But just to be clear, Point and Print *BY DEFAULT* will allow non-admin users to install drivers for network printers just by clicking on them.
While not #PrintNightmare, Point and Print can allow for LPE by using a malicious remote printer.
Signed drivers ≠ Safe drivers!
-
If you'd prefer your non-admin users to not be able to do such a thing (install printer drivers from arbitrary network shares as SYSTEM), you should set the PackagePointAndPrintServerList reg value in HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint
-
More about the automatic installation of printer drivers: https://blog.thinprint.com/the-new-microsoft-v4-printer-driver-model/ … v4 printer drivers don't do this client-side driver install. Microsoft planned to deprecate v3 printer drivers, but changed their mind. Maybe because it'd break too much? https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn705223(v=vs.85) …
-
Why might somebody set NoWarningNoElevationOnInstall to non-zero, which Microsoft indicates is vulnerable by design, I wonder? As it turns out, some vendors recommended it after MS16-087 was released. It's easier than updating drivers to be package-aware. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-087 …
-
Note that MS16-087 introduces a new prompt when installing non-package-aware V3 printer drivers, like this. But if somebody wants to set up a malicious printer server, surely they'll just make it package-aware. With package-aware drivers, there is no prompt before installation.
-
For those allowing outbound SMB traffic from their networks, you really want to reconsider that. In my testing, I used a local VM and a test certificate. But there's nothing stopping somebody from creating a live-on-internet version of this. With a $69-per-year code signing cert.
-
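A read-only check of the two policy values discussed in the thread above, as an added example that is not part of the original tweets. The `PointAndPrint` key as the location of NoWarningNoElevationOnInstall and the `ListofServers` subkey holding the approved servers are assumptions not stated in the thread; the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of Point and Print policy.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-PointAndPrintFindings {
    $findings = @()
    $pkg = Join-Path $Base 'PackagePointAndPrint'   # key named in the thread
    $pnp = Join-Path $Base 'PointAndPrint'          # assumption: not named in the thread

    if ((Get-PolicyValue $pkg 'PackagePointAndPrintServerList') -ne 1) {
        $findings += 'PackagePointAndPrintServerList is not enabled: package Point and Print is not restricted to an approved server list'
    } else {
        # Assumption: approved servers are stored as values under ListofServers.
        $key = Get-Item -Path (Join-Path $pkg 'ListofServers') -ErrorAction SilentlyContinue
        $servers = if ($key) { @($key.GetValueNames()) } else { @() }
        if ($servers.Count -eq 0) {
            $findings += 'PackagePointAndPrintServerList is enabled but no approved servers were found'
        } else {
            Write-Verbose ('Approved package Point and Print servers: ' + ($servers -join ', '))
        }
    }

    # Any non-zero value is the setting the thread describes as vulnerable by design.
    $noWarn = Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall'
    if ($null -ne $noWarn -and $noWarn -ne 0) {
        $findings += ('NoWarningNoElevationOnInstall is {0} (non-zero)' -f $noWarn)
    }
    return $findings
}

# @() keeps the result an array even when zero or one finding is returned.
$result = @(Get-PointAndPrintFindings)
if ($result.Count -eq 0) { 'No Point and Print findings.' } else { $result }
```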
Replying to @wdormann
I was talking to @gentilkiwi about exactly that earlier, lol. I was planning to set up \\http://printnightmare.net as a test with a queue that pops calc, and get MS driver cert to sign it (anybody can submit drivers).
-
https://cdn.discordapp.com/attachments/862316522072047658/865395683497869312/RwDrv..sys … I signed that, does it now load for you?
-
I’ll check tomorrow, cheers. What does it do? In some configurations it needs to be signed by MS (but anybody with EV can submit drivers to be signed by them). It looks like there may be some legacy loopholes tho.
-
it's the driver from rw everything - I re-signed for test
-
WAIT-LOL forgot - printer drivers are not drivers at all, so it's irrelevant
-
Print Drivers are whatever you say they are
the code has a lot of legacy so non-admins can network print and run as SYSTEM, it’s a really cool attack surface