Yesterday Microsoft released an out-of-band patch for the PrintNightmare zero-day exploit, which grants attackers full remote code execution on fully patched Windows systems running the Print Spooler service.
It turns out, however, that the patch, which was released in record time, may be flawed.
Microsoft's fix addressed only the remote code execution path, meaning the flaw could still be used for local privilege escalation. In addition, hackers soon discovered that the flaw could still be exploited remotely as well.
According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.
Dealing with strings & filenames is hard?
New function in #mimikatz to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
— Benjamin Delpy (@gentilkiwi) July 7, 2021
This bypass was confirmed by security researcher Will Dormann.
If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE. https://t.co/RgIc1yrnhn
— Will Dormann (@wdormann) July 7, 2021
Currently, security researchers advise that admins keep the Print Spooler service disabled until all the issues are fixed.
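The following is an added example, not code from the original post or from any of the researchers quoted: a read-only PowerShell check an admin can run to see whether a host matches the condition Dormann describes (Point and Print with NoWarningNoElevationOnInstall = 1) and whether the Print Spooler is still running. The registry path is the one written by the Point and Print Restrictions policy; the UpdatePromptSettings value is the sibling setting from Microsoft's own guidance and is assumed here rather than taken from this post.

```powershell
# Added example (not from the original post): report whether this host is in the
# state where the PrintNightmare patch alone is ineffective, and whether the
# Print Spooler service, which researchers advise disabling, is still running.

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # Returns $null when the key or value is not defined (policy default).
    $item = Get-ItemProperty -Path $pnpKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$noWarning    = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall'
$updatePrompt = Get-PointAndPrintValue -Name 'UpdatePromptSettings'   # assumed sibling value
$spooler      = Get-Service -Name Spooler -ErrorAction SilentlyContinue

$findings = @()
if ($noWarning -eq 1) {
    $findings += 'NoWarningNoElevationOnInstall = 1: driver installs skip the warning and elevation prompt; the patch for CVE-2021-34527 alone does not protect this host.'
}
if ($updatePrompt -eq 1) {
    $findings += 'UpdatePromptSettings = 1: driver updates also skip the prompt.'
}
if ($null -ne $spooler -and $spooler.Status -eq 'Running') {
    $findings += "Print Spooler is running (StartType $($spooler.StartType)); current advice is to keep it disabled until the issue is fully fixed."
}

# Remediation, if you decide to follow the researchers' advice (run elevated):
#   Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled

[pscustomobject]@{
    ComputerName                  = $env:COMPUTERNAME
    NoWarningNoElevationOnInstall = $noWarning
    UpdatePromptSettings          = $updatePrompt
    SpoolerStatus                 = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
    Findings                      = $findings
}
```

An empty Findings list means the host neither has the prompt-skipping policy set nor a running spooler; a non-empty list is the condition to fix before trusting the patch.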
Read much more detail at BleepingComputer here.