  • shane5412

Alert: Microsoft PrintNightmare Exploit

Microsoft reports that the critical Windows Print Spooler flaw known as "PrintNightmare" is being exploited in the wild.

What is the PrintNightmare Exploit?

PrintNightmare is a remote code execution (RCE) vulnerability in the Windows Print Spooler service. Microsoft states that it has detected exploitation attempts targeting the flaw. From the Microsoft advisory: "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attack must involve an authenticated user calling RpcAddPrinterDriverEx()."

In practice this means any domain user who can reach the spooler's RPC interface on a host where the service is running can load a driver DLL of their choosing into the SYSTEM-level spooler process. Domain controllers are the most valuable targets, since they run the spooler by default and almost never need it.

CVEs to look out for

Microsoft is tracking the issue under CVE-2021-34527 and CVE-2021-1675. CVE-2021-1675 was addressed in the June 2021 security update; CVE-2021-34527 was assigned afterwards to the related but distinct flaw that remained exploitable on patched systems. CVE-2021-34527 carries a CVSS base score of 8.8. The vulnerable code is present in all supported versions of Windows, and any system on which the Print Spooler service is running and reachable is a candidate for exploitation.

How to mitigate this exploit

The following PowerShell script (shared by LaresLLC; the original is gtworek's PSBits repository, as its header notes) enumerates every domain controller, checks whether the spooler is running, and stops and disables the service where only the built-in Microsoft XPS Document Writer and Microsoft Print To PDF drivers exist. Controllers with other printers installed are reported and left alone, so review that output by hand. Two caveats: the script uses the -ComputerName parameters of Get-Service and Set-Service and Get-WmiObject, which exist only in Windows PowerShell 5.1 (not PowerShell 7), and it needs RSAT's ActiveDirectory module plus administrative rights on each controller. Where the spooler must stay running, Microsoft's advisory offers the Group Policy setting "Allow Print Spooler to accept client connections" set to Disabled, which removes the remote RPC attack surface while keeping local printing.

# the script STOPS and DISABLES the Print Spooler service (aka #PrintNightmare) on each domain controller returned by Get-ADDomainController IF ONLY DEFAULT PRINTERS EXIST.
# revert if you need: go to services.msc, find the "print spooler" service, change startup type to "automatic" and start the service.
# Source: https://github.com/gtworek/PSBits/blob/master/Misc/StopAndDisableDefaultSpoolers.ps1
#
# Requirements: RSAT (ActiveDirectory module) and Windows PowerShell 5.1; the -ComputerName
# parameters used below were removed from Get-Service/Set-Service in PowerShell 7.
# Get-Module -Name ActiveDirectory
# Import-Module -Name ActiveDirectory

# every domain controller in the current domain
$computers = Get-ADDomainController -Filter * | ForEach-Object { $_.Name }

foreach ($computer in $computers)
{
    Write-Host "Processing $computer ..."

    # remote service query; $null means the host or its service control manager was unreachable
    $service = Get-Service -ComputerName $computer -Name Spooler -ErrorAction SilentlyContinue
    if (!$service)
    {
        Write-Host "Cannot connect to Spooler Service on $computer. Skipping." -ForegroundColor Yellow
        continue
    }
    if ($service.Status -ne "Running")
    {
        Write-Host ("Service status is: """ + $service.Status + """. Skipping.") -ForegroundColor Yellow
        continue
    }

    # enumerate installed printers over WMI so the decision is based on what the host actually uses
    $printers = (Get-WmiObject -Class Win32_Printer -ComputerName $computer)
    if (!$printers)
    {
        Write-Host "Cannot enumerate printers. Skipping." -ForegroundColor Yellow
        continue
    }

    # only disable when nothing but the two built-in virtual printers is present
    $disableSpooler = $true
    foreach ($DriverName in ($printers.DriverName))
    {
        if (($DriverName -notmatch 'Microsoft XPS Document Writer') -and ($DriverName -notmatch 'Microsoft Print To PDF'))
        {
            Write-Host "  Printer found: $DriverName" -ForegroundColor Green
            $disableSpooler = $false
        }
    }

    if ($disableSpooler)
    {
        Write-Host "Only default printers found. Stopping and disabling spooler..." -ForegroundColor DarkCyan
        (Get-Service -ComputerName $computer -Name Spooler) | Stop-Service -Verbose
        Set-Service -ComputerName $computer -Name Spooler -StartupType Disabled -Verbose
    }
    else
    {
        Write-Host "Non-default printers found. Skipping." -ForegroundColor Green
    }
}
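The script above changes state but does not tell you where you still stand afterwards. The following audit helper is an added example, written for this page and not part of the original post or the PSBits script. It reports, per host, whether the spooler is running, whether the "Allow Print Spooler to accept client connections" policy has removed the remote RPC endpoint (the policy writes RegisterSpoolerRemoteRpcEndPoint = 2), whether the Point and Print values NoWarningNoElevationOnInstall and UpdatePromptSettings are set to 1 (Microsoft's advisory says they must be 0 or absent), and how many driver-add events (ID 316 in the PrintService/Operational log) occurred in the last week. The RemoteExploitable and WeakPointAndPrint verdicts are this editor's reading of the advisory, not Microsoft's wording. It assumes Windows PowerShell 5.1 running as an administrator and WinRM on remote hosts.

```powershell
# Added audit helper for PrintNightmare exposure (example code, not from the original post).
# Assumes Windows PowerShell 5.1, administrative rights, and WinRM for remote hosts.
function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    begin {
        # Everything inside $probe runs on the target host.
        $probe = {
            $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

            # GPO "Allow Print Spooler to accept client connections" = Disabled writes this value as 2,
            # which stops the spooler from registering its remote RPC endpoint.
            $printersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
            $rpcEndpoint = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

            # Point and Print restrictions; a value of 1 lets non-admins install drivers without prompts.
            $pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
            $pnp = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue

            # Driver installs are logged as event 316 in PrintService/Operational, but that log is off
            # by default, so report its state alongside the count.
            $logName = 'Microsoft-Windows-PrintService/Operational'
            $log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
            $driverAdds = @()
            if ($log -and $log.IsEnabled) {
                $driverAdds = @(Get-WinEvent -FilterHashtable @{
                        LogName   = $logName
                        Id        = 316
                        StartTime = (Get-Date).AddDays(-7)
                    } -ErrorAction SilentlyContinue)
            }

            [pscustomobject]@{
                ComputerName         = $env:COMPUTERNAME
                SpoolerStatus        = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
                SpoolerStartType     = if ($spooler) { $spooler.StartType.ToString() } else { 'NotInstalled' }
                RemoteRpcDisabled    = ($rpcEndpoint -eq 2)
                NoWarningNoElevation = $pnp.NoWarningNoElevationOnInstall
                UpdatePromptSettings = $pnp.UpdatePromptSettings
                PrintServiceLogOn    = [bool]($log -and $log.IsEnabled)
                DriverAddsLast7Days  = $driverAdds.Count
            }
        }
    }

    process {
        foreach ($computer in $ComputerName) {
            if ($computer -eq $env:COMPUTERNAME -or $computer -eq 'localhost') {
                $result = & $probe
            }
            else {
                $result = Invoke-Command -ComputerName $computer -ScriptBlock $probe
            }

            # Editor's assessment: remotely exploitable when the spooler is up and still exposes
            # its RPC endpoint; weak Point and Print when either restriction value is 1.
            $exposed = ($result.SpoolerStatus -eq 'Running') -and (-not $result.RemoteRpcDisabled)
            $weakPnp = ($result.NoWarningNoElevation -eq 1) -or ($result.UpdatePromptSettings -eq 1)
            $result | Add-Member -NotePropertyName RemoteExploitable -NotePropertyValue $exposed
            $result | Add-Member -NotePropertyName WeakPointAndPrint -NotePropertyValue $weakPnp
            $result
        }
    }
}

# Usage: audit every domain controller and list the ones that still answer spooler RPC calls.
Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name |
    Test-PrintNightmareExposure | Where-Object RemoteExploitable | Format-Table -AutoSize
```

Run it before and after applying the stop-and-disable script: a controller that still shows RemoteExploitable as True either had non-default printers (so the script skipped it) or was unreachable, and needs the Group Policy mitigation or a manual decision instead.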
