
Windows Users Nightmare

A new vulnerability has been discovered that threatens your security.

Updated: August 4, 2021 By Darina Shramko

Windows PrintNightmare vulnerability

Image source - Shutterstock

Alert! The world is in danger again! Microsoft warns of the critical vulnerability “PrintNightmare” (CVE-2021-34527) in the Windows Print Spooler service.

Last week the world shook with horror! On July 1, Microsoft alerted system administrators to the critical zero-day vulnerability CVE-2021-34527 in the Print Spooler service of all currently supported versions of Windows. Information security specialists dubbed the vulnerability "PrintNightmare" because the threat resembles a waking nightmare.

The fact is that all versions of Windows released since 2008 are affected by this critical vulnerability. Millions of people are targets for hackers eager to get into system files and take over their data.

Using this vulnerability, a hacker can remotely do whatever he wants on your computer: install or remove programs; copy, change or delete data; create new accounts with administrator rights. Microsoft has rated PrintNightmare at the highest severity level because the print service runs by default on all versions of Windows, which makes it easy for an experienced cybercriminal to exploit the vulnerability.


Disclaimer:

All information is provided to inform you about the new PrintNightmare threat. Any illegal use of the information in this article is prohibited.


How did PrintNightmare come about?

The PrintNightmare vulnerability CVE-2021-34527 came to light this week after Sangfor Technologies researchers accidentally published a PoC exploit. According to the official version, Sangfor Technologies planned to present a report on vulnerabilities in the Windows Print Spooler service at the annual Black Hat USA 2021 information security conference, which is scheduled to open on July 31 and run for six days, until August 5 inclusive.

However, accidents are not always accidental, so the publication of the exploit raises some suspicions. Was it a fatal mistake or a deliberate leak to attract public attention? The test code was removed immediately, but, as you know, whatever gets onto the Internet stays there forever.

Unfortunately, this class of vulnerability is nothing new to information security engineers. Ten years ago, humanity was confronted with the malicious network worm Stuxnet, which spread in part by exploiting an earlier Print Spooler flaw, destroyed nuclear enrichment centrifuges in Iran and infected more than 45,000 networks! Needless to say, the consequences of the worm's actions were disastrous. And Stuxnet is not the only threat: the Print Spooler contains countless vulnerabilities, many of which are still unknown to the world but could be catastrophic.

The danger of PrintNightmare is that any authenticated user can run code with SYSTEM privileges on a remote domain controller through the vulnerable Windows Print Spooler service running on that machine. It's a catastrophe!

Any Windows installation running the affected Print Spooler service is at risk, but domain controllers are the most attractive target for attackers. Simply put, the vulnerability gives a hacker the right to do whatever he wants.


PrintNightmare exploit

An Impacket implementation of the PrintNightmare PoC, originally created by Zhiniang Peng and Xuefeng Li, was posted on GitHub a few days earlier. The exploit was tested against a fully patched 2019 domain controller.

Experienced users immediately tested the exploit by installing the version of Impacket published on GitHub.

How does the exploit work? The malicious code adds a DLL to the C:\Windows\System32\spool\drivers directory, which is then used to gain access to the system.

Users ran the malicious DLL both locally and remotely to test the exploit.

Locally testing PrintNightmare exploit

Image source – github.com

Users also tested the exploit remotely to see whether a Windows system is really vulnerable.

Remotely testing PrintNightmare exploit

Image source – github.com

Experienced users also run the rpcdump.py script from Impacket against a host. If it returns output, the host is quite possibly vulnerable.

Scanning potential vulnerable hosts

Image source – github.com

After testing the exploit, we confirmed that the Windows system is indeed vulnerable. Urgent action is needed to eliminate the threat, because the consequences of this vulnerability can be critical!

Microsoft has released a FAQ that answers in detail all the questions of worried users.

I strongly recommend that you temporarily disable the Windows Print Spooler service.


How to disable the Windows Print Spooler service?

Our recommendations apply to both Windows 10 and earlier versions of the operating system. So, to mitigate PrintNightmare, follow these steps:

Command to stop Windows Print Spooler service

  1. Open Start.
  2. Run PowerShell as administrator.
  3. Enter the command Stop-Service -Name Spooler -Force to stop the Print Spooler service and press Enter.
  4. To prevent the Print Spooler service from restarting, enter the command Set-Service -Name Spooler -StartupType Disabled and press Enter.

Prevent restarting the Windows Print Spooler service

If you want to re-enable Windows Print Spooler, you must:

  1. Open Start.
  2. Run PowerShell as administrator.
  3. Enter the command Set-Service -Name Spooler -StartupType Automatic and press Enter.
  4. Enter the command Start-Service -Name Spooler to start the Print Spooler service and press Enter.
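The two procedures above, wrapped into functions that also verify the result, as an added example (this is not code from the original article or from Microsoft). It assumes Windows PowerShell 3.0 or later, run elevated on the local machine; "Spooler" is the real service name already used in the article's commands.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Assumes Windows PowerShell
# 3.0 or later on the local machine. "Spooler" is the real service name used
# in the article's commands.

function Get-SpoolerState {
    # Return the current state and startup mode of the Print Spooler service.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Status    = $svc.Status.ToString()   # Running / Stopped
        StartMode = $cim.StartMode           # Auto / Manual / Disabled
    }
}

function Disable-PrintSpooler {
    # Mitigation: stop the service, then keep it from starting again at boot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
    $state = Get-SpoolerState
    if ($state.Status -ne 'Stopped' -or $state.StartMode -ne 'Disabled') {
        throw "Print Spooler is still $($state.Status) with start mode $($state.StartMode)"
    }
    return $state
}

function Enable-PrintSpooler {
    # Rollback: restore the default startup type, then start the service.
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler -ErrorAction Stop
    $state = Get-SpoolerState
    if ($state.Status -ne 'Running' -or $state.StartMode -ne 'Auto') {
        throw "Print Spooler is $($state.Status) with start mode $($state.StartMode)"
    }
    return $state
}

# Usage: inspect the current state, then call one of the two functions.
Get-SpoolerState
# Disable-PrintSpooler   # apply the workaround
# Enable-PrintSpooler    # roll it back once the system is patched
```

Each function re-reads the service after acting on it and throws if the service is not in the expected state, so a script that calls Disable-PrintSpooler across a fleet fails loudly instead of silently leaving the spooler running. Win32_Service reports the automatic startup type as "Auto", which is why the rollback check compares against that string.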

How to disable Print Spooler service via Group Policy on Windows 10?

If you have Windows 10 Pro (or Enterprise), you can use the Local Group Policy Editor to protect your PC from the vulnerability.

You must:

  1. Open Start.
  2. Search for gpedit and open the Local Group Policy Editor.
  3. Go to Computer Configuration > Administrative Templates > Printers.

    Disabling Print Spooler service via Group on Windows 10

  4. Double-click Allow Print Spooler to accept client connections.
  5. Select the Disabled option.

    Disabled option

  6. Click the Apply and OK buttons.
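For machines without the Group Policy Editor, or for scripting the same change across many hosts, the policy can be set through the registry value that backs it. This is an added example, not code from the original article. It assumes that the "Allow Print Spooler to accept client connections" policy is stored as the DWORD value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with 1 meaning Enabled and 2 meaning Disabled; check that mapping against your own Printers.admx before relying on it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Writes the registry value that
# backs the "Allow Print Spooler to accept client connections" policy.
# Assumption: value RegisterSpoolerRemoteRpcEndPoint (DWORD) under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, 1 = Enabled, 2 = Disabled.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$ValueName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerClientConnectionPolicy {
    # Report the policy the way the editor shows it: NotConfigured / Enabled / Disabled.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ($item.$ValueName) {
        1       { 'Enabled' }
        2       { 'Disabled' }
        default { "Unknown($($item.$ValueName))" }
    }
}

function Set-SpoolerClientConnectionPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($State -eq 'Disabled') { 2 } else { 1 }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $value -Force | Out-Null

    # The spooler reads the policy when it starts, so a running spooler must be
    # restarted for the change to take effect.
    if ((Get-Service -Name Spooler).Status -eq 'Running') {
        Restart-Service -Name Spooler -Force
    }
    Get-SpoolerClientConnectionPolicy
}

# Usage:
Get-SpoolerClientConnectionPolicy
# Set-SpoolerClientConnectionPolicy -State Disabled   # stop accepting remote clients
# Set-SpoolerClientConnectionPolicy -State Enabled    # roll back
```

Two caveats. Writing the value directly takes effect for the spooler, but the Local Group Policy Editor reads its own registry.pol store, so gpedit may still display the setting as Not Configured. And with the policy Disabled a machine still prints locally; it just stops serving remote clients, which is the exposure the article is worried about on domain controllers.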

How to change access rights using a PowerShell script?

To change the permissions on the directory C:\Windows\System32\spool\drivers, run the following script:

# Add a Deny rule so that the SYSTEM account cannot modify the drivers directory (temporary workaround)
$Path = "C:\Windows\System32\spool\drivers"
$Acl = (Get-Item $Path).GetAccessControl('Access')
# Deny "Modify" to SYSTEM; ContainerInherit/ObjectInherit make subfolders and files inherit the rule
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)
Set-Acl $Path $Acl

This adds a Deny rule to the drivers directory and all of its subdirectories, preventing the SYSTEM account from modifying their contents. Keep in mind that while the rule is in place the spooler cannot install any printer drivers at all, including legitimate ones, so treat it as a temporary workaround and remove it once the system is patched.

If necessary, you can roll back the change by running the following PowerShell script:

# Remove the Deny rule added above; the rule object must match the one that was added
$Path = "C:\Windows\System32\spool\drivers"
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.RemoveAccessRule($Ar)
Set-Acl $Path $Acl
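An added check that complements the two scripts above (not code from the original article): it reports whether the Deny rule is currently present on the spool\drivers directory, and lists DLLs recently written there, since the article describes the exploit dropping its payload DLL into that very directory. The directory path is the one used in the article; the 7-day window is an arbitrary default I chose, and the hostname-independent output is meant to be collected from each machine being reviewed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Checks for the Deny rule from the
# article's workaround and lists recently changed DLLs in spool\drivers.
# The path is the one used in the article; the 7-day window is an arbitrary default.

$DriversPath = 'C:\Windows\System32\spool\drivers'

function Test-SpoolDriversDenyRule {
    # $true when a Deny rule for NT AUTHORITY\SYSTEM covering Modify exists on $Path.
    param([string]$Path = $DriversPath)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path
    $rule = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    return [bool]$rule
}

function Get-RecentSpoolDriverDlls {
    # DLLs under $Path written within the last $Days days, with their signature status.
    param([string]$Path = $DriversPath, [int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                Signature     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

if (Test-SpoolDriversDenyRule) {
    "Deny rule for SYSTEM is present on $DriversPath (workaround applied)."
} else {
    "No Deny rule for SYSTEM on $DriversPath (workaround not applied)."
}

"DLLs changed in the last 7 days (unsigned ones deserve a closer look):"
Get-RecentSpoolDriverDlls | Format-Table -AutoSize
```

Legitimate printer drivers are normally signed, so a DLL in this directory with a Signature of NotSigned and a recent LastWriteTime is the kind of thing worth pulling for analysis. The deny-rule check compares against NT AUTHORITY\SYSTEM because that is how the "System" identity from the article's script is reported back by Get-Acl.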

UPDATE! Microsoft has released an emergency update to fix PrintNightmare!

A few hours earlier, Microsoft had released unscheduled patches to fix the PrintNightmare vulnerability.

Patches are available for a wide range of Windows releases, from older versions such as Windows 7 and Windows Server 2008 to the latest Windows 10 and Windows Server 2019. The priority patches are for Windows servers acting as domain controllers, where the Print Spooler service is often enabled by default to allow printing on the organization's intranet. Despite that priority, I still highly recommend updating all types of Windows systems.

"Please be aware that security updates released on July 6 and later contain fixes for CVE-2021-1675 and an additional fix for the remote code execution vulnerability in Windows Print Spooler known as 'PrintNightmare' and registered as CVE-2021-34527," Microsoft reported.

You can download the update for your version of Windows and feel safe again.


Conclusion

This week has turned out to be extremely difficult not only for Microsoft specialists but also for millions of Windows users. Fortunately, Microsoft quickly reacted to the problem and saved millions of users worldwide from the tragic consequences of the PrintNightmare vulnerability.

I continue to follow the IT news and will notify you immediately if a new vulnerability emerges that threatens your security.

Stay safe and see you soon!
