Bypass vulnerability remote print server that grants full privileges to anyone

Not even a week has passed after Microsoft released an update dedicated to addressing a security vulnerability affecting the print spooler called PrintNightmare.

Unfortunately, a few days ago another press issue was discovered, this time in a slightly different way.

Remote print server with SYSTEM privileges

The vulnerability, reported by BipComputer, was discovered by Benjamin Delpy, who while testing the PrintNightmare exploit came across this situation where he had created a remote print server that installs a print driver and runs a DLL with SYSTEM privileges.

Want to test #printnightmare (ep 4.x) user-to-system as a service? 🥝 (POC only, will write a log file to system32) connect to \https://t.co/6Pk2UnOXaG with – user :. gentilguest – password: password Open ‘Kiwi Legit Printer – x64’, then ‘Kiwi Legit Printer – x64 (another)’ https://t.co/zHX3aq9PpM

Initially this DLL was going to write a log where only accounts with elevated privileges could access and write, then it changed it by running a command from the command prompt as administrator.

Here is the video showing the operation live:

As BleepingComputer also reports, this type of attack can be exploited to penetrate the corporate network using “edge” computers as a bridgehead. So let’s see how to alleviate the problem.

How to alleviate the problem?

Disable the print spooler

By disabling the spooler, of course, it will no longer be possible to launch prints or scans on the computer. To do this, run these commands from a command prompt as administrator (or powershell):

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Disable RCP and SMB ports

An additional step could be to disable the ports that can be used during the attack, namely the RPC and SMB ports. To do this, make sure to block ports 135 TCP for RPC and 139/145 TCP for SMB.

The best solution, however, is to act on group policies, both at the client and server level.

Define the selection and printing of the package

As mentioned, the most efficient and recommended method is to set the “Select and Print Package – Trusted Servers” policy.

This policy prevents a standard user (that is, a non-administrator) from installing print drivers other than the print server defined in the policy itself.

The full path, accessible by the command gpedit.msc, And:

Configurazione Utente > Modelli amministrativi > Pannello di Controllo > Stampanti >  Pacchetto di selezione e stampa - server approvati 

Street: Before Christ