Last week Microsoft advised Windows users about vulnerabilities in the Windows Print Spooler service: CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers.
Kaspersky products protect against attacks leveraging these vulnerabilities. The following detection names are applied:

HEUR:Exploit.Win32.CVE-2021-1675.*
HEUR:Exploit.Win32.CVE-2021-34527.*
HEUR:Exploit.MSIL.CVE-2021-34527.*
HEUR:Exploit.Script.CVE-2021-34527.*
HEUR:Trojan-Dropper.Win32.Pegazus.gen
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
Exploit.Win32.CVE-2021-1675.*
Exploit.Win64.CVE-2021-1675.*
Our detection logic also successfully blocks the attack technique used by the latest Mimikatz framework, v. 2.2.0-20210707.
We are closely monitoring the situation and improving generic detection of these vulnerabilities using our Behavior Detection and Exploit Prevention components. As part of our Managed Detection and Response service, Kaspersky SOC experts are able to detect exploitation of these vulnerabilities, investigate such attacks and report to customers.
Technical details CVE-2021-34527
When using RPC protocols to add a new printer (RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]), a client has to provide multiple parameters to the Print Spooler service:
pDataFile - a path to a data file for this printer;
pConfigFile - a path to a configuration file for this printer;
pDriverPath - a path to a driver file that is used by this printer while it is working.
The service performs several checks to ensure pDataFile and pDriverPath are not UNC paths, but there is no corresponding check for pConfigFile, meaning the service will copy the configuration DLL to the folder %SYSTEMROOT%\system32\spool\drivers\x64\3\ (on x64 versions of the OS).
Now, if the Windows Print Spooler service tries to add a printer again, but this time specifies pDataFile as the path of the copied DLL (from the previous step), the print service will load this DLL because its path is not a UNC path, so the check is passed. These techniques can be used by a low-privileged account, and the DLL is loaded by a process running as NT AUTHORITY\SYSTEM.
The local version of PrintNightmare uses the same exploitation method as CVE-2021-34527, but there is a difference in the entry point (AddPrinterDriverEx). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.
Quoting Microsoft (as of July 7th, 2021): "Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object (GPO). While this security assessment focuses on domain controllers, any server is potentially at risk to this type of attack."
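The following PowerShell script is an added example, not code from the original post or from Kaspersky; it ties the two practical points above together for a host you administer. It audits the mechanism described in the technical details (a DLL dropped into the x64 "version 3" spool driver folder and later loaded as SYSTEM) by listing recently created DLLs in that folder with their Authenticode status, and it reports and optionally applies the mitigation Microsoft quotes: stopping and disabling the Print Spooler service where it is not needed, with domain controllers flagged explicitly. It assumes an elevated PowerShell 5.1 or later session; the function names, the seven-day window and the output fields are this example's own choices.

```powershell
# Added example (not part of the original post): PrintNightmare exposure audit
# and single-host mitigation. Assumes an elevated PowerShell 5.1+ session.
# $SpoolDriverDir is the x64 "version 3" driver folder named in the write-up.
$SpoolDriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'

function Get-PrintSpoolerState {
    # Service status and start type; disabling the service is the mitigation
    # Microsoft recommends for domain controllers and AD admin systems.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Status    = $svc.Status.ToString()
        StartType = $svc.StartType.ToString()
    }
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Get-RecentSpoolerDlls {
    param(
        [string]$Path = $SpoolDriverDir,
        [int]$WithinDays = 7   # review window chosen for this example
    )
    # Exploitation copies an attacker-supplied DLL into this folder, so a DLL
    # that appeared recently and does not carry a valid signature deserves a
    # closer look (legitimate driver updates also land here, hence the window).
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $cutoff = (Get-Date).AddDays(-$WithinDays)
    Get-ChildItem -LiteralPath $Path -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                Created    = $_.CreationTime
                Modified   = $_.LastWriteTime
                SigStatus  = $sig.Status.ToString()
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Suspicious = ($sig.Status -ne 'Valid')
            }
        }
}

function Get-PrintNightmareExposure {
    $state = Get-PrintSpoolerState
    $isDc  = Test-IsDomainController
    $dlls  = @(Get-RecentSpoolerDlls)
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = if ($state) { $state.Status } else { 'NotInstalled' }
        SpoolerStartType   = if ($state) { $state.StartType } else { 'NotInstalled' }
        # A running spooler on a DC is exactly the case Microsoft's guidance targets.
        NeedsMitigation    = [bool]($isDc -and $state -and $state.Status -eq 'Running')
        RecentDllCount     = $dlls.Count
        SuspiciousDlls     = @($dlls | Where-Object Suspicious)
    }
}

function Disable-PrintSpooler {
    # Local equivalent of the quoted recommendation. Across a domain, apply the
    # same setting through a GPO rather than host by host.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
}

# Usage: audit first, then mitigate only where the report says it is needed.
$report = Get-PrintNightmareExposure
$report | Format-List Host, IsDomainController, SpoolerStatus, SpoolerStartType, NeedsMitigation, RecentDllCount
$report.SuspiciousDlls | Format-Table Path, Created, SigStatus, Signer -AutoSize
if ($report.NeedsMitigation) { Disable-PrintSpooler }
```

The audit is read-only; only the final line changes the host, and only when the host is a domain controller with the spooler running. On servers that legitimately print, keep the service but treat any unsigned, newly created DLL under the spool driver folder as an incident lead rather than auto-deleting it, since the file and its timestamps are evidence of how and when the driver was added.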