Microsoft Corporation, Microsoft Windows, Computer, Windows 10, Vulnerability: CVE-2021-1675 #PrintNightmare Explained
...because of the nightmares of support that they cause, we actually have the PrintNightmare here on July 1st of 2021. Well, technically it started the other day, and this is kind of a mess going on right now, and I say right now because it is July 1st, 8:55 a.m., and we started all of our mitigation right away since we found out about this the other day, and we're continuing to keep an eye on it. I wanted to raise a little bit of awareness on PrintNightmare in case you haven't heard of it or don't understand what happened.

Essentially, a security researcher tweeted out a proof-of-concept exploit and explainer recently and then quickly deleted it. This exploitation discussion contained an unpatched zero-day in all supported and Extended Security Update versions of the Windows OS. Now, specifically, the proof of concept has only been shown for Windows Server platforms, but it's a matter of time before someone escalates this and starts exploiting the print spooler inside of your standard, you know, Windows 10 deployments. It is a matter of time, that's all I've got to say. They deleted the proof of concept of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, which unfortunately doesn't fix it. Microsoft released a patch for the print spooler, and this is also where there's a little bit more confusion. Unfortunately, by this time the proof of concept had already been forked on GitHub, and the latest June 2021 security patches do not actually fix the issue.

This is where Microsoft made a mistake. They did patch the print spooler, but either (a) they didn't patch it right, or (b) it's just a different flaw; we're not really sure which. But the write-up tags the issue as CVE-2021-1675, which Microsoft themselves changed: they upped the severity of it. So if you were first looking at this, this is why it is a particularly confusing one. It had a low severity and did not show remote code execution. Then Microsoft said "oops, I guess it's worse than we thought." Now it does include all versions of Windows and remote code execution, and that's the part that's really why you have to work on mitigating it. Because let's talk about what happens here. The flaw is in RpcAddPrinterDriver, a legit function designed to allow remote printing scenarios and driver installation. The function is designed to allow users with SeLoadDriverPrivilege, by default Administrators and Print Operators, to add drivers to a remote print spooler. So it's a legit function that is supposed to allow you to have print drivers added to make your life easier with printers. Unfortunately, it also has a logic flaw where the remotely connecting party can specify parameters which invalidate the authentication, or, in English, any authenticated user can remotely add print drivers to Windows. You don't need to be an administrator. Essentially, what this allows them to do is escalate up, so you can have any low-level privileged person, someone just working help desk with not really any access on the network other than an Active Directory domain credential, and from there they can escalate that privilege and become the domain admin. This is obviously a huge problem.

Now, ways to mitigate this: turn off the Print Spooler. But in case you're wondering, yes, that breaks print services, so it's one of those where we've turned it off anywhere that clients don't need print services, or looked at ways to mitigate it by not having print servers there and moving them somewhere else. This is a mess, we'll just say that. Because if you're going "this sounds like a headache, Tom": oh yes, it's a headache. Now, where the real flaw comes in, and what a big problem in this world is, is we know that there are always threat actors that frequently have low-level access but can't get further; they're stuck. This is going to allow an opportunity for any threat actor that may already be in a system. Obviously, if there's no threat actor in the system, it's only a risk if some user, you know, escalates privileges, but you can kind of see where this is a big deal. I don't think this is being overblown at all.

Now, right now, being real-time updated, I will leave a link to this right here, which is the post from Huntress Labs. They have a breakdown, some mitigation, some discussion over here on Reddit; even their post over here, which I'll be linking to, all of this on Reddit, on the blog over here at Huntress, refers back over to Reddit. So they have the mitigations; there's a few more things you can do, there's a few parameters you can put on there, and they're actively working on it. Maybe by the time this video, you know, gets to you, you've already mitigated or there are better mitigations than are available right now, so keep an eye on it. Links will be right down below where you can learn more about this. Big shout-out to Kevin Beaumont, aka GossiTheDog over here on Twitter, who is the author of this and is, you know, real-time dropping updates for this. Also, he is the author right here at DoublePulsar that wrote this write-up that I was reading from. Big shout-out to the team over at Huntress Labs for their work on this and, of course, John Hammond, who has a video posted over on Huntress. He has a great YouTube channel; I'll leave a link down below. But they do have a proof of concept, if you want to actually see this in action, how it does the privilege escalation, that is included in this Reddit post right here, so you can try it out for yourself. And yeah, this... be scared. This video is pretty short here, but it walks you through in three minutes, going from three minutes of not being a domain admin to John having domain admin on this. So, um, yeah, we'll go ahead and jump to the end. You'll have to wait the whole time, but of course I'll link it in there.

But ah yes, `cd Users`, Administrator, and all right, in that short little video John gets admin on there. So pretty scary. And, uh, Ali likes it. I'll leave links to all this below. Get patching, get mitigating. Well, patches aren't available, so patching may be available when you watch this video, but if not, get mitigating. All right, and thanks, and thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there is a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel.
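The mitigation the video describes (turn the Print Spooler off on every host that does not need print services, and handle print servers separately) as a worked PowerShell example. This is an added example; it is not code from the video, from Huntress Labs, from Kevin Beaumont or from Microsoft. It goes a step beyond the video with a second option for hosts that must keep printing locally but never serve remote clients: keeping the Spooler running but setting the policy value `RegisterSpoolerRemoteRpcEndPoint = 2`, which is what the Group Policy "Allow Print Spooler to accept client connections: Disabled" writes. That registry value and its meaning are taken from Microsoft's guidance at the time and are stated here as an assumption, since the video only says "there's a few parameters you can put on there". The script parameters, the rule that a host sharing printers is left untouched, and the verification step are the example's own choices.

```powershell
# Added example (not from the video, Huntress, Kevin Beaumont or Microsoft):
# triage and mitigate PrintNightmare exposure on a single Windows host.
# Run in an elevated PowerShell session on the host being changed.
param(
    # Hosts that still print locally but must never accept remote print
    # clients: keep the Spooler but refuse inbound RPC (option 2 below).
    [switch]$KeepLocalPrinting,
    # Report what would be done without changing anything.
    [switch]$WhatIfOnly
)

$spooler = Get-Service -Name Spooler
# Get-Printer comes from the PrintManagement module (Windows 8 / 2012 and later).
$shared  = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

Write-Host "Spooler status : $($spooler.Status) (StartType: $($spooler.StartType))"
Write-Host "Shared printers: $($shared.Count)"

# Assumption: a host that shares printers is a print server. The video moves
# those elsewhere rather than hardening them in place, so this script refuses
# to touch them and leaves that risk decision to the operator.
if ($shared.Count -gt 0) {
    Write-Warning "This host shares printers; nothing changed. Handle print servers separately."
    return
}

if (-not $KeepLocalPrinting) {
    # Option 1 (the video's mitigation): turn the Print Spooler off entirely.
    # Stopping is not enough on its own; disable it so it stays off after reboot.
    Write-Host "Stopping and disabling the Print Spooler service."
    if (-not $WhatIfOnly) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}
else {
    # Option 2 (assumption, from Microsoft's guidance at the time): keep local
    # printing but stop the Spooler from accepting client connections. This is
    # the value behind the Group Policy
    # "Allow Print Spooler to accept client connections" = Disabled (2 = disabled).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    Write-Host "Disabling inbound remote RPC connections to the Spooler."
    if (-not $WhatIfOnly) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint -Type DWord -Value 2
        # The Spooler reads the policy at start, so restart it to apply the change.
        Restart-Service -Name Spooler
    }
}

# Verification: re-read the service state and the policy value so the operator
# sees what actually landed rather than trusting that the commands succeeded.
$after = Get-Service -Name Spooler
$rpc   = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' `
          -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
# Named pipes can be enumerated as files under \\.\pipe\; the spoolss pipe is
# only present while the Spooler service is running (assumption: local check only,
# it says nothing about whether remote clients are accepted).
$pipePresent = [System.IO.Directory]::GetFiles('\\.\pipe\') -contains '\\.\pipe\spoolss'

Write-Host "After: Spooler $($after.Status) / StartType $($after.StartType)"
Write-Host "After: RegisterSpoolerRemoteRpcEndPoint = $rpc (2 = remote clients refused, unset = default)"
Write-Host "After: spoolss named pipe present = $pipePresent"
```

Run it once with `-WhatIfOnly` to see the current state, then without it on workstations that never print, or with `-KeepLocalPrinting` on hosts that print but are not print servers. Option 2 only closes the remote path; it does not change the local RpcAddPrinterDriver behaviour the video describes, so a user already logged on to that host is still in scope until a fix ships.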