Windows printing nightmare continues with malicious driver packages




Microsoft’s printing nightmare continues with another example of how a malicious actor can gain SYSTEM privileges by abusing malicious printer drivers.

Last month, security researchers accidentally revealed a proof-of-concept exploit for Windows PrintNightmare zero-day.

This vulnerability is tracked as CVE-2021-34527 and is a missing permission check in the Windows print spooler that allows installing malicious print drivers to achieve remote code execution or elevation of local privileges on vulnerable systems.

Microsoft released an out-of-band security update KB5004945 that was supposed to fix the vulnerability, but security researchers quickly determined that the patch could be circumvented under certain conditions.

However, Microsoft said their fixes were working as expected, and because the vulnerability was being actively exploited, they advised all Windows users to install the update.

The printing nightmare continues

Yesterday, security researcher and creator of Mimikatz Benjamin Delpy stated that he found a way to abuse the normal Windows printer driver installation method to gain local SYSTEM privileges through malicious printer drivers.

This technique can be used even if administrators have applied the Microsoft recommended mitigation measures of restricting printer driver installation to administrators and disabling Point and Print.

While this new method of local privilege escalation is not the same as what is commonly referred to as PrintNightmare, Delpy told BleepingComputer that he considers similar printer driver installation bugs to be classified under the same name.

In a conversation with BleepingComputer, Delpy explained that even with mitigation measures applied, a malicious actor could create a signed malicious print driver package and use it to gain SYSTEM privileges on other systems.

To do so, the malicious actor would create a malicious print driver and sign it using a trusted Authenticode certificate by following these steps.

However, some threat actors are opting for the “Rolls Royce” method of signing drivers, which involves buying or stealing an EV certificate and then submitting the driver for Microsoft WHQL validation as a bogus company.

Once they have a signed printer driver package, a malicious actor can install the driver on any other network device to which they have administrative privileges.

Threat actors can then use this “hub” device to gain SYSTEM privileges on other devices on which they do not have elevated privileges by simply installing the malicious driver, as shown in the video below.

Delpy said the technique could be used to help threat actors spread laterally through an already compromised network.

To prevent this attack, you can turn off the print spooler or turn on the Point and Print Group Policy to limit the servers from which a device can download print drivers.

However, enabling Point and Print would allow PrintNightmare exploits to bypass Microsoft’s current patch.
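As an added example (not from the article, Delpy, or Microsoft), the following PowerShell audits a host against the mitigations discussed above: spooler state, the policy restricting driver installation to administrators, and the Point and Print restrictions that limit trusted driver servers. The registry value names are the documented Point and Print policy values; the function names and finding strings are assumptions of this example.

```powershell
# Added audit script (not from the article): reports spooler and Point and Print
# hardening on the local host. Run in an elevated PowerShell session.
$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    param([string]$Name)
    # Returns $null when the policy value has never been configured
    (Get-ItemProperty -Path $PnpKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-PrintHardeningState {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $status = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
    [pscustomobject]@{
        SpoolerStatus = $status
        # 1 = only administrators may install printer drivers (Microsoft's recommended mitigation)
        RestrictDriverInstallationToAdministrators = Get-PointAndPrintPolicy 'RestrictDriverInstallationToAdministrators'
        # 1 = no warning or elevation prompt when a Point and Print driver is installed
        NoWarningNoElevationOnInstall = Get-PointAndPrintPolicy 'NoWarningNoElevationOnInstall'
        # 0 = warn and elevate on driver update; higher values reduce prompting
        UpdatePromptSettings = Get-PointAndPrintPolicy 'UpdatePromptSettings'
        # 1 = only the servers in ServerList may supply print drivers
        TrustedServers = Get-PointAndPrintPolicy 'TrustedServers'
        ServerList     = Get-PointAndPrintPolicy 'ServerList'
    }
}

function Get-PrintHardeningFindings {
    param($State)
    $findings = @()
    if ($State.SpoolerStatus -eq 'Running' -and $State.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings += 'Spooler is running and driver installation is not restricted to administrators'
    }
    if ($State.NoWarningNoElevationOnInstall -eq 1 -or $State.UpdatePromptSettings -gt 0) {
        $findings += 'Point and Print warning/elevation prompts are weakened'
    }
    if ($State.SpoolerStatus -eq 'Running' -and $State.TrustedServers -ne 1) {
        $findings += 'Point and Print is not limited to a trusted server list'
    }
    $findings
}

$state = Get-PrintHardeningState
$state | Format-List
Get-PrintHardeningFindings -State $state | ForEach-Object { Write-Warning $_ }

# Inventory v3 drivers (the driver type Delpy says Microsoft once tried to deprecate) for review
Get-PrinterDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.MajorVersion -eq 3 } |
    Select-Object Name, Manufacturer, MajorVersion, InfPath | Format-Table -AutoSize
```

A clean result here does not block the signed-driver technique the article describes, since an administrator can still install a signed driver; it only confirms the settings are in the state Microsoft recommends.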

When asked how Microsoft could prevent this type of attack, Delpy said the company tried to prevent it in the past by deprecating version 3 printer drivers. In the end, this caused problems, and Microsoft ended the v3 deprecation policy in June 2017.

Unfortunately, this method is unlikely to be fixed because Windows is designed to allow an administrator to install a printer driver, even those that may be malicious. Additionally, Windows is designed to allow non-administrator users to install signed drivers on their devices for ease of use.

Instead, security software will likely be the primary defense against such attacks by detecting the driver or malicious behavior.

BleepingComputer has contacted Microsoft regarding the issue but has not received a response.


