Microsoft released emergency fixes earlier this week to address the “PrintNightmare” remote code execution exploit affecting all versions of Windows, but it looks like the out-of-band updates still leave some holes in the wall. Since Microsoft published the fixes, several security researchers have shown that it was still possible to exploit the vulnerability on patched systems and servers (via Bleeping Computer).
The PrintNightmare security flaw is a remote code execution vulnerability affecting the Windows Print Spooler service, a component that manages the printing process on Windows PCs inside local networks. Yesterday Benjamin Delpy, a Windows security expert and a developer of the network utility Mimikatz, showed a remote code execution (RCE) and local privilege escalation (LPE) exploit on a patched Windows Server 2019 with the Point and Print technology enabled.
Dealing with strings & filenames is hard
New function in #mimikatz to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
— Benjamin Delpy (@gentilkiwi) July 7, 2021
Point and Print is an old Microsoft technology that allows Windows users to connect to a remote printer while downloading all necessary files and configuration information from the print server. “Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible,” Microsoft acknowledged in its Security Advisory for PrintNightmare.
Along with the release of its emergency fixes on Tuesday, Microsoft also gave IT admins a new way to restrict the installation of new printer drivers to administrators only. However, the Point and Print technology, which can be disallowed for non-administrators, is apparently still problematic and will require more investigation work from Microsoft. Speaking with Bleeping Computer, Microsoft said: “We’re aware of claims and are investigating, but at this time we are not aware of any bypasses.”
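As an added example (not from the article or from Microsoft), the read-only PowerShell audit below checks the Point and Print policy values that Microsoft's July 2021 guidance tells admins to review, including the new restriction on driver installation by non-administrators, and reports whether the Print Spooler is running. The registry value names are Microsoft's; the function name and the report shape are this example's own.

```powershell
# Added audit script; not from the article or from Microsoft. Read-only: it
# only reads policy values and service state, so it is safe to run fleet-wide.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-PointAndPrintHardening {
    [CmdletBinding()]
    param([string]$Key = $PointAndPrintKey)

    $props = if (Test-Path -Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    function Get-PolicyValue([string]$Name) {
        # Returns $null when the key or the value does not exist.
        if ($props -and ($null -ne $props.PSObject.Properties[$Name])) { [int]$props.$Name } else { $null }
    }

    $findings = @()
    # Absent or 0 is the secure state for these two: any non-zero value removes the
    # elevation prompt that Point and Print would otherwise show to a non-admin.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-PolicyValue $name
        if ($null -ne $v -and $v -ne 0) {
            $findings += "$name=$v weakens Point and Print; set it to 0 or remove it"
        }
    }
    # This value must be explicitly 1: it is the restriction Microsoft added with the
    # July 2021 fixes so that only administrators can install printer drivers.
    $r = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'
    if ($r -ne 1) {
        $shown = if ($null -eq $r) { 'absent' } else { $r }
        $findings += "RestrictDriverInstallationToAdministrators is $shown; set it to 1"
    }
    # The Print Spooler itself: on hosts that neither print nor share printers,
    # a stopped and disabled service removes the attack surface entirely.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += "Print Spooler is running (StartType=$($spooler.StartType)); disable it where printing is not needed"
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-PointAndPrintHardening | Format-List
```

Run it elevated so the policy key is readable on hosts where it is protected; a result with Hardened set to False lists each setting that still leaves Point and Print in the weakened state the advisory describes.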