This is very important!

If you have the "Print Spooler" service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller.

Stop and Disable the service on any DC now!
Log entries in Microsoft-Windows-PrintService/Admin might be a good place to look for evidence of exploitation.
Here, despite the "failed to load" error, is what was generated when I loaded main64.dll off of a remote SMB share using this exploit.
Note that looking for this will only find lazy attackers. The only reason that I saw this in my initial test is because the main64.dll that I used made no attempt to look like what the print spooler is looking for.
If the attacker loads a sane-looking DLL, no error is logged.
For example, here's the result of using a "real" printer driver DLL that just happens to have the value-add of launching calc.exe.
No warnings or errors in Windows Event viewer
I've published a vulnerability note on this. I suspect that Microsoft will need to issue a new CVE to capture what PrintNightmare exploits, as it sure isn't what Microsoft patched as CVE-2021-1675.
kb.cert.org/vuls/id/383432
Microsoft has published an advisory and has called it CVE-2021-34527
msrc.microsoft.com/update-guide/v…
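As an added example (my code, not part of the thread), the following PowerShell does on a DC what the thread recommends (stop and disable the spooler) and then looks where the thread says to look, while also covering the case it warns about, where a sane-looking driver logs no error. The event IDs (808 for "failed to load a plug-in module" in the Admin log, 316 for driver added/updated in the Operational log), the driver directory and the 30-day window are my assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Run elevated on a domain controller.
# Event IDs 808/316 and the driver path are assumptions from memory.

# 1. Only act on a domain controller (DomainRole 4 = BDC, 5 = PDC).
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -notin 4, 5) { Write-Warning 'Not a domain controller; nothing done.'; return }

# 2. Stop the Print Spooler and make sure it stays down across reboots.
Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
Set-Service  -Name Spooler -StartupType Disabled
Get-Service  -Name Spooler | Select-Object Status, StartType

# 3. Hunt for the "failed to load" plug-in event the thread shows
#    (ID 808 in PrintService/Admin). As the thread says, this only
#    catches DLLs that did not bother to look like a printer driver.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Admin'
    Id        = 808
    StartTime = $since
} -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Message | Format-List

# 4. A well-formed driver logs no error at all, so also list recently
#    written x64 driver DLLs on disk; anything unfamiliar deserves a look.
$driverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'
Get-ChildItem -Path $driverDir -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -gt $since } |
  Select-Object FullName, LastWriteTime, Length

# 5. For future visibility, enable the Operational log (off by default);
#    driver add/update events (ID 316) are recorded there.
wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
```

Run the log and file checks before disabling the service if you want a clean picture of what the spooler did while it was up; disabling it first is the safer order on a DC.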

More from @wdormann

10 Jan 20
Now that Twitter has changed how it handles uploaded images, this unexpected behavior is perhaps more important now than before.
Your challenge: Tell me what I've redacted from this image.
(Anybody I've talked to about this so far is ineligible to play)
It can be done w/o tools.
Answer:
Several apps (e.g. @GIMP_Official, @Apple Preview) do not actually delete content from images with an alpha channel. They simply create an alpha-channel tunnel through the content you think that you're removing.
You may think you've removed content, but it's just hidden.
If you remove the alpha channel, you now can see what's behind it. You can do this with ImageMagick, e.g.
convert input.png -alpha off output.png
You now have an image that doesn't have the alpha channel, so therefore is unredacted.
But it's actually even easier than this!
10 Jan 20
The cat's pretty much out of the bag on how to exploit this. Expect widespread exploitation attempts for CVE-2019-19781 at this point.
Despite being almost a month old, there is NO PATCH from @citrix at this point. Only a (very important) mitigation.
kb.cert.org/vuls/id/619785/
@citrix You don't need to run a working exploit to know if a system is vulnerable or not, though. Simply visit:
CITRIXGATEWAY/vpns/cfg/smb.conf
in your web browser or script or whatever.
If you get a file, the system is vulnerable.
If you get a 403, it has had mitigations applied.
@citrix Also, FreeBSD 8.4 was EOL'd years ago. And even FreeBSD v. current doesn't even have ASLR enabled (not that it'd matter in this particular case).

And this is something you're exposing directly to the Internet?

YOLO!
9 Jul 19
@johannh Let's be quite clear here:
Zoom intentionally created a vulnerability to work around a security improvement in Safari. This was done to save the user a single click.
@johannh Also note that because Zoom decided that requiring a single click from the user is unacceptable, the vulnerability that they chose to create as a workaround also means that receiving a simple email can result in your camera and microphone being turned on. Neat.
@johannh And on the Windows side of things, both Internet Explorer and Edge also launch Zoom without prompting (albeit not apparently via a process listening on localhost). Chrome and Firefox behave sanely in that the user is prompted before a 3rd-party application is launched.