Not even a week has passed since Microsoft released an update addressing the print spooler security vulnerability known as PrintNightmare.
Unfortunately, a few days ago another printing issue was discovered, this time exploited in a slightly different way.
Remote print server with SYSTEM privileges
The vulnerability, reported by BleepingComputer, was discovered by Benjamin Delpy. While testing the PrintNightmare exploit, he arrived at this scenario: he had created a remote print server that installs a print driver and runs a DLL with SYSTEM privileges.
Initially this DLL wrote a log to a location that only accounts with elevated privileges can access and write to; he then changed it to run a command from the command prompt as administrator.
As BleepingComputer also reports, this type of attack can be exploited to penetrate the corporate network using "edge" computers as a bridgehead. So let's see how to mitigate the problem.
How to mitigate the problem?
Disable the print spooler
Disabling the spooler means, of course, that it will no longer be possible to print or scan from the computer. To do this, run these commands from an administrator prompt (PowerShell):
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Disable RPC and SMB ports
An additional step could be to disable the ports that can be used during the attack, namely the RPC and SMB ports. To do this, make sure to block ports 135 TCP for RPC and 139/145 TCP for SMB.
The best solution, however, is to act on group policies, both at the client and server level.
Configure Package Point and Print
As mentioned, the most efficient and recommended method is to set the "Package Point and Print - Approved servers" policy.
This policy prevents a standard user (that is, a non-administrator) from installing print drivers from any print server other than those defined in the policy itself.
The full path, accessible through the gpedit.msc command, is:
User Configuration > Administrative Templates > Control Panel > Printers > Package Point and Print - Approved servers
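A read-only check of the two mitigations above (spooler stopped and disabled, approved-servers policy set), added here as an example and not part of the original article. The function name and the registry location of the policy are assumptions; confirm the key against the Printing.admx template on your systems.

```powershell
# Added example: audits the local machine only and changes nothing.
function Get-SpoolerMitigationStatus {
    [CmdletBinding()]
    param()

    # 1) Print Spooler: counts as mitigated only if stopped AND disabled,
    #    otherwise it can be started again on demand or at next boot.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $spoolerOff = ($null -eq $svc) -or
                  ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')

    # 2) "Package Point and Print - Approved servers" (User Configuration).
    #    Assumption: the policy is stored under this per-user key, with the
    #    approved server names as values of the ListofServers subkey.
    $polKey  = 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
    $listKey = Join-Path $polKey 'ListofServers'

    $pol = Get-ItemProperty -Path $polKey -Name PackagePointAndPrintServerList `
                            -ErrorAction SilentlyContinue
    $policyOn = ($null -ne $pol) -and ($pol.PackagePointAndPrintServerList -eq 1)

    $servers = @()
    if (Test-Path -Path $listKey) {
        $key = Get-Item -Path $listKey
        $servers = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    # Summarise which mitigation, if any, is in place for this user/machine.
    $verdict = if ($spoolerOff)   { 'Spooler disabled' }
               elseif ($policyOn) { 'Spooler running, approved-servers policy set' }
               else               { 'NOT MITIGATED' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SpoolerState    = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStart    = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        PolicyEnabled   = $policyOn
        ApprovedServers = $servers -join ', '
        Verdict         = $verdict
    }
}

Get-SpoolerMitigationStatus | Format-List
```

Because the policy sits under User Configuration, run the check in the session of the user whose settings you want to verify.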
Via: BleepingComputer