The Print Spooler fiasco continues as more bugs surface online, each triggering different attacks. Recently, a researcher spotted another zero-day in Windows Print Spooler that an adversary may exploit to compromise machines through remote printers.
Print Spooler Zero-Day Bug Risks Remote Printers
Security researcher Benjamin Delpy has found a zero-day in Print Spooler that enables remote attacks. According to his findings, an adversary can easily target any Windows machine and gain SYSTEM access remotely through the printer. Exploiting the flaw requires neither driver installation nor any authentication.
#printnightmare – Episode 4
You know what is better than a Legit Kiwi Printer?
Another Legit Kiwi Printer… No prerequisite at all, you even don't need to sign drivers/package pic.twitter.com/oInb5jm3tE
— Benjamin Delpy (@gentilkiwi) July 16, 2021
According to Bleeping Computer, the bug exists in the “Queue-Specific Files” feature of the “Point and Print” functionality of printers. Describing this feature, Microsoft states,
At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue.
Due to the flaw, a malicious DLL is executed on the client when it connects to the attacker's print server.
The researcher has demonstrated the exploit in a video by setting up a print server and connecting two printers. He has also created a test remote print server that anyone can use to check whether their system is vulnerable.
Want to test #printnightmare (ep 4.x) user-to-system as a service?
(POC only, will write a log file to system32)
connect to \https://t.co/6Pk2UnOXaG with
– user: .gentilguest
– password: password
Open 'Kiwi Legit Printer – x64', then 'Kiwi Legit Printer – x64 (another one)' pic.twitter.com/zHX3aq9PpM
— Benjamin Delpy (@gentilkiwi) July 17, 2021
Recommended Mitigations
As observed, this zero-day currently affects all existing versions of Windows. What makes this bug serious is its remote exploitability, which may allow an adversary to move laterally across the network.
Currently, no fix is available for it, and Microsoft hasn’t even announced any patches yet.
Nonetheless, the researcher has suggested some measures to mitigate the risks. These include,
- Disabling outbound access to CIFS/SMB/RPC
- Restricting the “Package point and print” to approved servers only, barring any unauthenticated users.
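As an added example (not code from the article or from the researcher it quotes), the following PowerShell script audits whether Package Point and Print is restricted to an approved-server list and, with -Apply, writes the same registry values the corresponding Group Policy settings write and adds the outbound SMB/RPC block; the server names are placeholder assumptions.

```powershell
# Added example, not code from the article or the researcher. Audits and (with -Apply)
# enforces the two mitigations listed above. Run from an elevated PowerShell session.
# $ApprovedServers is a placeholder list: replace it with your own print servers.
param(
    [string[]]$ApprovedServers = @('printsrv01.corp.example', 'printsrv02.corp.example'),
    [switch]$Apply
)
# Registry location written by the "Package Point and print - Approved servers" policy
$ppp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PackagePointAndPrintState {
    # Reports whether Package Point and Print is limited to the approved-server list
    $flag = (Get-ItemProperty -Path $ppp -Name PackagePointAndPrintServerList `
                -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
    $servers = @()
    if (Test-Path "$ppp\ListofServers") {
        $key = Get-Item "$ppp\ListofServers"
        $servers = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    }
    [pscustomobject]@{ RestrictedToList = ($flag -eq 1); ApprovedServers = @($servers) }
}

function Set-PackagePointAndPrintServerList {
    param([string[]]$Servers)
    # Creates the policy keys (New-Item -Force also creates the missing parent key)
    New-Item -Path "$ppp\ListofServers" -Force | Out-Null
    Set-ItemProperty -Path $ppp -Name PackagePointAndPrintServerList -Value 1 -Type DWord
    Set-ItemProperty -Path $ppp -Name PackagePointAndPrintOnly -Value 1 -Type DWord
    # Replace any previous list with one REG_SZ value per approved server, named 1, 2, ...
    $key = Get-Item "$ppp\ListofServers"
    $key.GetValueNames() | ForEach-Object { Remove-ItemProperty -Path "$ppp\ListofServers" -Name $_ }
    $i = 1
    foreach ($s in $Servers) {
        Set-ItemProperty -Path "$ppp\ListofServers" -Name $i -Value $s -Type String
        $i++
    }
}

function Block-OutboundSmbRpc {
    # Outbound block for SMB (445) and the RPC endpoint mapper (135); this also affects
    # legitimate file-share and RPC traffic, so scope -RemoteAddress before rolling out.
    New-NetFirewallRule -DisplayName 'Block outbound SMB/RPC (Print Spooler mitigation)' `
        -Direction Outbound -Protocol TCP -RemotePort 445,135 -Action Block | Out-Null
}

'Before:'; Get-PackagePointAndPrintState
if ($Apply) {
    Set-PackagePointAndPrintServerList -Servers $ApprovedServers
    Block-OutboundSmbRpc
    'After:'; Get-PackagePointAndPrintState
}
```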
This vulnerability is different from the LPE flaw discovered recently and the chaotic PrintNightmare.
Let us know your thoughts in the comments.