Microsoft pushed an emergency update to Windows users yesterday for “PrintNightmare,” a zero-day vulnerability that allows attackers to remotely execute code with system privileges on various versions of the operating system. Unfortunately, users are beginning to learn that the update is only partially effective. As discovered by security researchers Matthew Hickey and Will Dormann, Microsoft fixed only the remote code execution component of the vulnerability; threat actors can still use the local privilege escalation component to gain system privileges on both older and newer Windows versions, though on the newer versions this requires the Point and Print policy to be enabled. Admins and users are advised to leave the Print Spooler service disabled until Microsoft releases a more thorough patch, but 0patch’s micropatch has reportedly been effective at blocking the vulnerability.
The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector – however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). 🤦♂️ https://t.co/PRO3p99CFo— Hacker Fantastic (@hackerfantastic) July 6, 2021
Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021
[…] as more researchers began modifying their exploits and testing the patch, it was determined that exploits could bypass the entire patch entirely to achieve both local privilege escalation (LPE) and remote code execution (RCE). According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.
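A check an administrator could run for the two conditions discussed above, the state of the Print Spooler service and whether the Point and Print policy suppresses the driver install prompts, as an added PowerShell example; it is not code from the article, from Microsoft or from 0patch. It assumes an elevated PowerShell session and uses the Group Policy registry location for Point and Print under HKLM, whose value names are not given in the article.

```powershell
# Added example, not code from the original article or from Microsoft/0patch.
# Audits the local host for the two conditions the article calls out: a running
# Print Spooler service and a Point and Print policy that suppresses prompts.
# Assumes an elevated PowerShell 5.1+ session; the key path and value names are
# the standard Point and Print policy location (an assumption of this example).

function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        # When set, stop and disable the spooler on hosts that do not need printing.
        [switch]$DisableSpooler
    )

    $findings = @()

    # 1. Print Spooler service: the article's advice is to leave it disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings += 'Spooler service not present on this host.'
    }
    elseif ($spooler.Status -ne 'Stopped' -or $spooler.StartType -ne 'Disabled') {
        $findings += ('Spooler is {0} with start type {1}.' -f $spooler.Status, $spooler.StartType)
        if ($DisableSpooler) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
            $findings += 'Spooler stopped and set to Disabled.'
        }
    }
    else {
        $findings += 'Spooler is stopped and disabled.'
    }

    # 2. Point and Print policy: a non-zero value in either setting turns off the
    #    install/update prompts, the configuration the article says leaves even a
    #    patched host exposed. Unset or 0 is the default (prompts enabled).
    $pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
    if ($null -eq $pnp) {
        $findings += 'Point and Print policy key not defined (default, prompts enabled).'
    }
    else {
        foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
            $value = $pnp.$name
            if ($null -ne $value -and $value -ne 0) {
                $findings += ('{0} = {1}: prompts suppressed, host remains exposed.' -f $name, $value)
            }
            else {
                $findings += ('{0} is 0 or unset (prompts enabled).' -f $name)
            }
        }
    }

    return $findings
}

# Report only; add -DisableSpooler to also stop and disable the service.
Test-PrintNightmareExposure | ForEach-Object { Write-Output $_ }
```

The function reports rather than changes anything by default, so it can be run fleet-wide through a remoting job to find hosts where the spooler is still running or where the policy values are non-zero; the `-DisableSpooler` switch applies the article's recommended mitigation only where the operator opts in, since disabling the service also stops local printing.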