fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft’s Incomplete PrintNightmare Patch Fails to Fix Vulnerability

Microsoft’s Incomplete PrintNightmare Patch Fails to Fix Vulnerability

Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.

Last night, Microsoft released an out-of-band KB5004945 security update that was supposed to fix the PrintNightmare vulnerability that researchers disclosed by accident last month.

After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.

However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems only if the Point and Print policy is enabled.

Today, as more researchers began modifying their exploits and testing the patch, it was determined that exploits could bypass the entire patch entirely to achieve both local privilege escalation (LPE) and remote code execution (RCE).

According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.

Dormann also confirmed this patch bypass on Twitter

To bypass the PrintNightmare patch and achieve RCE and LPE, a Windows policy called ‘Point and Print Restrictions’ must be enabled, and the “When installing drivers for a new connection” setting configured as “Do not show warning on elevation prompt.”

Point and Print restrictions policy

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

This policy is located under Computer Configuration > Administrative Templates > Printers Point and Print Restrictions.

When enabled, the ‘NoWarningNoElevationOnInstall‘ value will be set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
“NoWarningNoElevationOnInstall”=dword:00000001

Hickey told BleepingComputer that he is still advising admins and users to disable the Print Spooler service to protect their Windows servers and workstations until a working patch is released.

“We’re still advising our clients to disable the printer spooler wherever its not required until a fix arrives that addresses this issue appropriately,” Hickey told BleepingComputer.

0patch has also released a free micropatch for PrintNightmare that has so far been able to block attempts at exploiting the vulnerability.

However, they are warning against installing Microsoft’s July 6th patch as it not only doesn’t protect against the vulnerabilities but modifies the ‘localspl.dll’ file so 0Patch’s patch no longer works.

“If you’re using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn’t fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying,” tweeted the 0Patch service.

“We’ve decided not to port our PrintNightmare patches to the localspl.dll version brought by Microsoft’s out-of-band update from July 6, but will rather wait for Patch Tuesday that’ll hopefully fix the flawed IsLocalFile function, then we’ll port our patches to block local attacks”

Windows users and admins are advised to do one of the following:

Microsoft has told BleepingComputer that they are investigating the claims of bypasses to their patch.

“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses,” Microsoft told BleepingComputer.

They also told BleepingComputer that the claims of bypasses are where an administrator changed default registry settings to an unsecure configuration and referred us to the CVE-2021-34527 advisory.

It is not clear if they refer to enabling Point and Print, and we have emailed them for clarification.

Microsoft said they would take appropriate action to protect their customers if investigations indicate there are further issues.

Understanding the PrintNightmare vulnerability

Matthew Hickey, aka Hacker Fantastic, was kind enough to take some time and chat with me today about the PrintNightmare vulnerability and how it works.

PrintNightmare is a vulnerability in the Windows Print Spooler that is caused by missing ACL (access control list) checks in the AddPrinterDriverEx (), RpcAddPrinterDriver (), and RpcAsyncAddPrinterDriver () Windows API functions used to install local or remote printer drivers.

Each of these functions are utilized through different Windows APIs, listed below:

  • AddPrinterDriverEx (SDK)
  • RpcAddPrinterDriver (MS-RPRN)
  • RpcAsyncAddPrinterDriver (MS-PAR

With PrintNightmare, a permission check can be bypassed to install a malicious DLL into the C:\Windows\System32\spool\drivers folder that is then loaded as a print driver by the exploit to achieve remote code execution or local privilege escalation.

“The API takes a user supplied argument as part of a permissions check when testing if it should permit installation of files into that folder with SYSTEM rights.”

“It doesn’t matter about the ACL’s on the folder, it’s specifically a check inside the software SDK which can be bypassed by supplying additional arguments to the function via an API call,” Hickey told BleepingComputer.

Also Read: Data Protection Officer Singapore | 10 FAQs

To exploit the vulnerability, requests can be sent directly to the local service via RPC or LRPC.

While Microsoft’s OOB patch focused on blocking the remote exploitation of the vulnerability, Hickey states that they did not address the underlying ACL check allowing for modified exploits to be created.

“The recent patch Microsoft released is focused on addressing the RCE exploit vector and seems to address the common PoC’s that float around, however as you can also reach this via LRPC and local API – depending on the host and circumstances, it appears the patch does not properly address the underlying problem in the ACL check which allows for exploitation still for LPE on a fully patched host,” explained Hickey.

This means that to bypass the RCE blocks, researchers had to find a method not defined by Microsoft’s block, such as Delpy’s use of a UNC path.

Update 7/7/21 5:05 PM EST: Added more information about the vulnerability and mitigations.
Update 7/7/21 8:28 PM EST: Clarified that the Point and Print policy must be enabled to exploit the vulnerability.
Update 7/7/21 8:51 PM EST: Added Microsoft’s statement.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us