The official patch for the PrintNightmare vulnerability was ineffective

Earlier this week, the company released an emergency patch for a critical PrintNightmare bug recently discovered in Windows Print Spooler (spoolsv.exe).

Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

Currently, patches are available for all versions of Windows, including even Windows 7:

Windows 10 21H1 ( KB5004945 )
Windows 10 20H1 ( KB5004945 )
Windows 10 2004 ( KB5004945 )
Windows 10 1909 ( KB5004946 )
Windows 10 1809 and Windows Server 2019 ( KB5004947 )
Windows 10 1803 ( KB5004949 )
Windows 10 1607 and Windows Server 2016 ( KB5004948 )
Windows 10 1507 ( KB5004950 )
Windows Server 2012 ( KB5004956 / KB5004960 )
Windows 8.1 and Windows Server 2012 R2 ( KB5004954 / KB5004958 )
Windows 7 SP1 and Windows Server 2008 R2 SP1 ( KB5004953 / KB5004951 )
Windows Server 2008 SP2 ( KB5004955 / KB5004959 ).

At the same time, cybersecurity researchers quickly discovered that these fixes were incomplete, since the vulnerability could still be exploited locally to gain SYSTEM privileges. In particular, this information was confirmed by Matthew Hickey, co-founder of Hacker House, and Will Dormann, analyst at CERT / CC.

The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector – however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). 🤦‍♂️ https://t.co/PRO3p99CFo
— hackerfantastic.crypto (@hackerfantastic) July 6, 2021

As it turned out now, the problem is even more serious than they thought. Other researchers also began modifying their exploits and testing the patch, after which it turned out that the fix could be bypassed completely and exploit the vulnerability not only for local privilege escalation, but also for remote execution of arbitrary code.

Mimikatz developer Benjamin Delp writes that the patch can be bypassed if the Point and Print Restrictions policy is active, and the “When installing drivers for a new connection” parameter should be set to “Do not show warning on elevation prompt”.

Dealing with strings & filenames is hard😉
New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \servershare format)

So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled

> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
— 🥝 Benjamin Delpy (@gentilkiwi) July 7, 2021

Matthew Hickey told Bleeping Computer that users are still better off turning Print Spooler off altogether, blocking printing locally and remotely (until a full patch is available). Also, the publication itself notes that the unofficial micropatch from the developer 0patch turned out to be more effective, and you can use it. However, this third-party solution conflicts with Microsoft’s July 6, 2021 patch, meaning 0patch can only be applied instead of the official one.

Microsoft says it is already aware of the experts’ findings, and the company is already investigating these reports.