… any printer remotely
No installation media required
Required configuration is retrieved from the print server
Allows clients to install drivers hosted on print servers, even without admin privileges
Source: Point and Print documentation
… client computers will check the driver signature of all drivers that are downloaded from print servers
If Point and Print is misconfigured on a patched, up-to-date OS, PrintNightmare may come back to haunt you!
MPP can also be abused via "Bring Your Own (Vulnerable) Driver"
https://github.com/jacob-baines/concealed_position
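The slide above says that a misconfigured Point and Print policy is what keeps PrintNightmare alive on an otherwise patched host. The following PowerShell audit is an added example, not part of the original slides: it reads the Point and Print policy values and flags any that still permit non-administrators to install print drivers. The registry path and the three value names (NoWarningNoElevationOnInstall, UpdatePromptSettings, RestrictDriverInstallationToAdministrators) are taken from Microsoft's PrintNightmare hardening guidance and are assumptions here; the hardened values are those guidance recommends, and absence of a value is reported for review because its effective default depends on the OS build.

```powershell
# Added example (not from the original slides): audit the Point and Print policy
# values that decide whether a non-admin user can install print drivers.
# Registry path and value names are assumed from Microsoft's Point and Print /
# PrintNightmare hardening guidance; verify them against current documentation
# for your OS build before relying on this check.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Hardened values: keep the warning/elevation prompt on install (0), keep the
# prompt on driver update (0), and restrict driver installation to admins (1).
$expected = @{
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
    RestrictDriverInstallationToAdministrators = 1
}

function Get-PointAndPrintFinding {
    param([string]$Name, [int]$Hardened)
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: behaviour falls back to the build's default, which for
        # RestrictDriverInstallationToAdministrators was "not restricted" before
        # the August 2021 servicing update. Report it for manual review.
        return [pscustomobject]@{ Value = $Name; Current = 'not set'; Hardened = $Hardened; Status = 'REVIEW' }
    }
    $current = $item.$Name
    $status  = if ($current -eq $Hardened) { 'OK' } else { 'WEAK' }
    [pscustomobject]@{ Value = $Name; Current = $current; Hardened = $Hardened; Status = $status }
}

$findings = foreach ($name in $expected.Keys) {
    Get-PointAndPrintFinding -Name $name -Hardened $expected[$name]
}
$findings | Format-Table -AutoSize

if ($findings.Status -contains 'WEAK') {
    Write-Warning 'Point and Print still allows non-admin driver installation; enforce the hardened values via Group Policy.'
}
```

Run it in an elevated PowerShell session on a domain member; a WEAK result on any row means the host falls into the "misconfigured on a patched OS" case the slide warns about, and the fix is to set the policy values centrally rather than per host.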
… that all of the driver components in your package are configured for use during a point-and-print operation. Point and print enables a Windows user to create a connection to a remote printer without providing disks or other installation media.
Source: Point and Print documentation
… the other hand, may need to be manually installed or configured by the user. This could involve downloading the driver from the manufacturer's website, compiling it from source code, or executing an installation script provided by the manufacturer.
Source: Point and Print documentation
… functionality to add printer drivers
Normal domain users can add drivers to any machine (abuse)
No proper privilege validation is performed (spoiler: instant EoP, elevation of privilege)
Payload can easily be loaded as a DLL file (locally or via remote SMB)
Caveat: the DLL lands on disk; a workaround is needed for AV evasion
… be a domain user authenticated on the machine
Attacker tries to add a printer driver via AddPrinterDriverEx()
Loads a malicious DLL as the printer driver
Runs the DLL in SYSTEM context
… a UNC path
But pConfigFile is not validated and can be a UNC path
pConfigFile becomes controllable and can be used to load arbitrary DLL files (local or network)
… privilege check bypass to load SeLoadDriverPrivilege
Privilege elevation happens
Tries to install the driver with the malicious DLL
Code execution happens in SYSTEM context
2 ransomware groups employed PrintNightmare for privilege escalation (local/domain)
https://thehackernews.com/2021/08/ransomware-gangs-exploiting-windows.html