web analytics
Home » Technology » Microsoft » Windows » PrintNightmare Hack Gets Access To Admin Rights

PrintNightmare Hack Gets Access To Admin Rights

PrintNightmare

The Windows PrintNightmare vulnerability does not appear to have been completely closed yet. Although Microsoft recently released a patch, attackers can gain admin rights on a foreign system and take over the PC.

The hack was developed by Benjamin Delpy and tried out by BleepingComputer. A PC running Windows 10 21H1 was used in the test. By installing a compromised printer driver, it was possible to gain access to the computer. For this purpose, a print server that can be reached via the Internet was first set up. A manipulated driver that calls a DLL file was made available on the server. The DLL could bring up a shell with admin rights.

No admin login is required

The attack also works if the user is logged in with an account without admin rights. Normal accounts can also install drivers from a remote print server. The drivers will then be executed as usual with system rights.

The former zero-day vulnerability PrintNightmare was discovered in June and gives hackers the option to run malicious code on a remote device and gain privileges. A short time later, Microsoft published a security update that was supposed to close the gap. As a result, however, security researchers have already found out that the patch could be bypassed in the future under certain conditions with little effort.

After all, the malicious driver software does not go unnoticed. Windows Defender classifies the program as dangerous and issues a corresponding warning. However, the tool does not prevent the driver from being installed and executed at first.

Deactivate Services To Avoid Exploit

Until Microsoft has eliminated the problem, users can fall back on various workarounds to protect their computers. For example, the Windows print spooler service can be deactivated. Another option is to block RPC and SMB traffic on the network to prevent driver installation. In addition, the group policy “Package Point and print – Approved servers” can be configured to only allow connections to specific print servers.