-2021-1675
source: Mitja Kolsek

Confusion aside, PrintNightmare is a serious flaw that needs to be treated accordingly.

Since a patch is yet to come, administrators are strongly advised to stop and disable the spooler service, especially on domain controller systems.

Security consulting company Lares published a repository with detection and remediation information that includes a sample of the PrintNightmare attack and a Sysmon configuration file for telemetry purposes.

Florian Roth of Nextron Systems created experimental Sigma rules for detecting print spooler exploitation based on Sangfor researchers’ exploit code.

Lares also provides details on how to stop and disable the spooler service either from the Group Policy settings or by using a PowerShell script.

This can be done either from the Group Policy settings or by using PowerShell script

Matthew Hickey, co-founder of Hacker House, was able to obtain full SYSTEM privileges from a normal Domain User account on an up-to-date Windows Server 2019 machine vulnerable to PrintNightmare.

Benjamin Delpy, the developer of mimikatz post-exploitation tool for penetration testing, achieved remote code execution with the highest privileges on a fully patched system, too.

While his test was also on a Domain Controller, Delpy said that the same result is achieved “on all systems with RPC to spooler available, remote or local.”

Will Dormann, a vulnerability analyst for CERT/CC confirmed that a remote, authenticated attacker can run code with elevated rights on a machine with the Print Spooler service enabled.

Dormann also confirmed that Microsoft’s June security updates have no effect against the PrintNightmare zero-day vulnerability detailed by the researchers from Sangfor.

PrintNightmware is a zero-day in Windows Print Spooler
source: Will Dormann

The general advice at the moment is to stop and disable the service on Domain Controllers as soon as possible, as the need for authentication is far from a deterrent for an attacker.

Also Read: Data Protection Officer Singapore | 10 FAQs

Threat actors, ransomware groups in particular, are likely to jump at the occasion to compromise company networks, since getting credentials for limited-privilege domain users is an easy task, security researcherJonas Lykkegård told BleepingComputer.

Credentials for regular users can be just as good for an attacker in environments vulnerable to privilege escalation, and there is a market for this type of data, sustained by info-stealing activities.

On some underground forums, a valid login and password pair for a Windows Remote Desktop server can go for as low as $3 and as high as $70.

One of the largest marketplaces for Windows Remote Desktop logins had a collection of 1.3 million credentials, showing that selling them is a lucrative business.

Sangfor researchers (Zhiniang PengXueFeng Li, and Lewis Lee) will talk at Black Hat this year about how they found PrintNightmare and created an exploit for it in a presentation titled Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer.

Update [June 30, 18:45 EST]: Added information about detecting PrintNightmare exploit attempts and disabling the print spooler service to prevent attacks.

Privacy Ninja provides GUARANTEED quality and results for the following CORE SERVICES:

DPO-As-A-Service (Outsourced DPO Subscription)
Vulnerability Assessment & Penetration Testing (VAPT)
PDPA Obligations for Organizational Compliance (SkillsFuture Credit Eligible)

OTHER SERVICES:

PDPA Compliance Audit
Dig
ital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy

PDPA Data Protection Software
Smart Contract Audit

LIKE & SUBSCRIBE:
Facebook
LinkedIn
Twitter
YouTube
Podcast

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Powered by WhatsApp Chat

× How can we help you?