Man
A new round in the confrontation between attackers and Microsoft.
A recently published guide to the PrintNightmare group of vulnerabilities sparked a discussion about bypassing the Point and Print restrictions (often abbreviated PnP, not to be confused with Plug and Play) that the article recommended. Rather than simply updating the post, the author carried out additional research to find more effective ways to protect against Point and Print abuse.
The starting configuration was:
- The policy restricting driver installation to administrators was disabled, so non-administrators could install printer drivers.
- The policy allowing only signed printer drivers was enabled.
- Only one approved server was permitted as a driver source.
Despite these settings, the protection could be bypassed with a DNS spoofing attack: the attacker makes the name of the approved server resolve to a host under their control, so the name-based server allow-list is satisfied.
The author tested this in a lab by pointing the approved server name at the attacker's IP address. The first attempt failed with an error about an incorrect printer name. A Wireshark capture showed that the client talks to the server over an encrypted DCE/RPC channel that is protected against NTLM relay, so the traffic could not simply be relayed.
Enabling the UNC Hardened Access policy (Hardened UNC Paths, which requires mutual authentication and integrity for access to the listed network paths) did not close the hole either. The attacker-controlled server answered the client's DCE/RPC calls with a spoofed driver path: instead of a UNC path it returned a local path, which the hardened-path rules do not cover, and the vulnerable printer driver was installed successfully.
The author therefore concluded that UNC Hardened Access and the use of SMB for the connection are insufficient against a Man-in-the-Middle (MitM) attacker. A driver blocklist based on file hashes also turned out to be ineffective: an attacker can alter a signed file so that its hash changes while its signature remains valid, so a blocked hash no longer matches the file that gets installed.
The key conclusion of the study is that enabling the "Restrict Driver Installation To Administrators" policy is the only reliable protection against abuse of Point and Print configurations. The new Windows Protected Print (WPP) mode may eventually solve the problem, but for now administrators are advised not to disable the current restrictions on printer driver installation.
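An added example (not code from the original post or from the research it summarises) that audits a Windows client for the Point and Print posture discussed above and flags the starting configuration the research showed to be bypassable. The registry paths and value names are the ones written by the Point and Print Restrictions, Package Point and Print and Hardened UNC Paths Group Policy settings; the function names and the wording of the findings are this example's own. Run it from an elevated PowerShell session on the client you want to check.

```powershell
# Added example: audit a client's Point and Print posture and remediate the one
# control the research found reliable (driver installation restricted to admins).

$PnPKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PkgPnPKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$HardenedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means "policy not configured", which is not the same as 0.
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-PointAndPrintPosture {
    $restrict = Get-PolicyValue $PnPKey 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Get-PolicyValue $PnPKey 'NoWarningNoElevationOnInstall'
    $update   = Get-PolicyValue $PnPKey 'UpdatePromptSettings'
    $trusted  = Get-PolicyValue $PnPKey 'TrustedServers'
    $servers  = Get-PolicyValue $PnPKey 'ServerList'
    $pkgOnly  = Get-PolicyValue $PkgPnPKey 'PackagePointAndPrintOnly'
    $hardened = @()
    if (Test-Path -Path $HardenedKey) { $hardened = (Get-Item -Path $HardenedKey).GetValueNames() }

    # Since KB5005652 (August 2021) an absent value behaves as 1 (admins only).
    $adminsOnly = ($null -eq $restrict) -or ([int]$restrict -eq 1)

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $adminsOnly) {
        $findings.Add('RestrictDriverInstallationToAdministrators = 0: non-admins may install drivers. The research found this to be the only reliable control; the items below do not compensate for it.')
    }
    if ($noWarn -eq 1 -or $update -eq 2) {
        $findings.Add('Install/update elevation prompts are suppressed (NoWarningNoElevationOnInstall / UpdatePromptSettings): the classic PrintNightmare precondition.')
    }
    if ($trusted -eq 1 -and $servers) {
        $findings.Add("Approved server list is in effect ($servers), but a name-based allow-list is defeated by spoofing DNS for that name.")
    }
    if ($pkgOnly -eq 1) {
        $findings.Add('Package Point and Print only (signed drivers) is enabled. Hash-based driver blocklists can still be evaded without invalidating the signature.')
    }
    if ($hardened.Count -gt 0) {
        $findings.Add("Hardened UNC paths configured for: $($hardened -join ', '). A spoofed server can still return a local driver path that these rules do not cover.")
    }

    [pscustomobject]@{
        AdminsOnly               = $adminsOnly
        PromptsSuppressed        = ($noWarn -eq 1 -or $update -eq 2)
        ApprovedServers          = $servers
        PackagePointAndPrintOnly = ($pkgOnly -eq 1)
        HardenedUncPaths         = $hardened
        Findings                 = $findings
    }
}

function Set-PointAndPrintHardening {
    # Remediation the research recommends: keep driver installation admin-only
    # and restore the elevation prompts. Requires an elevated session.
    if (-not (Test-Path -Path $PnPKey)) { New-Item -Path $PnPKey -Force | Out-Null }
    Set-ItemProperty -Path $PnPKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    Set-ItemProperty -Path $PnPKey -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    Set-ItemProperty -Path $PnPKey -Name 'UpdatePromptSettings' -Value 0 -Type DWord
}

$posture = Get-PointAndPrintPosture
$posture | Format-List
if (-not $posture.AdminsOnly) {
    Write-Warning 'Driver installation is open to non-admins. Run Set-PointAndPrintHardening to fix.'
}
```

The audit deliberately treats an absent RestrictDriverInstallationToAdministrators value as secure, because the post-KB5005652 default is 1; if your fleet predates that update, confirm the patch level before trusting that assumption. The approved-server, signed-driver and hardened-path findings are reported as informational only, since the research showed each of them can be bypassed once non-administrators are allowed to install drivers.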
Source