November 30, 2023

There is a new high-severity vulnerability dubbed PrintNightmare, which exploits a flaw in the Windows Print Spooler service. It can provide full domain access to a domain controller in the SYSTEM context. Using the exploit requires authenticating as a domain user. The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

PrintNightmare is not the same as CVE-2021-1675, which was fixed in the June patch; there is currently no patch available for PrintNightmare. The critical cases are print servers, domain controllers and other servers where a LOCAL privilege escalation matters, such as Citrix, VMware or other terminal services hosts.

PrintNightmare can be exploited by a malicious or compromised authenticated user to execute code at the SYSTEM level on a remote domain controller via the vulnerable Windows Print Spooler service running on that host. It may affect more than just domain controllers: any Windows installation running the vulnerable Print Spooler service is potentially at risk, though domain controllers are the more valuable target. On every system where the Print Spooler service is not required (it is enabled by default), disable the service.

The exploit works by dropping a DLL into a subdirectory under C:\Windows\System32\spool\drivers.

Workaround until a patch is available

$Path = "C:\Windows\System32\spool\drivers"
$Acl = Get-Acl $Path
# Deny SYSTEM the Modify right on the directory, its subfolders and its files, so the
# Spooler (which runs as SYSTEM) cannot write a dropped driver DLL there.
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
# Attach the new rule to the ACL before writing it back to the directory.
$Acl.AddAccessRule($Ar)
Set-Acl $Path $Acl

If you have not installed the latest Windows updates on your system, do so now, and disable the Print Spooler service, at least on domain controllers, until you have a clear picture and Microsoft releases a patch.
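The following audit script is an added example, not code from the original post. It checks the two controls described above on a host: whether the Print Spooler service is running and whether the Deny ACE from the workaround is present on the drivers directory, and it lists DLLs recently written under that directory for review. It is read-only and assumes an elevated PowerShell 5.1 or later session on the host being checked.

```powershell
# Added audit script (not from the original post). Read-only: reports state, changes nothing.
$Path = "C:\Windows\System32\spool\drivers"

function Get-SpoolerState {
    # Status and start type of the Print Spooler service on this host.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Status = 'NotInstalled'; StartType = 'n/a' } }
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }
}

function Test-SpoolDriversDenyAce {
    param([string]$Directory = $Path)
    # The workaround adds a Deny ACE granting SYSTEM no Modify right on the directory.
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Directory
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -match 'SYSTEM$' -and
        (([int]$_.FileSystemRights -band $modify) -eq $modify)
    }
    return [bool]$match
}

function Get-RecentSpoolDriverDlls {
    param([string]$Directory = $Path, [int]$Hours = 24)
    # Driver DLLs written recently; a freshly dropped DLL here is what the exploit leaves behind.
    $since = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path $Directory -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime
}

$state  = Get-SpoolerState
$hasAce = Test-SpoolDriversDenyAce
"Spooler service: Status=$($state.Status) StartType=$($state.StartType)"
"Deny ACE on ${Path}: $hasAce"
if ($state.Status -eq 'Running' -and -not $hasAce) {
    "WARNING: Spooler is running without the workaround ACE; disable the service or apply the ACE."
}
"DLLs written under $Path in the last 24 hours (review anything unexpected):"
Get-RecentSpoolDriverDlls | Format-Table -AutoSize
```

Where the Spooler is not needed, `Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled` removes the attack surface entirely; note that the Deny ACE also blocks legitimate driver installs, so remove it once the host is patched.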
