Another zero-day vulnerability in Windows Print Spooler can give a threat actor local SYSTEM privilege on a Windows machine by loading files from a remote print server under the attacker’s control and the ‘Queue-Specific Files’ feature. Last month, a security researcher prematurely revealed a zero-day Windows print spooler vulnerability known as PrintNightmare that Microsoft tracks as CVE-2021-34527. Microsoft released a security update to fix the vulnerability, but researchers determined that the patch could be bypassed under certain conditions. Since the incomplete fix, security researchers have been heavily scrutinizing the Windows printing APIs and have found further vulnerabilities affecting the Windows print spooler. Security researcher and Mimikatz creator Benjamin Delpy has publicly disclosed a new zero-day vulnerability that allows a threat actor to easily achieve SYSTEM privileges on a Windows machine through a remote print server under their control. In a conversation with reporters, Delpy said that his exploit uses the ‘Queue-Specific Files’ feature of the Windows Point and Print capability to automatically download and execute a malicious DLL when a client connects to a print server under an attacker’s control. “At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue,” explains Microsoft’s documentation on the ‘Queue-Specific Files’ feature. “The files are downloaded to each client that connects to the print server.” To demonstrate the exploitation of the vulnerability, Delpy created a print server accessible over the Internet with two shared printers that use the queue-specific files feature.
Analyst Notes
The good news is that Delpy and Dormann have shared two methods that can be used to mitigate this new ‘Queue-specific files’ vulnerability.
Both methods are outlined in the CERT advisory.
Option 1: Block outbound SMB traffic at your network boundary
As Delpy’s public exploit uses a remote print server, network administrators can block outbound SMB traffic to prevent access to the remote computer. Blocking outbound SMB with limited exceptions, if needed, is a best practice and should be strongly considered by most organizations even after a patch for this vulnerability is available. However, Dormann states that the MS-WPRN can also be used to install drivers without using SMB, and threat actors could still use this technique with a local printer server.
Option 2: Configure PackagePointAndPrintServerList
A better way to prevent this exploit is to restrict Point and Print to a list of approved servers using the ‘Package Point and print – Approved servers’ group policy. This policy prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list.
Using this group policy will provide the best protection against the known exploit.
CERT/CC Advisory: https://kb.cert.org/vuls/id/131152
Media reporting: https://www.bleepingcomputer.com/news/microsoft/new-windows-print-spooler-zero-day-exploitable-via-remote-print-servers/
