Microsoft's Out-of-Band fix for PrintNightmare already bypassed by hackers


Yesterday, Microsoft released an out-of-band patch for the PrintNightmare zero-day exploit, which grants attackers full Remote Code Execution capabilities on fully patched devices running the Windows Print Spooler.

It turns out, however, that the patch, which was released in record time, may be flawed.

Microsoft only fixed the remote code execution vector, meaning the flaw could still be used for local privilege escalation. In addition, hackers soon discovered that the flaw could still be exploited remotely as well.

According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.

This bypass was confirmed by security researcher Will Dormann.

Currently, security researchers advise that admins keep the Print Spooler service disabled until all the issues are fixed.

Read much more detail at BleepingComputer here.
