Microsoft had a call for #PrintNightmare where they repeatedly said "Disable Point and Print"
without actually saying how one would do so.
I cannot find evidence that "Point and Print" itself is a thing that can be disabled.
MS seems to really want someone to hold their beer!
🍺
Is "Disable Point and Print" a thing that people can do? And if so, how?
Otherwise, I'll attribute this all to an unfortunate game of telephone.
More along the lines of Microsoft confusion:
"NoWarningNoElevationOnUpdate" isn't a term that existed until Microsoft published their CVE-2021-34527 advisory on July 6.
The registry value actually associated with updating drivers is called UpdatePromptSettings.
This is my current understanding of the #PrintNightmare exploitability flowchart.
There's a small disagreement between me and MSRC at the moment about UpdatePromptSettings vs. NoWarningNoElevationOnUpdate, but I think it doesn't matter much as I just have both for now.
I've made a few changes to this flowchart to make it more clear, and also add some more boxes. Because of course.
I also added it to the CERT/CC vulnerability note for #PrintNightmare VU#383432 CVE-2021-34527 kb.cert.org/vuls/id/383432
It seems like the disagreement between MSRC and me has been resolved.
It turns out that it's indeed UpdatePromptSettings, and not NoWarningNoElevationOnUpdate.
NoWarningNoElevationOnUpdate was never a registry value, and no reference to it existed before July 6.
Apology accepted
For anybody who was watching the recent flurry of incorrect (and now deleted) tweets:
What confused me was that clicking "Apply" on any individual page in gpedit causes EVERY policy to get applied. Not just the current one.
It's still PointAndPrint that is the bypass here.
If you have the "Print Spooler" service enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller.
Log entries in Microsoft-Windows-PrintService/Admin might be a good place to look for evidence of exploitation.
Here, despite the "failed to load" error, is what was generated when I loaded main64.dll off of a remote SMB share using this exploit.
Note that looking for this will only find lazy attackers. The only reason that I saw this in my initial test is because the main64.dll that I used made no attempt to look like what the print spooler is looking for.
If the attacker loads a sane-looking DLL, no error is logged.
Now that Twitter has changed how it handles uploaded images, this unexpected behavior is perhaps more important now than before.
Your challenge: Tell me what I've redacted from this image.
(Anybody I've talked to about this so far is ineligible to play)
It can be done w/o tools.
Answer:
Several apps (e.g. @GIMP_Official, @Apple Preview) do not actually delete content from images with an alpha channel. They simply create an alpha-channel tunnel through the content you think that you're removing.
You may think you've removed content, but it's just hidden.
If you remove the alpha channel, you now can see what's behind it. You can do this with ImageMagick, e.g.
convert input.png -alpha off output.png
You now have an image that doesn't have the alpha channel, and is therefore unredacted.
But it's actually even easier than this!
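To make the alpha-channel tunnel concrete, here is an added example (not from the thread) that writes a tiny RGBA PNG with a hand-rolled encoder, "redacts" one pixel the broken way (alpha set to 0, colour channels untouched) and the right way (colour channels overwritten too), and then checks which transparent pixels would come back when the alpha channel is dropped, as `convert -alpha off` does. The PNG encoder/decoder, the 4x1 sample image and the `recoverable` heuristic are all constructed for this demonstration.

```python
import struct
import zlib

SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(kind: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)

def encode_rgba(pixels, width, height) -> bytes:
    """Write an 8-bit RGBA PNG (colour type 6) using filter type 0 on every row."""
    rows = b"".join(
        b"\x00" + bytes(c for px in pixels[y * width:(y + 1) * width] for c in px)
        for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")

def decode_rgba(data: bytes):
    """Minimal reader for files made by encode_rgba (8-bit RGBA, filter 0, one IDAT)."""
    pos, idat = len(SIGNATURE), b""
    while pos < len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if kind == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif kind == b"IDAT":
            idat += body
        pos += 12 + length
    raw, stride = zlib.decompress(idat), 1 + width * 4
    flat = b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(height))  # drop filter bytes
    return [tuple(flat[i:i + 4]) for i in range(0, len(flat), 4)], width, height

def alpha_tunnel_redact(pixels, region):
    """The broken 'eraser': alpha goes to 0 but the RGB values are left in the file."""
    return [(r, g, b, 0) if i in region else (r, g, b, a) for i, (r, g, b, a) in enumerate(pixels)]

def real_redact(pixels, region):
    """Overwrite the colour channels as well, so nothing survives '-alpha off'."""
    return [(0, 0, 0, 0) if i in region else px for i, px in enumerate(pixels)]

def recoverable(pixels):
    """(index, RGB) of fully transparent pixels that still carry colour data.
    Heuristic: a black transparent pixel is indistinguishable from a cleared one."""
    return [(i, px[:3]) for i, px in enumerate(pixels) if px[3] == 0 and any(px[:3])]

def demo():
    # Constructed 4x1 image: a red "secret" pixel followed by green, blue and white.
    image = [(255, 0, 0, 255), (0, 255, 0, 255), (0, 0, 255, 255), (255, 255, 255, 255)]
    leaky = decode_rgba(encode_rgba(alpha_tunnel_redact(image, {0}), 4, 1))[0]
    clean = decode_rgba(encode_rgba(real_redact(image, {0}), 4, 1))[0]
    return {"leaky": recoverable(leaky), "clean": recoverable(clean)}
```

Write the bytes from `encode_rgba(...)` to a file and open it in an image viewer: the "leaky" file looks redacted, yet the red pixel is still stored in it.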
The cat's pretty much out of the bag on how to exploit this. Expect widespread exploitation attempts for CVE-2019-19781 at this point.
Despite being almost a month old, there is NO PATCH from @citrix at this point. Only a (very important) mitigation. kb.cert.org/vuls/id/619785/
@citrix You don't need to run a working exploit to know if a system is vulnerable or not, though. Simply visit:
CITRIXGATEWAY/vpns/cfg/smb.conf
in your web browser or script or whatever.
If you get a file, the system is vulnerable.
If you get a 403, it has had mitigations applied.
@citrix Also, FreeBSD 8.4 was EOL'd years ago. And even current FreeBSD doesn't have ASLR enabled (not that it'd matter in this particular case).
And this is something you're exposing directly to the Internet?
@johannh Let's be quite clear here:
Zoom intentionally created a vulnerability to work around a security improvement in Safari. This was done to save the user a single click.
@johannh Also note that because Zoom decided that requiring a single click from the user is unacceptable, the vulnerability that they chose to create as a workaround also means that receiving a simple email can result in your camera and microphone being turned on. Neat.
@johannh And on the Windows side of things, both Internet Explorer and Edge also launch Zoom without prompting (albeit not apparently via a process listening on localhost). Chrome and Firefox behave sanely in that the user is prompted before a 3rd-party application is launched.