The Bad .bat Files: PrintNightmare

Paarth Singh Dahima
4 min readJul 6, 2021

Printers are an IT security headache. But when does this headache become a nightmare? Say, when there is a dangerous zero-day exploit out in the open and there is no definitive patch for it. Well... yes. And this nightmare even has a name. Meet CVE-2021-34527, aka PrintNightmare.


What is PrintNightmare?

PrintNightmare is a Remote Code Execution (RCE) vulnerability. Remote Code Execution means an attacker can run code of their choosing on your computer from another machine, without ever touching your keyboard. RCE is the real-world equivalent of leaving your computer unlocked and switched on in the park while you run to the coffee shop across the street.

PrintNightmare targets a service in Windows called Print Spooler. Print Spooler is the service that runs in the background when you interact with a printer and queue up print jobs. In short, you need Print Spooler to print stuff. The service also has a long and notorious history of vulnerabilities: a Print Spooler flaw (MS10-061) was one of the bugs Stuxnet used to spread. Who knew printers could be more annoying than just jamming paper all the time?

Here’s the technical bit. The problem is in the RpcAddPrinterDriverEx function that Print Spooler exposes over RPC. This function is meant to let printer administrators install drivers that will be used for printing. The thing about print drivers is that the spooler loads them and runs their code as NT AUTHORITY\SYSTEM, which is basically God-mode for a Windows system. Here comes the flaw. The function’s access check can be sidestepped, so ANY authenticated user (not just a printer admin) can hand it a DLL, slap a tag on it that says “Print Driver”, point the spooler at it (on the local disk or on an SMB share the attacker controls), and the spooler obligingly loads it as SYSTEM. Bob’s your uncle.
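Because the whole trick is getting the spooler to load a DLL it should never have touched, the things worth hunting for on a host are exactly that: driver DLLs that appeared recently under the spool directory, and the spooler’s own log entries for driver installs and failed plug-in loads. The script below is an added example, not code from the original post; it assumes you run it as an administrator on the host being checked, and that the PrintService/Operational log is enabled (it is off by default, so an empty result there is not proof of absence). The event IDs and paths are the standard Windows ones.

```powershell
# Added example: hunt for a driver DLL the spooler may have loaded as SYSTEM.
# Assumptions: run elevated; PrintService/Operational logging enabled.
$lookback = (Get-Date).AddDays(-7)

# 1. Print drivers are staged under spool\drivers\<arch>\3\ before the spooler
#    loads them as SYSTEM. A recently written DLL there that is not signed by a
#    printer vendor is worth a look.
$driverRoot = Join-Path $env:SystemRoot 'System32\spool\drivers'
$recentDlls = Get-ChildItem -Path $driverRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $lookback } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            Signature = $sig.Status                    # 'Valid' for legitimate vendor drivers
            Signer    = $sig.SignerCertificate.Subject
        }
    }

# 2. Event 316 (Operational log) records every driver add/update, including the
#    file names the caller supplied. Event 808 (Admin log) fires when the spooler
#    fails to load a plug-in module, which is what a clumsy exploit attempt leaves behind.
$driverAdds = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316
        StartTime = $lookback
    } -ErrorAction SilentlyContinue

$loadFailures = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 808
        StartTime = $lookback
    } -ErrorAction SilentlyContinue

# 3. Report. A driver whose files sit on a UNC path (\\host\share\evil.dll) or whose
#    DLL is unsigned is the PrintNightmare pattern.
"== Unsigned or recently written driver DLLs under $driverRoot =="
$recentDlls | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize

"== Driver add/update events (316) since $lookback =="
$driverAdds | ForEach-Object { $_.TimeCreated.ToString('u') + '  ' + ($_.Message -replace '\s+', ' ') }

"== Spooler plug-in load failures (808) since $lookback =="
$loadFailures | ForEach-Object { $_.TimeCreated.ToString('u') + '  ' + ($_.Message -replace '\s+', ' ') }
```

Run it on anything that accepts remote printing connections, Domain Controllers first. If the Operational log is disabled, turn it on (Event Viewer, Applications and Services Logs, Microsoft, Windows, PrintService, Operational, Enable Log) so the next attempt is recorded.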

Should I be worried?

Well, obviously.

PrintNightmare appears to work against every supported version of Windows and Windows Server (and, by the author’s account, older releases such as XP and Vista too), and a successful attack means total system pwnage. The vulnerable Print Spooler service is also enabled by default on every system, Domain Controllers included. But here’s the kicker. For PrintNightmare to be used to its fullest extent, the attacker has to tick some boxes first.

See, the attacker needs a valid account first. It can be the most basic of domain accounts, but the attacker needs working credentials to make the RPC call. Secondly, the malicious DLL is usually served from an SMB share the attacker controls, and the target’s spooler reaches out over SMB to fetch it. If your perimeter blocks SMB (TCP 445) both inbound and outbound, an outside attacker can neither reach your spooler nor feed it a DLL, which is why this is mostly an inside job. Lastly, attackers will use this exploit mostly as a means of lateral movement and privilege escalation: one low-privilege account becomes SYSTEM on any spooler they can reach, including the Domain Controller.

That doesn’t mean you’re in the clear, though. It is as they say:

“Security is always excessive until it’s not enough.”

Mitigation

Okay, getting to the point. How do I stop this nightmare from hacking me? The Microsoft June 8 patch (which addressed the related CVE-2021-1675) does not close this hole, so there are a couple of workarounds you can apply depending on the situation.

1. If you don’t have a printer connected to your computer, you can simply disable the Print Spooler service. This is the fail-safe option, but you won’t be able to print. For high-value systems like Domain Controllers, which have no business printing anyway, disabling it is the advisable route.

Open Task Manager by right-clicking on the Taskbar > Go to the Services tab inside Task Manager.

Find the service named “Spooler” (description “Print Spooler”) > Right-click on the service and select Stop.

Stopping it here only lasts until the next reboot. To keep it off, open Services (services.msc), open the Print Spooler properties and set Startup type to Disabled.

2. If disabling the Print Spooler is not an option, there is a workaround for machines that are not print servers. Set the Group Policy “Allow Print Spooler to accept client connections” to Disabled and the spooler stops registering its remote RPC endpoint, which blocks the remote attack vector. The machine can no longer serve printers to other machines, but local printing to a directly attached printer still works. Note that this only stops remote callers: an attacker who already has a shell on the box can still abuse the spooler locally to escalate.

Search for “Edit Group Policy” in your Windows search bar or in Control Panel > Go to Computer Configuration > Select Administrative Templates > Select “Printers”.

Find the option “Allow Print Spooler to accept client connections”.

Check the “Disabled” radio button > Click Apply, then restart the Print Spooler service (or reboot) for the change to take effect.

Your Local Group Policy Editor should look something like this afterwards.
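Both options above can be applied and verified from an elevated PowerShell prompt, which is handier than clicking through Task Manager or the policy editor on more than a handful of machines. The script below is an added example, not from the original post. It assumes the registry value written by the “Allow Print Spooler to accept client connections” policy is RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers (1 = enabled, 2 = disabled), as defined in the Printing.admx template; confirm that against your own ADMX before rolling it out at scale.

```powershell
# Added example: apply mitigation 1 (disable spooler) or mitigation 2 (refuse remote
# client connections) and verify the result. Save as Mitigate-Spooler.ps1 and run elevated.
# Assumption: the policy's registry value is RegisterSpoolerRemoteRpcEndPoint (2 = disabled).
param(
    # $true  -> Option 1: stop and disable the spooler entirely.
    # $false -> Option 2: keep local printing, refuse remote client connections.
    [bool]$DisableSpooler = $false
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

$svc = Get-Service -Name Spooler
"Before: Spooler status=$($svc.Status) startup=$($svc.StartType)"

if ($DisableSpooler) {
    # Warn if the box is visibly acting as a print server; disabling will break those shares.
    $shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared
    if ($shared) {
        Write-Warning "Shared printers present: $($shared.Name -join ', '). Disabling the spooler will stop them."
    }
    # Stop-Service alone (what Task Manager does) only lasts until reboot;
    # setting the startup type to Disabled is what keeps it off.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}
else {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # 2 = policy "Disabled": the spooler no longer registers its remote RPC endpoint.
    Set-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    # The spooler reads this value at start-up, so restart it for the change to take effect.
    Restart-Service -Name Spooler -Force
}

# Verify both the service state and the policy value.
$svc = Get-Service -Name Spooler
"After:  Spooler status=$($svc.Status) startup=$($svc.StartType)"
$val = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
"RegisterSpoolerRemoteRpcEndPoint = $val  (2 = remote connections refused; absent or 1 = accepted)"
```

Run it as `.\Mitigate-Spooler.ps1 -DisableSpooler $true` on Domain Controllers and other servers that never print, and without the switch on workstations that need a locally attached printer. If the machine is domain-joined, set the same policy in a domain GPO as well, otherwise the next gpupdate may overwrite the local value.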

*Please note that CVE-2021-34527 is still unresolved as of the date of publishing this article; stay up to date by following the official news coming out of Microsoft.

Paarth Singh Dahima

Mishmash of infosec, sports and military history | CEH, Security+