PrintNightmare: Kicking users from Pre-Windows 2000 legacy group may thwart domain controller exploitation

Another potential mitigation has emerged for the PrintNightmare zero-day vuln, which lets low-privileged users execute code as SYSTEM on Windows domain controllers: remove those people from a backwards-compatibility group. The zero-day hole came to light earlier this week after an infosec research firm mistakenly published …

  1. Dimmer

    I guess that explains it

    3 months ago, a customer's fully patched domain controller was compromised by the system account creating a domain admin account named “Quickbooks User”, then crypto-locked by the bad guys.

    I was wondering how they compromised across the network, using the system account that Microsoft says can’t be accessed via a network connection.

    Love to hear what you guys have seen.

  2. Anonymous Coward

    Print Spooler

    This has been a favourite vector of attack for decades for many reasons.

    I used to store copies of Doom in the spool folder back when I was in college. It was the one place that literally anyone could write anything to.

    The best course of action to avoid being immediately caught due to printers spewing out shit endlessly was to fill up some area of C: with as many massive bitmaps made in MS Paint as you could...create the biggest document your machine could handle without crashing and just use the spray tool to fill up the white space with loads of shit. One person in my computer lab back then used to enjoy making 10000 pixel x 10000 pixel files full of dick and balls pictures. It isn't necessary to do this as a bitmap is the same size no matter what, it just passed the time.

    Once you had your massive bitmap, you simply threw together a batch file that copied the bitmaps over and over again until you used up approximately 49% of the disk space. Then you needed a second batch file to join up all the bitmaps into one hulking great big file. Just run the batch file until it crashes. The resulting file size varies according to filesystem limitations. Delete all the smaller files.

    Once you had the biggest file possible, you needed to copy and paste that file (only once) into the spool folder. With any luck, the amount of RAM on your printer wouldn't be enough for the print job to start and the print queue would just jam.

    From there you can deposit your copy of Doom into the spool folder with no fear of the printer spewing reams of shite.

    Warning: If you had a typical college grade IT department they would discover this issue rapidly...sometimes as fast as 3 weeks later.

    I actually caused one of the college techies to go completely mad, he absolutely lost his shit with me. He heard rumours from students that it was me flooding the network with Doom, but he never figured out how because standard procedure was to just re-image a troublesome machine. He told me they were re-imaging about 10 machines a week and he demanded that I told him how I was getting Doom everywhere. I never told him. He ultimately quit and became an ice cream man. I bumped into him many years later serving ice cream from his truck and he was serene. He recognised me immediately. Apparently, the final straw was when I found a way to modify the installation images to pre-install Doom every time they ran Ghost...he had a sysprep script in his home folder that dragged in loads of drivers and packages to build his install images, he never renamed any of the packages...so there were bucket loads of 3EFDAC31.exe style files that he was dragging in so I could easily hide IDDQDIDKFALMAO.EXE (which I kept a backup of on one of the JetDirect print servers that had Telnet enabled, saved me carrying floppies) in his script and file repo. Sssh! Don't tell him! I'll add an extra 50MB to your home folder quota and £10 of printing credit for the library if you stay quiet.

    I actually own the very JetDirect that served me well (<3). They upgraded all the print servers just before I left and they were throwing the old ones out...so I rescued my favourite one. It's still pretty solid and still works. I have it attached to a LaserJet 4050 from the same era...it's properly configured and locked down though. It is also isolated to its own VLAN with no internet access.

    1. Mowserx

      Re: Print Spooler

      In high school, our library had some menu interface that was used to launch Windows 3.x applications. This way they were able to limit what you could launch. Or so they thought.

      There wasn’t any file system security (this was before NTFS), so if you knew what you were doing it was trivial to work around. I would use the menu to launch WordPerfect, and within WordPerfect I would open up one of the other .exe files accessible from the menu (e.g. notepad), do a Save As to something like notepad.ex_ to back it up, then from within WordPerfect open command.com and save it over the original notepad.exe. Then I would go to the menu and launch “notepad”, which instead gave me a DOS prompt. At the end of the period I would revert the files back.

      Our library also had a really cool laser printer that I wanted to use to print stuff I made at home. So at home I’d print to a file, copy the file to floppy, then at school copy the file straight to lpt1.

      1. Anonymous Coward

        Re: Print Spooler

        Oh man, aside from printer antics I had lots of backdoors like this.

        Launching explorer from within Word using the auto hyperlink feature, launching CMD.exe from mspaint, getting system privileges from Task Scheduler launching CMD.exe, swapping out the login.scr file for CMD.exe...tons of options.

        Windows was, is and always will be a fucking mess.

  3. Anonymous Coward

    Builtin\Pre-Windows 2000 Compatible Access

    Well, I've looked at four domains so far and all have different memberships for that group! All bar one have Authenticated Users in it.

    Let's see what happens! Incidentally, Builtin\Users needs Authenticated Users in it or AD certificates don't mint anywhere apart from the box with the CA on it. So, give it a go, but you'll need to really look deep for problems.
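
    The mitigation in the article and the membership survey in the comment above both come down to one question: who is in Builtin\Pre-Windows 2000 Compatible Access, and does that include a broad principal such as Authenticated Users or Everyone? The following PowerShell is an added example (not from the article or from any commenter) that answers it for one domain. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read group membership in the target domain; the well-known SIDs it uses are standard Windows values, and the `-Server` parameter is how you would repeat the check across several domains as the commenter did.

```powershell
# Added example: audit Builtin\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
# and flag broad principals that make the group effectively open to every user.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Well-known SIDs are used instead of names so the check also works on
# localised domains where the display names differ.
$PreWin2kSid = 'S-1-5-32-554'
$BroadSids = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
}

function Get-PreWin2kMembership {
    param(
        # Domain to query; defaults to the domain the caller is joined to.
        [string]$Server = (Get-ADDomain).DNSRoot
    )
    # Read the raw member DNs rather than using -Recursive, because the broad
    # principals are foreignSecurityPrincipal objects and are easiest to
    # identify by resolving each DN to its objectSid.
    $group = Get-ADGroup -Identity $PreWin2kSid -Server $Server -Properties member
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid, sAMAccountName
        $sid = $obj.objectSid.Value
        $name = if ($BroadSids.ContainsKey($sid)) { $BroadSids[$sid] }
                elseif ($obj.sAMAccountName)      { $obj.sAMAccountName }
                else                              { $obj.Name }
        [pscustomobject]@{
            Domain  = $Server
            Member  = $name
            Sid     = $sid
            Class   = $obj.ObjectClass
            IsBroad = $BroadSids.ContainsKey($sid)
        }
    }
}

# Usage: run once per domain, e.g. Get-PreWin2kMembership -Server child.example.com
$members = Get-PreWin2kMembership
$members | Format-Table Domain, Member, Sid, Class, IsBroad -AutoSize

$broad = $members | Where-Object IsBroad
if ($broad) {
    Write-Warning ("Pre-Windows 2000 Compatible Access contains broad principals: " +
                   ($broad.Member -join ', '))
    # The removal itself is a single call; it is left commented out so the
    # audit stays read-only. As the commenter notes, test for breakage first.
    # Remove-ADGroupMember -Identity $PreWin2kSid -Members $broad.Sid -Confirm:$false
} else {
    Write-Host "No broad principals found in Pre-Windows 2000 Compatible Access."
}
```

    Running the audit before and after the change gives you a record of what was removed, and the `Domain` column makes it straightforward to merge the output from several domains into one report when, as in the comment, each one turns out to have a different membership.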

  4. Roger Kynaston

    lots of work for my Windows friends

    I'm sure that my time will come though. CUPS must be ripe for a rce vuln?

    1. Anonymous Coward

      Re: lots of work for my Windows friends

      True, but CUPS isn't installed by default on all distros.

      CUPS is already widely known to be fucking crap as well, vulnerabilities don't matter if the fucking thing doesn't work properly in the first place. The sheer number of times I've wrestled with CUPS is insane. If you have a ye olde printer or an enterprise printer, it's usually fine...but if you have some cheapo low end modern thing, a PC World special...you're probably fucked.

      To be fair though, usually it's printers made by the likes of Konica-Minolta or Kyocera that are problematic because their drivers generally suck cross platform. Especially Minolta. Kyocera is about 50/50.

      My advice is to use a basic print server device and plug your printer into that, then use a generic PCL driver. 99% of the time, it'll be fine.

      Next week...we'll discuss scanning in Linux. Get your rope thrown over a good beam, because it's a fucker of a topic.

    2. Anonymous Coward

      Re: lots of work for my Windows friends

      It needs to work properly first.
