Windows print nightmare continues with malicious driver packages

Microsoft’s print nightmare continues with another example of how a threat actor can achieve SYSTEM privileges by abusing malicious printer drivers.


Last month, security researchers accidentally disclosed a proof-of-concept exploit for the Windows PrintNightmare zero-day.


This vulnerability is tracked as CVE-2021-34527 and is a missing permission check in the Windows Print Spooler that allows for installing malicious print drivers to achieve remote code execution or local privilege escalation on vulnerable systems.


Microsoft released an out-of-band KB5004945 security update that was supposed to fix the vulnerability, but security researchers quickly determined that the patch could be bypassed under certain conditions.


However, Microsoft stated that their patches worked as intended, and as the vulnerability was being actively exploited, advised all Windows users to install the update.


The print nightmare continues


Yesterday, security researcher and Mimikatz creator Benjamin Delpy said he found a way to abuse Windows’ normal method of installing printer drivers to gain local SYSTEM privileges through malicious printer drivers.


This technique can be used even if admins applied Microsoft’s recommended mitigations of restricting printer driver installation to admins and disabling Point and Print.
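An added audit script, not from the article or from Delpy, for checking whether the mitigations mentioned above are actually in place on a host. The registry key and value names are Microsoft's documented Point and Print policy values; the service check is an assumed extra, since a stopped spooler is the one state in which no driver package can be loaded at all.

```powershell
# Added example (not from the article): audit Point and Print hardening and the
# Print Spooler state on the local machine. Run from an elevated PowerShell.

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Values Microsoft's PrintNightmare guidance asks for: no silent, unelevated driver
# installs or updates, and driver installation limited to administrators.
$expected = [ordered]@{
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
    RestrictDriverInstallationToAdministrators = 1
}

function Get-PointAndPrintAudit {
    foreach ($name in $expected.Keys) {
        $actual = $null
        if (Test-Path $key) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        # An absent value means the OS default applies; what that default is depends
        # on the patch level, so it is reported as not explicitly enforced.
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Enforced = ($actual -eq $expected[$name])
        }
    }
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return 'not present' }
    return "$($svc.Status) (StartType: $($svc.StartType))"
}

"Print Spooler service: $(Get-SpoolerState)"
Get-PointAndPrintAudit | Format-Table -AutoSize

# Per the article, Delpy's technique works even with these values enforced, so an
# all-Enforced result lowers exposure but does not rule out driver-based escalation;
# only a stopped and disabled spooler removes the driver-installation path entirely.
```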



#printnightmare – Episode 3


You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?


– Local Privilege Escalation –