Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.
Last night, Microsoft released an out-of-band KB5004945 security update that was supposed to fix the PrintNightmare vulnerability that researchers disclosed by accident last month.
After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.
However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems only if the Point and Print policy is enabled.
The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector – however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). https://t.co/PRO3p99CFo
— Hacker Fantastic (@hackerfantastic) July 6, 2021
Today, as more researchers began modifying their exploits and testing the patch, it was determined that exploits could bypass the entire patch entirely to achieve both local privilege escalation (LPE) and remote code execution (RCE).
According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.
Dealing with strings & filenames is hard
New function in #mimikatz to normalize filenames (bypassing checks by using UNC instead of \servershare format)
So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
— Benjamin Delpy (@gentilkiwi) July 7, 2021
Dormann also confirmed this patch bypass on Twitter.
To bypass the PrintNightmare patch and achieve RCE and LPE, a Windows policy called ‘Point and Print Restrictions’ must be enabled, and the “When installing drivers for a new connection” setting configured as “Do not show warning on elevation prompt.”
This policy is located under Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions.
When enabled, the ‘NoWarningNoElevationOnInstall‘ value will be set to 1 under the HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTPrintersPointAndPrint key.
Windows Registry Editor Version 5.00
Hickey told BleepingComputer that he is still advising admins and users to disable the Print Spooler service to protect their Windows servers and workstations until a working patch is released.
“We’re still advising our clients to disable the printer spooler wherever its not required until a fix arrives that addresses this issue appropriately,” Hickey told BleepingComputer.
0patch has also released a free micropatch for PrintNightmare that has so far been able to block attempts at exploiting the vulnerability.
However, they are warning against installing Microsoft’s July 6th patch as it not only doesn’t protect against the vulnerabilities but modifies the ‘localspl.dll’ file so 0Patch’s patch no longer works.
“If you’re using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn’t fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying,” tweeted the 0Patch service.
“We’ve decided not to port our PrintNightmare patches to the localspl.dll version brought by Microsoft’s out-of-band update from July 6, but will rather wait for Patch Tuesday that’ll hopefully fix the flawed IsLocalFile function, then we’ll port our patches to block local attacks”
Windows users and admins are advised to do one of the following:
- Do not install the July 6th patch and install 0Patch’s micropatch instead until a working patch from Microsoft is released.
- Disable the Print Spooler using the instructions here.
- Install Microsoft’s July 6th PrintNightmare patch and enable the ‘RestrictDriverInstallationToAdministrators‘ Registry value to only allow Administrators to install drivers to a printer server. You can find instructions on how to configure this Registry value in Microsoft’s support bulletin.
Microsoft has told BleepingComputer that they are investigating the claims of bypasses to their patch.
“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses,” Microsoft told BleepingComputer.
They also told BleepingComputer that the claims of bypasses are where an administrator changed default registry settings to an unsecure configuration and referred us to the CVE-2021-34527 advisory.
It is not clear if they refer to enabling Point and Print, and we have emailed them for clarification.
Microsoft said they would take appropriate action to protect their customers if investigations indicate there are further issues.
Understanding the PrintNightmare vulnerability
Matthew Hickey, aka Hacker Fantastic, was kind enough to take some time and chat with me today about the PrintNightmare vulnerability and how it works.
PrintNightmare is a vulnerability in the Windows Print Spooler that is caused by missing ACL (access control list) checks in the AddPrinterDriverEx (), RpcAddPrinterDriver (), and RpcAsyncAddPrinterDriver () Windows API functions used to install local or remote printer drivers to a print server.
Each of these functions are utilized through different Windows APIs, listed below:
- AddPrinterDriverEx (SDK)
- RpcAddPrinterDriver (MS-RPRN)
- RpcAsyncAddPrinterDriver (MS-PAR)
With PrintNightmare, a permission check can be bypassed to install a malicious DLL into the C:WindowsSystem32spooldrivers folder that is then loaded as a print driver by the exploit to achieve remote code execution or local privilege escalation.
“The API takes a user supplied argument as part of a permissions check when testing if it should permit installation of files into that folder with SYSTEM rights.”
“It doesn’t matter about the ACL’s on the folder, it’s specifically a check inside the software SDK which can be bypassed by supplying additional arguments to the function via an API call,” Hickey told BleepingComputer.
To exploit the vulnerability, requests can be sent directly to the local service via RPC or LRPC.
Microsoft’s OOB patch focused on blocking the remote exploitation of the vulnerability and only allowing non-Administrators to install a signed printer. The patch can also be configured using the ‘RestrictDriverInstallationToAdministrators’ to only allow Administrators to install a driver, further hardening security.
Hickey states that they did not address the underlying issue of a missing ACL check, thus allowing modified exploits to be created.
“The recent patch Microsoft released is focused on addressing the RCE exploit vector and seems to address the common PoC’s that float around, however as you can also reach this via LRPC and local API – depending on the host and circumstances, it appears the patch does not properly address the underlying problem in the ACL check which allows for exploitation still for LPE on a fully patched host,” explained Hickey.
This means that to bypass the RCE blocks, researchers had to find a method not defined by Microsoft’s block, such as Delpy’s use of a UNC path.
Update 7/7/21 5:05 PM EST: Added more information about the vulnerability and mitigations.
Update 7/7/21 8:28 PM EST: Clarified that the Point and Print policy must be enabled to exploit the vulnerability.
Update 7/7/21 8:51 PM EST: Added Microsoft’s statement.
Update 7/7/21 11:58 PM EST: Added information about the RestrictDriverInstallationToAdministrators Registry value.