Discover more ways to attack the printing system in Windows
This technique can be used even if the administrator has applied the ways that Microsoft offers - restricting printer driver installation to administrators and turning off Point and Print.
Although this new local privilege escalation method is not the same as the PrintNightmare vulnerability attack method, Delpy gives the same name to similar printer driver installation errors.
BleepingComputer quoted Delpy as explaining that, even with attack mitigation measures in place, a threat actor can still create a signed malicious print driver package and use it to gain SYSTEM privileges on systems. other.
To do this, the threat agent creates a malicious print driver and signs it with a trusted Authenticode certificate.
However, some threat actors use the Rolls Royce method to sign drivers, i.e. buy or steal EV certificates. They will then impersonate a certain company to get WHQL authentication.
Once a signed printer driver package is available, the threat actor can install the driver on any networked device for which they have administrative privileges.
Next, threat actors can use this "pivot" device to gain SYSTEM privileges on other devices that they don't have elevated privileges for by installing malicious drivers, as shown in Fig. video below.
According to Delpy, the technique can be used to help threat actors spread maliciously widely within an already compromised network.
To prevent this attack, you can disable Print Spooler or enable Point and Print group policy to limit the servers from which the device can load print drivers.
However, enabling Point and Print will allow the PrintNightmare vulnerability to bypass Microsoft's current patch.
When asked how Microsoft could prevent this type of attack, Delpy said that they had previously tried to prevent it by deprecating the version 3 printer driver. This eventually caused problems and Microsoft ended its v3 deprecation policy in June 2017.
Unfortunately, this method probably won't fix the problem because Windows is designed to allow administrators to install printer drivers, even if that driver could be malicious. Furthermore, Windows is designed to allow non-administrators to install signed drivers on their devices for ease of use.
Instead, security software will likely be the primary defense against attacks like this, by detecting drivers or malicious behavior.
Currently, Microsoft has not responded to this issue.
Last month, security researchers accidentally disclosed an exploit of the PrintNightMare zero-day vulnerability.
Although Microsoft later released a security update to fix that vulnerability, security researchers confirmed that the patch could still be 'crossed'.
However, Microsoft claims that their patches still work as planned. Since the vulnerability is being heavily exploited, all Windows users are advised to install the update.
You should read it
- PrintNightMare vulnerability patch is flawed, attackers can still 'break through'
- Steps to fix PrintNightmare vulnerability on Windows 10
- Defender for Identity detects PrintNightmare vulnerability, reducing risk for Print Spooler
- What is 'Spooler SubSystem App' and why run on the computer?
- Steps to disable Print Spooler on Windows 10
- How to restart the Print Spooler service on Windows
- How to Fixed error 0x0000011b could not be printed when printing over the network
- 'Printer Catastrophe' Vulnerability Threatens All Versions of Windows
- Fix Printer Spooler error code 0x800706b9 on Windows 10
- How to fix Print Spooler Error on the printer
- How to set up paper duplex printing on Windows 11
- Fix the spooler print service service not running on Windows 10, 8.1, 7
Maybe you are interested
Driver Talent - Free Driver Updater
Intel releases new driver update package with 6GHz optimization and many other improvements
How to remove driver, delete driver in Windows 10, 11
How to reinstall audio driver on Windows 10, 11
How to update driver on Windows 10, 11
4 Ways to update Win 11 Driver, quick update tips