Another way to attack the Windows printing system discovered
This technique can be used even if the administrator has applied the mitigations that Microsoft offers: restricting printer driver installation to administrators and turning off Point and Print.
Although this new local privilege escalation method is not the same as the PrintNightmare attack method, Delpy uses the same name for this family of printer driver installation flaws.
BleepingComputer quoted Delpy as explaining that, even with the mitigations in place, a threat actor can still create a signed malicious print driver package and use it to gain SYSTEM privileges on other systems.
To do this, the threat actor creates a malicious print driver and signs it with a trusted Authenticode certificate.
Alternatively, some threat actors use what Delpy calls the "Rolls Royce" method of signing drivers: buying or stealing an EV certificate and then posing as a legitimate company to obtain WHQL certification.
Once a signed printer driver package is available, the threat actor can install the driver on any networked device on which they already have administrative privileges.
Next, the threat actor uses this "pivot" device to gain SYSTEM privileges on other devices for which they have no elevated privileges, by pushing the malicious driver to them, as demonstrated in the video below.
According to Delpy, the technique can help threat actors move laterally within an already compromised network.
To prevent this attack, you can disable the Print Spooler service or enable the Point and Print Restrictions group policy to limit the servers from which a device may load print drivers.
However, enabling Point and Print allows the PrintNightmare vulnerability to bypass Microsoft's current patch.
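As an added example (not from the article and not Delpy's code), the following PowerShell script audits, on a single host, the settings discussed above: whether the Spooler service is running, whether driver installation is restricted to administrators, whether install prompts are suppressed, and whether Point and Print is limited to an explicit server list. The registry path and value names are those Microsoft documents for the Point and Print policies; run it in an elevated session.

```powershell
# Added example, not from the article: audit the Point and Print settings the text
# describes. Path and value names follow Microsoft's Point and Print policy
# documentation (KB5005652 / "Point and Print Restrictions").
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PnPValue([string]$Name) {
    # Returns $null when the policy value is not configured at all.
    (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# 1. Is the Print Spooler running? Stopping it removes the whole attack surface.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += "Spooler service is running (startup type: $($spooler.StartType))"
}

# 2. Driver installation restricted to administrators (Microsoft's default is 1).
$restrict = Get-PnPValue 'RestrictDriverInstallationToAdministrators'
if ($restrict -eq 0) {
    $findings += 'RestrictDriverInstallationToAdministrators = 0: non-admins may install print drivers'
}

# 3. Warning/elevation prompts on driver install; any non-zero value weakens them.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-PnPValue $name
    if ($null -ne $v -and $v -ne 0) {
        $findings += "$name = $v: install/update prompts reduced or suppressed"
    }
}

# 4. Point and Print Restrictions: is driver loading limited to an explicit server list?
$trusted = Get-PnPValue 'TrustedServers'
$servers = Get-PnPValue 'ServerList'
if ($trusted -ne 1 -or [string]::IsNullOrWhiteSpace($servers)) {
    $findings += 'No trusted print server allow-list configured (TrustedServers/ServerList)'
} else {
    "Allowed print servers: $servers"
}

if ($findings.Count -eq 0) {
    'No weak Point and Print settings found'
} else {
    $findings | ForEach-Object { "WEAK: $_" }
}
```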
When asked how Microsoft could prevent this type of attack, Delpy said that Microsoft had previously tried to do so by deprecating version 3 printer drivers. This eventually caused problems, and Microsoft ended its v3 deprecation policy in June 2017.
Unfortunately, that approach probably would not fix the problem either, because Windows is designed to allow administrators to install printer drivers even when a driver could be malicious. Furthermore, Windows is designed to allow non-administrators to install signed drivers on their devices for ease of use.
Instead, security software will likely be the primary defense against attacks like this, by detecting malicious drivers or malicious behavior.
Currently, Microsoft has not responded to this issue.
Last month, security researchers accidentally disclosed an exploit for the PrintNightmare zero-day vulnerability.
Although Microsoft later released a security update to fix that vulnerability, security researchers confirmed that the patch could still be bypassed.
However, Microsoft maintains that its patch works as intended. Since the vulnerability is being actively exploited, all Windows users are advised to install the update.