Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say

Updated Any celebrations that Microsoft's out-of-band patch had put a stop PrintNightmare shenanigans may have been premature.

The emergency update turned up yesterday for a variety of Microsoft operating systems; little-used products like Windows Server 2012 and 2016 were excluded from the interim release.

While it initially appeared the remote-code execution (RCE) aspect of the security bug had been resolved, the local privilege escalation (LPE) hole remained, judging by the findings of a number of security researchers.

Then it got worse as demonstrations emerged apparently showing RCE and LPE were still possible on a fully patched server. That means it's still possible for an authenticated user to get admin-level privileges on a local or remote machine running the Windows print spooler service. Proof-of-exploit code is floating around the internet; miscreants just need to make use of UNC to bypass the patch.

Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \\server\share format)

So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled

> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r

— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021

Mimikatz creator Benjamin Delpy, who is also responsible for the R&D Security Center at the Banque de France, shared a screenshot of a reversed-engineered Windows DLL with The Register and explained that the problem was down to how Microsoft was checking for remote libraries in its patch for PrintNightmare aka CVE-2021-34527.

• Microsoft patches PrintNightmare – even on Windows 7 – but the terror isn't over
• The PrintNightmare continues: Microsoft confirms presence of vulnerable code in all versions of Windows
• PrintNightmare: Kicking users from Pre-Windows 2000 legacy group may thwart domain controller exploitation
• Leaked print spooler exploit lets Windows users remotely execute code as system on your domain controller

"To determine if the library is remote or not," he told us, "Microsoft check if the filename start by \\, like in \\remoteserver\sharename\filename"

"But in fact, the is another filename convention that can be used for remote file like: \??\UNC\remoteserver\sharename\filename"

Delpy described the issue as "weird from Microsoft" and was blunt about how the fix made it out in that form, opining that he believed: "They did not test it for real."

To be fair to the Windows giant, we can imagine there was a good deal of consternation within its walls after the accidental disclosure of the PrintNightmare vulnerability. We asked Microsoft for its take on Delpy's findings, and Redmond is stone-walling.

PrintNightmare has proven to be, frankly, a nightmare for the IT giant's customers. Turning off the print spooler service on domain controllers and systems that do not print is the official guidance from Uncle Sam. Microsoft says about the same, and to install patches, with more info here.

In short, disable the vulnerable the print spooler service on your Windows systems to prevent exploitation.

This leaves networks with little choice. We've heard that the University of Reading in the UK, for one, pushed out a memo that read: "Please be advised that we have taken the difficult decision to disable all printing on the University's network, and from UoR devices printing at home."

"This renders all printing at the university, including locally connected USB printers, unusable," observed the Register reader who forwarded on the update to us. "Not without its problems."

The university has since begun pushing the patch out to PCs on its network. It may find itself having to push out a patch to patch the patch, in true Microsoft style. ®

Updated to add at 09:15 UTC on 8 July 2021:

A Microsoft spokesperson has been in touch to say the software firm is "aware of claims and are investigating, but at this time we are not aware of any bypasses.

"We have seen claims of bypass where an administrator has changed default registry settings to an unsecure configuration. See CVE-2021-34527 guidance for more information on settings required to secure your system."

They added: "If our investigation identifies additional issues, we will take action as needed to help protect customers."

In other words, if you have a default configuration and install the patch, you should be fine; if you deviate from the default, you may render your box vulnerable. Check the above link for the Registry keys and other requirements for what Microsoft says is a secure deployment – or just switch off print spooler and be done with it.