Microsoft has issued an advisory for another zero-day Windows print spooler vulnerability tracked as CVE-2021-36958 that allows local attackers to gain SYSTEM privileges on a computer.
This vulnerability is part of a class of bugs known as ‘PrintNightmare,’ which abuses configuration settings for the Windows print spooler, print drivers, and the Windows Point and Print feature.
Microsoft released security updates in both July and August to fix various PrintNightmare vulnerabilities.
However, a vulnerability disclosed by security researcher Benjamin Delpy still allows threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server, as demonstrated below.
This vulnerability uses the CopyFile registry directive to copy a DLL file that opens a command prompt to the client along with a print driver when you connect to a printer.
While Microsoft’s recent security updates changed the new printer driver installation procedure so that it requires admin privileges, you will not be required to enter admin privileges to connect to a printer when that driver is already installed.
Furthermore, if the driver exists on a client, and thus does not need to be installed, connecting to a remote printer will still execute the CopyFile directive for non-admin users. This weakness allows Delpy’s DLL to be copied to the client and executed to open a SYSTEM-level command prompt.