PrintNightmare - Using the print spooler service to attack systems

Summary: Well-meaning security researchers accidentally released code that allows attackers to run code on your Windows servers.
Update to article:

Microsoft released several patches that largely mitigate this threat.  The remote code execution (ability to run code on a target machine) looks to be fixed and the privilege escalation (run code as administrator while not administrator) is fixed for most systems.  Make sure you're patched!  It's best practice to disable the Print Spooler service on systems/servers that don't need to print as well.

What's PrintNightmare?

Security researchers like to think of neat names for exploits/attacks they discover before they release the information to the world.  PrintNightmare is aptly named due to this zero-day (means previously unknown and unpatched) attack that allows attackers to remotely run code as a privileged account.  It's a nightmare because this attack exploits the Print Spooler service that is enabled by default on all Windows computers.  Basically this attack doesn't do anything on its own but it allows the bad guys to easily gain access to a server and run whatever code they want on it.  The way the cybersecurity world is going this will likely be used for ransomware attacks very soon.

Normally security researchers will uncover something nasty like this and present it to others researchers and vendors at various conferences.  This gives everyone time to figure out how big a problem this is and gives the vendors time to release patches to fix the issue before the wider world learns about it.  In this case the researchers accidentally released their proof of concept code so the bad guys already have access to it.  This means the bad guys are already weaponizing this code before patches can be released.  The theoretical attack will be a real attack pretty soon.  Hopefully Microsoft will be released patches for this in the very near future.

Mitigating Factors:
  • If you're one of our clients, we've already contacted you and applied fixes for this.
  • This attack appears to require an authenticated connection to the server being attacked.  This generally means it has to come from a user computer rather than some random attacker out in the world.
Temporary fix for servers that don't handle printing:

If a server doesn't handle any print jobs, these commands can be run in Powershell as an administrator to disable the Print Spooler service.  If you're uncertain how to do this, contact us and we'll help.

Stop-Service -Name Spooler -Force 
Set-Service -Name Spooler -StartupType Disabled
Temporary Fix for Servers That Handle Printing:

Some servers have to print.  Such as print servers (of course) and remote desktop servers.  For these servers the Print Spooler service can't be disabled but you can limit what it can access.  This Powershell command should be run as an administrator.  It prevents anyone from adding DLLs/Drivers to the target directory so that even if the attacker is able to exploit PrintNightmare that can't leverage the attack.  Like above, this is something we can help with if you're not comfortable with it.  Contact us for help.

Note that the third block is all one line.  We had to split it up for formatting purposes.  There is no space between FilterSystemAccessrule and ("System".

$Path = "C:\Windows\System32\spool\drivers"

$ACL = Get-Acl $Path

$NewRule = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")

$ACL.AddAccessRule($NewRule)

Set-Acl $Path $ACL
Removing the temporary fix for servers that handle printing:

After Microsoft releases a (working) patching, the below commands can be run in Powershell as administrator to remove the temporary fix.  This can also be done if you need to add a new printer or printer drivers to the affected server.

Note, the third block is all one line.  Depending on what you're browsing with this line can get reformatted by your browser.

$Path = "C:\Windows\System32\spool\drivers"

$Acl = Get-Acl $Path

$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")

$Acl.RemoveAccessRule($Ar)

Set-Acl $Path $Acl
Disclosures:
  • We are partners with Huntress.  Because they're awesome.
Sources:
in News