Microsoft has released a notice of a new vulnerability in Print Spooler (CVE-2021-36958) that allows local attackers to gain system privileges on a computer.
The new vulnerability is related to the other PrintNightmare bugs, which exploit the configuration settings for Print Spooler, print drivers, and Windows Point and Print.
Microsoft previously released patches for PrintNightmare in July and August, but an issue originally discovered by researcher Benjamin Delpy still allows attackers to quickly gain System-level privileges by simply connecting to a remote print server.
Great #patchtuesday Microsoft, but did you not forget something for #printnightmare?
Still SYSTEM from standard user…
(I may have missed something, but #mimikatz mimispool library still loads…) pic.twitter.com/OWOlyLWhHI
— Benjamin Delpy (@gentilkiwi) August 10, 2021
The vulnerability abuses the CopyFile directive in the print driver package: when a client connects to a printer, a DLL is copied to the client alongside the print driver, and that DLL opens a command prompt. Although recent Microsoft updates changed driver installation so that installing a new printer driver now requires administrator rights, those rights are not required to connect to the printer if the driver is already installed.
So if the driver already exists on the client and therefore does not need to be installed, connecting to a remote printer still triggers CopyFile without administrator rights. This allows a DLL to be copied to the client and executed, opening a command prompt with System privileges.
Microsoft has now issued a security notice announcing a new vulnerability in Print Spooler that is being tracked as CVE-2021-36958.
To protect against this problem, the company again recommends disabling Print Spooler.
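As an added example (not code from the article or from any of the researchers mentioned), the following PowerShell script audits a host's Print Spooler state and Point and Print policy settings and can apply the mitigation Microsoft recommends; the registry value names are the standard Point and Print policy settings and are assumed here rather than taken from the article.

```powershell
# Added example: audit the Print Spooler on a Windows host and, optionally,
# apply Microsoft's recommended mitigation of disabling the service.
# Run as an administrator. Registry paths below are the standard Point and
# Print policy locations (assumed); values absent from the registry show "not set".
param(
    [switch]$Disable   # pass -Disable to stop and disable the Spooler service
)

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Spooler service not present on this host."
    return
}
Write-Output ("Spooler status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)

# Point and Print policy values governing whether non-admins can connect to
# remote print servers and have their drivers installed.
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'RestrictDriverInstallationToAdministrators',
                  'NoWarningNoElevationOnInstall',
                  'UpdatePromptSettings') {
    $val = (Get-ItemProperty -Path $pnp -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $val) { $val = 'not set' }
    Write-Output ("{0} = {1}" -f $name, $val)
}

# Connections to remote print servers are the trigger described in the article;
# list them so they can be reviewed.
Get-Printer -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'Connection' } |
    ForEach-Object {
        Write-Output ("Remote printer connection: {0} ({1})" -f $_.Name, $_.ComputerName)
    }

if ($Disable) {
    # Microsoft's interim recommendation: stop and disable the Print Spooler.
    # This also stops local printing on the host.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Spooler stopped and disabled."
}
```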
Well-known cybersecurity expert and CERT/CC analyst Will Dormann told Bleeping Computer that the description of the CVE-2021-36958 vulnerability is fully consistent with the PoC exploit that Delpy posted on Twitter on August 10.
Journalists also noticed that Microsoft classified this vulnerability as remote code execution, although the attack must be performed locally. Dormann confirms that this is clearly a local privilege escalation (based on the CVSS score of 7.3/6.8). The expert believes that the security bulletin will be updated in the coming days.