Microsoft's incomplete PrintNightmare patch fails to fix vulnerability

Researchers have bypassed Microsoft's emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.

Last night, Microsoft released an out-of-band security update that was supposed to fix the PrintNightmare vulnerability that researchers disclosed by accident last month.

After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.

However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems.

The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector - however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?).  https://t.co/PRO3p99CFo

Today, as more researchers began modifying their exploits and testing the patch, it was determined that exploits could bypass the entire patch entirely to achieve both local privilege escalation (LPE) and remote code execution (RCE).

According to Mimikatz creator Benjamin Delpy, he could bypass the patch and once again achieve Remote Code Execution if the Point & Print policy is enabled.

Dormann also confirmed this patch bypass on Twitter. 

To bypass the PrintNightmare patch and achieve RCE and LPE, a Windows policy called 'Point and Print Restrictions' must be enabled, and the "When installing drivers for a new connection" setting configured as "Do not show warning on elevation prompt."

Point and Print restrictions policy

This policy is located under Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions.

When enabled, the 'NoWarningNoElevationOnInstall' value will be set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.

Hickey told BleepingComputer that he is still advising admins and users to disable the Print Spooler service to protect their Windows servers and workstations until a working patch is released.

"We're still advising our clients to disable the printer spooler wherever its not required until a fix arrives that addresses this issue appropriately," Hickey told BleepingComputer.

BleepingComputer has contacted Microsoft about the security update but has not heard back at this time.

This is a developing story.