Microsoft struggles to wake from its PrintNightmare: Latest print spooler patch can be bypassed, researchers say

Any celebrations that Microsoft’s out-of-band patch had put a stop PrintNightmare shenanigans may have been premature.

The emergency update turned up yesterday for a variety of Microsoft operating systems; little-used products like Windows Server 2012 and 2016 were excluded from the interim release.

While it initially appeared the remote-code execution (RCE) aspect of the security bug had been resolved, the local privilege escalation (LPE) hole remained, judging by the findings of a number of security researchers.

Then it got worse as demonstrations emerged apparently showing RCE and LPE were still possible on a fully patched server. That means it’s still possible for an authenticated user to get admin-level privileges on a local or remote machine running the Windows print spooler service. Proof-of-exploit code is floating around the internet; miscreants just need to make use of UNC to bypass the patch.

Mimikatz creator Benjamin Delpy, who is also responsible for the R&D Security Center at the Banque de France, shared a screenshot of a reversed-engineered Windows DLL with The Register and explained that the problem was down to how Microsoft was checking for remote libraries in its patch for PrintNightmare aka CVE-2021-34527.

“To determine if the library is remote or not,” he told us, “Microsoft check if the filename start by \\, like in \\remoteserver\sharename\filename”

“But in fact, the is another filename convention that can be used for remote file like: \??\UNC\remoteserver\sharename\filename”

Delpy described the issue as “weird from Microsoft” and was blunt about how the fix made it out in that form, opining that he believed: “They did not test it for real.”

To be fair to the Windows giant, we can imagine there was a good deal of consternation within its walls after the accidental disclosure of the PrintNightmare vulnerability. We asked Microsoft for its take on Delpy’s findings, and Redmond is stone-walling.

PrintNightmare has proven to be, frankly, a nightmare for the IT giant’s customers. Turning off the print spooler service on domain controllers and systems that do not print is the official guidance from Uncle Sam. Microsoft says about the same, and to install patches, with more info here.

In short, disable the vulnerable the print spooler service on your Windows systems to prevent exploitation.

This leaves networks with little choice. We’ve heard that the University of Reading in the UK, for one, pushed out a memo that read: “Please be advised that we have taken the difficult decision to disable all printing on the University’s network, and from UoR devices printing at home.”

“This renders all printing at the university, including locally connected USB printers, unusable,” observed the Register reader who forwarded on the update to us. “Not without its problems.”

The university has since begun pushing the patch out to PCs on its network. It may find itself having to push out a patch to patch the patch, in true Microsoft style. ®

READ MORE HERE