It hasn’t been long since Microsoft patched the infamous PrintNightmare security vulnerabilities. In fact, the tech giant has recently released some more patches with August Patch Tuesday updates. However, it seems it has more to do as the tech giant has shed light on another Print Spooler zero-day.
Another Print Spooler Zero-Day Revealed
Microsoft has recently issued an advisory about another zero-day vulnerability affecting Windows Print Spooler.
As elaborated, the vulnerability (CVE-2021-36958) can lead to remote code execution if exploited.
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This vulnerability again compels users to disable the Print Spooler service, since no fix is presently available. In turn, users will be unable to print, both locally and remotely, while the service is disabled.
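The interim mitigation the article describes, written out as an added PowerShell example (not code from the article or from Microsoft): stop the Print Spooler service, prevent it from starting again, and verify the result. It assumes an elevated session on Windows with PowerShell 5.0 or later (for the StartType property on Get-Service).

```powershell
# Added example (not from the article or Microsoft): apply the interim
# mitigation of disabling the Print Spooler service, then verify it.
# Run in an elevated PowerShell session. Local and remote printing on this
# host will not work until the service is re-enabled.
$svc = Get-Service -Name Spooler -ErrorAction Stop

if ($svc.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
}

# Prevent the service from starting again, at boot or on demand.
Set-Service -Name Spooler -StartupType Disabled

# Verify: status should be Stopped and start type Disabled.
$after = Get-Service -Name Spooler
"{0}: Status={1} StartType={2}" -f $after.Name, $after.Status, $after.StartType

if ($after.Status -ne 'Stopped' -or $after.StartType -ne 'Disabled') {
    Write-Warning 'Print Spooler is still enabled; the mitigation was not applied.'
}

# To restore printing once a patch has been installed:
#   Set-Service -Name Spooler -StartupType Automatic
#   Start-Service -Name Spooler
```

Disabling the start type matters as much as stopping the service: a stopped service with an Automatic start type comes back at the next reboot, and a Manual one can be started by anything that requests it.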
Fix Not Available, But PoCs Are
The tech giant has credited Victor Mata for reporting this vulnerability. The researcher has also discovered and reported another to Microsoft, as he stated in a recent tweet. But he is waiting for official patches before revealing the technical details of both.
Nonetheless, another researcher, Benjamin Delpy, has separately found and demonstrated the exploit whilst highlighting the PrintNightmare fiasco in various tweets.
Want to test #printnightmare (ep 4.x) user-to-system as a service??
(POC only, will write a log file to system32)
connect to \https://t.co/6Pk2UnOXaG with
– user: .gentilguest
– password: password
Open 'Kiwi Legit Printer – x64', then 'Kiwi Legit Printer – x64 (another one)' pic.twitter.com/zHX3aq9PpM
— Benjamin Delpy (@gentilkiwi) July 17, 2021
Another researcher has also published a CERT vulnerability note elaborating on this exploit further. As stated in it:
While Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify queue-specific files that are associated with the use of the device. For example, a shared printer can specify a CopyFiles directive for arbitrary files. These files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. The remote printer can also be configured to automatically execute code in any files dropped by the CopyFiles directive. This can allow for LPE to SYSTEM on a vulnerable system.
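The CERT note's point is that files delivered with a printer driver, unlike the driver package itself, are not signature-checked. The following added PowerShell example (not from the CERT note, the article, or Microsoft) audits that from the defender's side: it walks the local driver store, checks the Authenticode status of every executable file there, and notes which installed driver references each file through its dependent-file list. It assumes the PrintManagement module (Windows 8 / Server 2012 and later), the default driver store location under System32\spool\drivers, and that Get-PrinterDriver's DependentFiles entries end in the file's leaf name; all three are assumptions, not facts from the page.

```powershell
# Added example (not from the CERT note or the article): list executable
# files in the printer driver store that do not carry a valid Authenticode
# signature, and show which installed driver references them.
# Requires the PrintManagement module; run in an elevated session.
Import-Module PrintManagement -ErrorAction Stop

# Assumption: default driver store location.
$spoolRoot = Join-Path $env:SystemRoot 'System32\spool\drivers'

# Map leaf file name -> names of drivers that list it as a dependent file.
# Assumption: DependentFiles entries are names or paths ending in the leaf name.
$refs = @{}
foreach ($drv in Get-PrinterDriver) {
    foreach ($f in @($drv.DependentFiles)) {
        if ([string]::IsNullOrWhiteSpace($f)) { continue }
        $leaf = [IO.Path]::GetFileName($f).ToLowerInvariant()
        if (-not $refs.ContainsKey($leaf)) {
            $refs[$leaf] = New-Object System.Collections.Generic.List[string]
        }
        $refs[$leaf].Add($drv.Name)
    }
}

# Walk the driver store and record the signature status of executable content.
$findings = Get-ChildItem -Path $spoolRoot -Recurse -File -Include *.dll, *.exe, *.sys |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $leaf = $_.Name.ToLowerInvariant()
        [pscustomobject]@{
            File         = $_.FullName
            Status       = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            ReferencedBy = if ($refs.ContainsKey($leaf)) { $refs[$leaf] -join '; ' } else { '' }
        }
    }

# Anything other than Valid is a triage candidate. A NotSigned file that a
# driver references is exactly the CopyFiles-delivered case the CERT note
# describes. Caveat: some inbox files are catalog-signed rather than
# embedded-signed and may also appear here; treat the list as a starting
# point for review, not as a verdict.
$findings |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, File |
    Format-Table -AutoSize -Wrap
```

Running this before and after connecting to an untrusted shared printer gives a simple diff of what the driver install actually dropped into the store, which is the observable side effect of the behaviour the note describes.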
All in all, users seemingly have only one option for now to protect their systems from this mess: disable Print Spooler until a fix arrives.