The PrintNightmare vulnerability emerged as a Windows Print Spooler security flaw that was inadvertently disclosed by Chinese researchers. The vulnerability is described as a new Zero-Day security flaw that causes remote code execution on all Windows versions. At this point, we see that Windows operating systems are in danger due to a critical flaw that has emerged in the Windows Print Spooler service.
When the researchers at Sangfor published the PoC, whether by mistake or for some other reason, the code in the PoC environment was exposed to the public. Although it stayed online only for a short time, the test code was of course copied by many people.
The researchers had planned to detail multiple Zero Day vulnerabilities in the Windows Print Spooler service at the annual Black Hat security conference held later this month. However, after this mistake, the code was spread to everyone.
Threat actors can easily take over a corporate network using this vulnerability. The fact that they can gain control over the entire environment by compromising the Windows domain controller clearly shows how critical the problem is. The PrintNightmare vulnerability (Zero Day), published under the identifier CVE-2021-34527, allows attackers to execute code remotely on Windows and has no patch. For this reason, it is described as a critical vulnerability.
The vulnerability allows attackers to use remote code execution, so that bad actors can potentially install malicious applications, modify data and create new accounts with full administrator rights. They can even take over an Active Directory machine on your network.
After the exploit code for the PrintNightmare vulnerability was made public, the Privia Security Cyber Security Team developed a detection tool for our enterprise customers. On systems where the printer service must remain in use, the tool detects an attack attempt at the moment it occurs.
Application and source code: https://github.com/Privia-Security/PrintNightmareDetectionTool
On the Windows Server 2016 operating system, the PrintService/Operational event log is disabled by default. When the tool is first run, it enables the “PrintService/Operational” event log so that the attack can be detected.
After the application is launched with administrator privileges, it creates a PowerShell script named “enableSpoolerLog.ps1” in the directory from which the application is running. This script is then executed via PowerShell and enables the log named “PrintService/Operational”.
By default, the script sets the log to a maximum size of 2056 KB. If you are running a print queuing service with very high throughput, we strongly recommend increasing this size.
Once the application is running with administrator rights and logging for the Spooler service is enabled, the method named “StartEventLogHook” is triggered.
The StartEventLogHook method, as can be seen below, starts monitoring the specified log by using the EventLogWatcher class. Whenever a new log entry is written on the system, the method named “OnEntryWritten” is called.
After the method named OnEntryWritten is called, data is sent to the datagrid in the application interface so that it is displayed on the screen and the alert mechanism is triggered.
After the OnEntryWritten method sends the data to the datagrid named detectionGrid, it searches the Event IDs with the method named “SearchAttackInLog”, looking for Event ID “316”, which belongs to the attack.
When an event with Event ID 316 is logged, the attack is detected and the details of the attack are saved to a log file in the directory where the application is running.
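The workflow described above (enable the PrintService/Operational channel with a size limit, subscribe to it with EventLogWatcher, and write any Event ID 316 record to a log file in the working directory) can be reproduced in a few lines of PowerShell. The script below is an added example for this post; it is not the Privia tool's code and does not reproduce its interface. It assumes an elevated session, and the log file name and event source identifier are assumptions chosen here. Note from general knowledge, not from the tool's documentation: Event ID 316 in this channel records a printer driver being added or updated, so it also fires on legitimate driver installs and each hit should be triaged against expected driver changes.

```powershell
# Added example (not the Privia tool's code). Run from an elevated PowerShell session.
$channel = 'Microsoft-Windows-PrintService/Operational'
$baseDir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$logFile = Join-Path -Path $baseDir -ChildPath 'PrintNightmareDetections.log'   # assumed file name

# Step 1: enable the channel and cap its size at 2056 KB, as the post describes.
# (Equivalent to: wevtutil sl $channel /e:true /ms:<bytes>)
$cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList $channel
$cfg.IsEnabled          = $true
$cfg.MaximumSizeInBytes = 2056KB
$cfg.SaveChanges()

# Step 2: subscribe to new records. The XPath filter hands the callback only Event ID 316,
# the event the tool's SearchAttackInLog step looks for.
$pathType = [System.Diagnostics.Eventing.Reader.PathType]::LogName
$query    = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery -ArgumentList $channel, $pathType, '*[System[EventID=316]]'
$watcher  = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher -ArgumentList $query

# Step 3: the equivalent of OnEntryWritten: format the record and append it to the log file.
$null = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier 'PrintSpoolerWatch' -MessageData $logFile -Action {
    $record = $Event.SourceEventArgs.EventRecord
    if ($null -eq $record) { return }        # a read failure sets EventException instead of a record
    if ($record.Id -ne 316) { return }       # defensive re-check of the ID
    $message = $record.FormatDescription() -replace "`r?`n", ' '
    $line = '{0:o} host={1} EventID={2} {3}' -f $record.TimeCreated, $record.MachineName, $record.Id, $message
    Add-Content -Path $Event.MessageData -Value $line
    Write-Warning "Possible PrintNightmare activity: $line"
}

$watcher.Enabled = $true
Write-Host "Watching $channel for Event ID 316; log file: $logFile. Press Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 5 }
```

The subscription lives in the PowerShell session, so keep the session open (or run the script as a scheduled task) for as long as monitoring is needed; `Unregister-Event -SourceIdentifier PrintSpoolerWatch` removes it.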
The zero-day vulnerability PrintNightmare, which allows Remote Code Execution, is a critical Windows bug. It affects all Windows versions, including both endpoints and servers.
Microsoft acknowledges that “the code containing the vulnerability is present in all Windows versions”. It is stated that the Print Spooler service runs by default on Windows, including client versions of the operating system, Domain Controllers and many Windows Server instances.
First Method: Turn off the Print Spooler service wherever possible, and limit access to Print Spooler services on systems where you cannot turn it off!
Second Method: You can disable inbound remote printing with Group Policy.
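Both mitigations can be audited and, where chosen, applied from PowerShell. The script below is an added example, not taken from the post or from Privia's tool. It reports the current Spooler state and the remote-connections policy, and enforces either mitigation only when the matching switch is passed, since the post recommends stopping the service only where possible and falling back to restricting remote access elsewhere. The policy name "Allow Print Spooler to accept client connections" and its registry value RegisterSpoolerRemoteRpcEndPoint (1 = enabled, 2 = disabled) come from Microsoft's Group Policy documentation, not from the post; on a domain-joined host the GPO should be set centrally rather than written locally.

```powershell
# Added example (not from the post or the Privia tool). Run from an elevated session.
param(
    [switch]$DisableService,           # Method 1: stop and disable the Spooler service
    [switch]$BlockRemoteConnections    # Method 2: local equivalent of the Group Policy setting
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = accept client connections, 2 = refuse them

function Get-SpoolerExposure {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    $remote = if (-not $policy)                     { 'NotConfigured (client connections accepted)' }
              elseif ($policy.$policyName -eq 2)    { 'Disabled' }
              else                                  { 'Enabled' }
    [pscustomobject]@{
        SpoolerStatus           = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        SpoolerStartType        = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        RemoteClientConnections = $remote
    }
}

Write-Host 'Current state:'
Get-SpoolerExposure | Format-List

if ($DisableService) {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

if ($BlockRemoteConnections) {
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name $policyName -PropertyType DWord -Value 2 -Force | Out-Null
    # The spooler reads this value at start-up, so restart it if it is still running.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { Restart-Service -Name Spooler -Force }
}

if ($DisableService -or $BlockRemoteConnections) {
    Write-Host 'State after changes:'
    Get-SpoolerExposure | Format-List
}
```

Run it without switches on a fleet first to see which hosts still expose the service; `-DisableService` suits hosts that never print, while `-BlockRemoteConnections` keeps local printing working on hosts that need it but stops the service from accepting the remote requests the attack relies on.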
You can access the PrintNightmare Vulnerability Detection Tool and source code on our Github page.
https://github.com/Privia-Security/PrintNightmareDetectionTool