Despite second patch, PrintNightmare is back again

Microsoft has been dealing with a vulnerability where hackers can take over PCs by installing compromised printer drivers for nearly a month now, but it seems the issue is more complex and deeper than even Microsoft anticipated.

Despite a recent patch which changed the defaults on Windows 10 and prevented Standard users from installing printer drivers, hackers have found a bypass which still allowed a privilege escalation for standard users.

Benjamin Delpy has shown that hackers can quickly gain SYSTEM privileges simply by connecting to a remote print server, by using the CopyFile registry directive to copy a DLL file that opens a command prompt to the client along with a print driver when you connect to a printer.

Microsoft has acknowledged the issue in advisory CVE-2021-36958, saying:

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The workaround for this vulnerability is stopping and disabling the Print Spooler service.

While Microsoft calls it a remote code execution vulnerability, the exploit appears to be a Local Privilege Escalation bug, which should at least provide some reassurance for network admins.

Microsoft is once again recommending that admins disable Print Spooler and thereby disabling printing from Windows. Another workaround, not recommended by Microsoft, is to limit the printers you can connect to to a specific list by using  ‘Package Point and print – Approved servers’ group policy. Read how to do that at BleepingComputer here.