Last month, cybersecurity experts inadvertently unveiled a PoC exploit for a dangerous problem related to the Windows Print Spooler service, which is a universal interface between OS, applications and local or network printers, allowing application developers to submit print jobs.As a result, an emergency patch was released for the vulnerability, which was criticized by experts for its inefficiency, but Microsoft said that the fix worked as it should.
However, as Bleeping Computer now reports, the problems with Windows Print Spooler are not over. Security researcher and creator of Mimikatz Benjamin Delpy said that he found a way to abuse the usual method of installing printer drivers in Windows and gain SYSTEM privileges using malicious drivers. Moreover, this method works even if administrators have taken Microsoft-recommended mitigation measures by limiting the installation of printer drivers and disabling Point and Print.
#printnightmare – Episode 3
You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?
— 🥝 Benjamin Delpy (@gentilkiwi) July 15, 2021
While the new local privilege escalation method is different from the exploit called PrintNightmare, Delpy says these are very similar bugs that should be treated altogether.
The expert explains that in the past, Microsoft has tried to prevent such attacks by dropping support for version 3 printer drivers, but this eventually caused problems, and Microsoft abandoned the idea in June 2017.
Unfortunately, this problem will most likely never be fixed because Windows must allow an administrator to install printer drivers, even if they might be malicious. In addition, Windows should allow non-administrator users to install signed drivers on their devices for ease of use. Namely, these nuances were abused by Delpy.
It is also worth mentioning that this week Microsoft shared its recommendations for fixing the new Print Spooler vulnerability, which has the identifier CVE-2021-34481. The problem is also related to privilege escalation through Print Spooler, and it was discovered by Dragos specialist Jacob Baines.
Unlike the PrintNightmare issue, this vulnerability can only be exploited locally for privilege escalation. Baines points out that CVE-2021-34481 and PrintNightmare are not related and represent different bugs.
Little is currently known about this issue, including which versions of Windows are vulnerable to it. Baines only says that the bug is somehow connected with the printer driver, and the researcher promises to tell all the details on August 7, during a speech at the DEF CON conference.
Currently, Microsoft simply recommends disabling Print Spooler on the affected machine.