Jonas L

But just to be clear, Point and Print *BY DEFAULT* will allow non-admin users to install drivers for network printers just by clicking on them. While not #PrintNightmare, Point and Print can allow for LPE by using a malicious remote printer. Signed drivers ≠ Safe drivers!pic.twitter.com/FdJ0Y1WPt2

If you'd prefer your non-admin users to not be able to do such a thing (install printer drivers from arbitrary network shares as SYSTEM), you should set the PackagePointAndPrintServerList reg value in HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrintpic.twitter.com/HU35eMXxHe

More about the automatic installation of printer drivers: https://blog.thinprint.com/the-new-microsoft-v4-printer-driver-model/ … v4 printer drivers don't do this client-side driver install. Microsoft planned to deprecate v3 printer drivers, but changed their mind. Maybe because it'd break too much? https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn705223(v=vs.85) …pic.twitter.com/M6Tkk57EKS

Why might somebody set NoWarningNoElevationOnInstall to non-zero, which Microsoft indicates is vulnerable by design, I wonder? As it turns out, some vendors recommended it after MS16-087 was released. It's easier than updating drivers to be package-aware. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-087 …pic.twitter.com/B8C3R98Irl

Note that MS16-087 introduces a new prompt when installing non-package-aware V3 printer drivers, like this. But if somebody wants to set up a malicious printer server, surely they'll just make it package-aware. With package-aware drivers, there is no prompt before installation.pic.twitter.com/NRbZ6B4pVS

For those allowing outbound SMB traffic from their networks, you really want to reconsider that. In my testing, I used a local VM and a test certificate. But there's nothing stopping somebody from creating a live-on-internet version of this. With a $69-per-year code signing cert.pic.twitter.com/9ekFBvIGLs