Two days ago Microsoft released an out-of-band patch for the PrintNightmare zero-day, a Windows Print Spooler flaw that gives attackers remote code execution on fully patched Windows systems, and a day later several security researchers showed that the patch could be bypassed with little effort.
Dealing with strings & filenames is hard
New function in #mimikatz to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
— Benjamin Delpy (@gentilkiwi) July 7, 2021
If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE. https://t.co/RgIc1yrnhn pic.twitter.com/Ntxe9wpuke
— Will Dormann is not in Vegas (@wdormann) July 7, 2021
Microsoft has now issued a statement to BleepingComputer denying that the bypass presented a realistic threat, saying:
“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses,” continuing, “We have seen claims of bypass where an administrator has changed default registry settings to an unsecure configuration. See CVE-2021-34527 guidance for more information on settings required to secure your system.”
Microsoft presumably means the Point and Print policy that lets users install printer drivers without a warning or elevation prompt; the company's position is that the default configuration, with that policy not set, is secure.
Microsoft says that after applying the patch you should make sure the following registry values, if they exist, are set to zero:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
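The check above is easy to script across a fleet. The following PowerShell is an added example written for this page, not code from BleepingComputer, Microsoft or the researchers quoted: it reads the two Point and Print values from the policy key, reports whether each is in the documented secure state (0 or not defined), and, with the hypothetical -Remediate switch, resets any non-compliant value to 0. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article or from Microsoft's guidance): audit the
# Point and Print policy values that the CVE-2021-34527 guidance says must be
# 0 or not defined, and optionally reset them. Requires an elevated session.
param(
    [switch]$Remediate   # hypothetical switch: reset non-compliant values to 0
)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
# Values named in the guidance; 0 or absent is the compliant (default) state.
$ValueNames = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Get-PointAndPrintState {
    $result = @()
    foreach ($name in $ValueNames) {
        $current = $null
        if (Test-Path -LiteralPath $KeyPath) {
            # A missing value name yields $null rather than an error.
            $item = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.$name }
        }
        $result += [pscustomobject]@{
            Name      = $name
            Value     = $current                          # $null when not defined
            Compliant = ($null -eq $current) -or ($current -eq 0)
        }
    }
    return $result
}

$state = Get-PointAndPrintState
$state | Format-Table -AutoSize

$bad = $state | Where-Object { -not $_.Compliant }
if (-not $bad) {
    Write-Host 'Point and Print policy values are at the secure default (0 or not defined).'
} elseif ($Remediate) {
    foreach ($entry in $bad) {
        # Writing 0 as a DWORD matches the documented secure state; deleting the
        # value with Remove-ItemProperty would return it to "not defined" instead.
        Set-ItemProperty -LiteralPath $KeyPath -Name $entry.Name -Value 0 -Type DWord
        Write-Host "Reset $($entry.Name) from $($entry.Value) to 0"
    }
} else {
    Write-Warning ("Non-compliant values: " + ($bad.Name -join ', ') +
                   ". The CVE-2021-34527 patch does not protect this host while these are set; " +
                   "rerun with -Remediate or correct the Point and Print Restrictions policy in GPO.")
}
```

One caveat: values under HKLM\SOFTWARE\Policies are normally written by Group Policy (the "Point and Print Restrictions" setting under Computer Configuration > Administrative Templates > Printers). If a GPO sets them to 1, a local reset will be undone at the next policy refresh, so the durable fix is to change the policy itself rather than the registry on each host.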
What is clear is that you need more than the patch to be truly safe: the fix only holds while the Point and Print policy values above are at their defaults, and a system where an administrator or Group Policy has set them to 1 remains exposed to both the local privilege escalation and the remote code execution. Read Microsoft's full configuration guidance in its CVE-2021-34527 advisory.