Another potential mitigation has emerged for the PrintNightmare zero-day vuln, which lets low-privileged users execute code as SYSTEM on Windows domain controllers: remove those people from a backwards-compatibility group.
The zero-day hole came to light earlier this week after an infosec research firm mistakenly published proof-of-concept exploit code for a remote-code execution (RCE) vuln it had nicknamed PrintNightmare. Sangfor Technologies published the exploit for the vulnerability after wrongly believing Microsoft had patched it this month, having read the June Patch Tuesday notes for a remote-code execution vuln in Windows Print Spooler tracked as CVE-2021-1675.
While the patch for CVE-2021-1675 also protects against PrintNightmare on most Windows devices, it didn’t do so for domain controllers, which caused some puzzlement among security researchers. Until today, when Yunhai Zhang of Tianji Lab discovered a potential cause:
"Because you have the Builtin\Pre-Windows 2000 Compatible Access group when you log on to the DC."
— Yunhai Zhang (@_f0rgetting_) July 1, 2021
The Pre-Windows 2000 Compatible Access Group exists for backwards compatibility with Windows NT boxes and appears to be populated with authenticated users by default in new Windows Server deployments. As Windows Server blogger Dion Mosley explained: “Members of this group have Read access for viewing all users and groups within the domain. Depending on the security settings chosen during the installation of Active Directory, the Everyone group might be a member of this group.”
Mimikatz maintainer Benjamin Delpy confirmed Zhang’s findings to The Register, saying: "I can confirm that if we remove ‘authenticated users’ from this group (leaving it empty after), it stops the exploit." In short, membership of that group is an ingredient of the PrintNightmare exploit mechanism, and knowing that could at least help infosec and sysadmin folks better understand the underlying software bug. Delpy also tweeted a GIF showing the mitigation in action:
"Thanks to @_f0rgetting_ we have an explanation about why we have an Elevated Token (allowing #PrintNightmare on patched domain controllers): legacy
If you remove "Authenticated users" from "Builtin\Pre-Windows 2000 Compatible Access", the original Microsoft Patch works again 🤩 https://t.co/StvDdEWoog pic.twitter.com/h5IGJ0slpZ"
— 🥝 Benjamin Delpy (@gentilkiwi) July 1, 2021
At the time of writing it is not clear what side effects removing “everyone” from the Pre-Windows 2000 Compatible Access Group will have. It may be wise to wait and see before dashing in and potentially causing problems elsewhere on your domain.
Infosec researcher Dirk-Jan Mollema tweeted: “Before you all go apply this I'd wait for some people who've actually worked with this and can tell the potential impact though.”
Meanwhile, the US government's Cybersecurity and Infrastructure Security Agency (CISA) recommends disabling the Windows Print Spooler service on domain controllers and on hosts that do not print.
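As an added audit example (not from the article or from any of the researchers quoted), the PowerShell below reports whether the well-known SIDs named above are still members of the Pre-Windows 2000 Compatible Access group and whether the Print Spooler is running on each domain controller, per the CISA recommendation. It assumes Windows PowerShell 5.1 on a domain-joined host with the RSAT ActiveDirectory module and rights to read AD and query services on the DCs, and it makes no changes.

```powershell
# Added audit script (not from the article or the researchers it quotes).
# Assumes Windows PowerShell 5.1, the RSAT ActiveDirectory module, and rights
# to read AD and to query services on each domain controller. Read-only.
Import-Module ActiveDirectory

# Well-known SIDs the article names as risky members of the group.
$RiskySids = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
}

function Get-PreWin2000CompatMembers {
    # Read the raw member DNs instead of Get-ADGroupMember so that foreign
    # security principals (how well-known SIDs are stored in AD) resolve cleanly.
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($dn in $group.member) {
        $obj   = Get-ADObject -Identity $dn -Properties objectSid
        $sid   = $obj.objectSid.Value
        $risky = $RiskySids.ContainsKey($sid)
        [pscustomobject]@{
            Member      = $obj.Name
            ObjectClass = $obj.ObjectClass
            Sid         = $sid
            Risky       = $risky
            Note        = $(if ($risky) { $RiskySids[$sid] } else { '' })
        }
    }
}

function Get-DcSpoolerStatus {
    # CISA's advice: the Spooler service should not run on domain controllers.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $svc = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
            Get-Service -Name Spooler | Select-Object Status, StartType
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            SpoolerStatus    = $(if ($svc) { $svc.Status }    else { 'unreachable' })
            StartType        = $(if ($svc) { $svc.StartType } else { 'unreachable' })
            Exposed          = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

# A Risky=True row means the group still grants the membership the exploit relies on;
# an Exposed=True row is a DC still running the Spooler service.
Get-PreWin2000CompatMembers | Format-Table -AutoSize
Get-DcSpoolerStatus        | Format-Table -AutoSize
```

The script only reports; as the article notes, the side effects of emptying the group are not yet clear, so assess impact before removing members.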
Microsoft still hasn’t responded to The Register’s questions about the vuln nor has it said that a patch is being worked on.
Sangfor Technologies researchers published the zero-day proof-of-concept exploit as part of a blog post discussing a vuln they had found in Windows’ print spool service. Wrongly believing that a very closely related and recently patched flaw (CVE-2021-1675) was the same as their zero-day, they dropped the code in public.
Despite Sangfor's attempt to retract it a day later, the PrintNightmare exploit had, by that point, been forked and cached just about everywhere, as we reported.
The exploit itself allows a low-privileged user on an Active Directory domain to use Windows’ Print Spooler service to run code as SYSTEM on vulnerable hosts. Anyone who obtains ordinary user credentials for a device on that network could potentially run malicious code on the domain controller, compromising the whole domain in one go. That is a very bad thing. ®