Microsoft Windows Print Spooler Point and Print allows installation of arbitrary queue-specific files


### Overview

Microsoft Windows allows non-admin users to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries that are loaded by the privileged Windows Print Spooler process.

### Description

Microsoft Windows allows users who lack administrative privileges to install printer drivers, which execute with `SYSTEM` privileges via the Print Spooler service. This ability is provided by a capability called [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>). Starting with the update for [MS16-087](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-087>), Microsoft requires that printer drivers installable via Point and Print are either signed by a [WHQL release signature](<https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature>) or signed by a certificate that is explicitly trusted by the target system, such as an installed test-signing certificate. The intention of this change is to prevent installation of malicious printer drivers, which can allow Local Privilege Escalation (LPE) to `SYSTEM`.

While Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify [queue-specific files](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/installing-queue-specific-files>) that are associated with the use of the device. For example, a shared printer can specify a `CopyFiles` directive for arbitrary files. These files, which may be copied alongside the signature-enforced printer driver files, are **not** covered by any signature requirement. Furthermore, these files can overwrite any of the signature-verified files that were placed on the system during printer driver installation.
The remote printer can also be configured to automatically execute code in any files dropped by the `CopyFiles` directive. This allows LPE to `SYSTEM` on a vulnerable system. An exploit for this vulnerability is [publicly available](<https://twitter.com/gentilkiwi/status/1416429860566847490>).

### Impact

By connecting to a malicious printer, an attacker may be able to execute arbitrary code with `SYSTEM` privileges on a vulnerable system.

### Solution

Microsoft has published updates for [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) regarding this issue. Please also consider the following workarounds:

#### Block outbound SMB traffic at your network boundary

Public exploits for this vulnerability use SMB to connect to a malicious shared printer. If outbound connections to SMB resources are blocked at the network boundary, this vulnerability is mitigated for malicious SMB printers hosted outside of your network. Note that an attacker local to your network can share a printer via SMB, which is unaffected by any outbound SMB traffic rules.

#### Configure both PackagePointAndPrintServerList and PackagePointAndPrintOnly settings

Microsoft Windows has a Group Policy called "Package Point and print - Approved servers", which is reflected in the `HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList` registry value and the `HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers` registry key. This policy restricts which servers non-administrative users can use to install printers via Point and Print. Configure this policy to prevent installation of printers from arbitrary servers.
To ensure that Microsoft Windows only attempts to install Package Point and Print printers, and therefore restricts printer connections to the approved servers list, you must also set the `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintOnly` registry value to `1`. The Group Policy setting that corresponds to this value is called "Use only Package Point and print". Setting this value to "Enabled" enforces that only Package Point and Print printers will be used. **Both** of these settings must be configured to protect against exploitation of this vulnerability.

#### Block the ability to modify the print spooler drivers directory

As described on the [TRUESEC Blog](<https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/>), this vulnerability can be mitigated by preventing the `SYSTEM` account from modifying the contents of the `C:\Windows\System32\spool\drivers` directory.
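The following PowerShell is an added example for this Solution section; it is not part of the original vulnerability note, the TRUESEC post, or any Microsoft tooling. It applies the Package Point and Print workaround described above (both `PackagePointAndPrintServerList` with an approved server list and `PackagePointAndPrintOnly`, since the note states both are required) and then audits every workaround in this section on the local machine: the two policy values, the `SYSTEM` deny ACE on the drivers directory, and the Print Spooler service state. The function names, the placeholder server name, and the layout of the values under `ListofServers` (one string value per server, named `1`, `2`, ...) are assumptions of this example; the registry paths are the ones named in the note.

```powershell
# Added example, not from the CERT/CC note. Run from an elevated PowerShell session.
# Assumption: Group Policy stores the approved-servers list as one REG_SZ value per
# server under ListofServers, named "1", "2", ... (matching the ADMX list template).
# On a domain-joined host, Group Policy overwrites HKLM:\SOFTWARE\Policies, so apply
# these through GPO there rather than writing the registry directly.

$PPPKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ServersKey  = Join-Path $PPPKey 'ListofServers'
$DriversPath = "$env:SystemRoot\System32\spool\drivers"

function Set-PackagePointAndPrintPolicy {
    param([Parameter(Mandatory)][string[]]$ApprovedServers)

    # Create the policy keys if they do not exist yet.
    foreach ($k in $PPPKey, $ServersKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # "Package Point and print - Approved servers" = Enabled
    Set-ItemProperty -Path $PPPKey -Name PackagePointAndPrintServerList -Value 1 -Type DWord
    # "Use only Package Point and print" = Enabled. Without this, non-package
    # Point and Print connections are not restricted to the approved list.
    Set-ItemProperty -Path $PPPKey -Name PackagePointAndPrintOnly -Value 1 -Type DWord

    # Replace the server list wholesale so stale entries do not linger.
    $existing = (Get-Item $ServersKey).GetValueNames()
    foreach ($name in $existing) { Remove-ItemProperty -Path $ServersKey -Name $name }
    $i = 1
    foreach ($server in $ApprovedServers) {
        Set-ItemProperty -Path $ServersKey -Name ([string]$i) -Value $server -Type String
        $i++
    }
}

function Test-PrintNightmareWorkarounds {
    # Returns one object with a boolean per workaround, suitable for a reporting pipeline.
    $ppp = if (Test-Path $PPPKey) { Get-ItemProperty -Path $PPPKey } else { $null }
    $servers = @()
    if (Test-Path $ServersKey) {
        $key = Get-Item $ServersKey
        $servers = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    # Look for a Deny ACE for SYSTEM that covers Modify, as the note's workaround adds.
    $modify  = [System.Security.AccessControl.FileSystemRights]::Modify
    $denyAce = (Get-Acl -Path $DriversPath).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }

    $spooler = Get-Service -Name Spooler

    [pscustomobject]@{
        ApprovedServerListEnforced = ($ppp.PackagePointAndPrintServerList -eq 1) -and ($servers.Count -gt 0)
        ApprovedServers            = $servers
        PackagePointAndPrintOnly   = ($ppp.PackagePointAndPrintOnly -eq 1)
        DriversDirDenyAceForSystem = [bool]$denyAce
        SpoolerStopped             = ($spooler.Status -eq 'Stopped')
        SpoolerDisabled            = ($spooler.StartType -eq 'Disabled')
    }
}

# Usage (the server name is a placeholder):
# Set-PackagePointAndPrintPolicy -ApprovedServers 'printsrv01.corp.example'
# Test-PrintNightmareWorkarounds | Format-List
```

`Test-PrintNightmareWorkarounds` reads state only, so it is safe to run across a fleet to find hosts where only one of the two Package Point and Print values was set, which the note warns leaves the restriction ineffective. A `True` in `ApprovedServerListEnforced` alone does not mean the workaround is effective; `PackagePointAndPrintOnly` must also be `True`.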
To enable this mitigation, from a privileged PowerShell session, run:

```powershell
# Add an inherited Deny ACE so SYSTEM (the Print Spooler's account) cannot
# modify anything under the printer driver store.
$Path = "C:\Windows\System32\spool\drivers"
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)
Set-Acl $Path $Acl
```

To revert the mitigation to allow printer driver installation or modification, run:

```powershell
# Remove the same Deny ACE that the mitigation added.
$Path = "C:\Windows\System32\spool\drivers"
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.RemoveAccessRule($Ar)
Set-Acl $Path $Acl
```

#### Stop and disable the Print Spooler

The Print Spooler can be disabled in a privileged PowerShell session by running the following commands:

```powershell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```

**Impact of workaround**

Disabling the Print Spooler service disables the ability to print both locally and remotely.

### Acknowledgements

This vulnerability was publicly disclosed by Benjamin Delpy. Microsoft credits Victor Mata with reporting this issue to them.

This document was written by Will Dormann.

### Vendor Information (VU#131152)

#### Microsoft

Status: Affected
Notified: 2021-07-18
Updated: 2021-07-18

| CVE | Status |
|---|---|
| CVE-2021-36958 | Affected |

#### Vendor Statement

We have not received a statement from the vendor.
### References

* <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>
* <https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-087>
* <https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>
* <https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature>
* <https://docs.microsoft.com/en-us/windows-hardware/drivers/print/installing-queue-specific-files>
* <https://twitter.com/gentilkiwi/status/1416429860566847490>
* <https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/>

### Other Information

| | |
|---|---|
| **CVE IDs:** | [CVE-2021-36958](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-36958>) |
| **Date Public:** | 2021-07-18 |
| **Date First Published:** | 2021-07-18 |
| **Date Last Updated:** | 2021-09-14 22:44 UTC |
| **Document Revision:** | 17 |