While the patch for CVE-2021-1675 also protects against PrintNightmare on most Windows devices, it didn\u2019t do so for domain controllers, which caused some puzzlement among security researchers. Until today, when Yunhai Zhang of Tianji Lab discovered a potential cause:<\/p>\n
\nBecause you have Builtin\\Pre-Windows 2000 Compatible Access group when logon to DC.<\/p>\n
\u2014 Yunhai Zhang (@_f0rgetting_) July 1, 2021<\/a><\/p><\/blockquote>\n
The Pre-Windows 2000 Compatible Access Group exists for backwards compatibility with Windows NT boxes and appears to be populated with authenticated users by default in new Windows Server deployments. As Windows Server blogger Dion Mosley explained<\/a>: \u201cMembers of this group have Read access for viewing all users and groups within the domain. Depending on the security settings chosen during the installation of Active Directory, the Everyone group might be a member of this group.\u201d<\/p>\n
Mimikatz maintainer Benjamin Delpy confirmed Zhang\u2019s findings to The Register<\/i>, saying: “I can confirm that if we remove \u2018authenticated users\u2019 from this group (leaving it empty after), it stops the exploit.” In short, membership of that group is an ingredient of the PrintNightmare exploit mechanism, and knowing that could at least help infosec and sysadmin folks better understand the underlying software bug. Delpy also tweeted a GIF showing the mitigation in action:<\/p>\n
\nThanks to @_f0rgetting_<\/a> we have an explanation about why we have an Elevated Token (allowing #PrintNightmare<\/a> on patched domain controllers): legacy\n<\/p>\n
If you remove “Authenticated users” from “Builtin\\Pre-Windows 2000 Compatible Access”, the original Microsoft Patch works again\ud83e\udd29 https:\/\/t.co\/StvDdEWoog<\/a> pic.twitter.com\/h5IGJ0slpZ<\/a><\/p>\n
\u2014 \ud83e\udd5d Benjamin Delpy (@gentilkiwi) July 1, 2021<\/a><\/p><\/blockquote>\n
At the time of writing it is not clear what side effects removing \u201ceveryone\u201d from the Pre-Windows 2000 Compatible Access Group will have. It may be wise to wait and see before dashing in and potentially causing problems elsewhere on your domain.<\/p>\n
Infosec researcher Dirk-Jan Mollema tweeted<\/a>: \u201cBefore you all go apply this I’d wait for some people who’ve actually worked with this and can tell the potential impact though.\u201d<\/p>\n
\nMeanwhile,<\/b> the US government’s Cybersecurity and Infrastructure Agency recommends<\/a> disabling the Windows Print spooler service in domain controllers and hosts that do not print.<\/p>\n<\/div>\n
Microsoft still hasn\u2019t responded to The Register<\/i>\u2019s questions about the vuln nor has it said that a patch is being worked on.<\/p>\n
Sangfor Technologies researchers published the zero-day proof-of-concept exploit as part of a blog post discussing a vuln they had found in Windows\u2019 print spool service. Wrongly believing that a very closely related and recently patched flaw (CVE-2021-1675) was the same as their zero-day, they dropped the code in public.<\/p>\n
Despite their trying to retract it a day later, the PrintNightmare exploit had, by that point, been forked and cached just about everywhere, as we reported<\/a>.<\/p>\n
The exploit itself allows a low-privileged user on an Active Directory domain to use Windows\u2019 Print Spooler service to run code as SYSTEM on vulnerable hosts. Anyone who obtains ordinary user credentials for a device on that network could potentially run malicious code on the domain controller, compromising the whole domain in one go. That is a very bad thing. \u00ae<\/p>\n