Microsoft security advisory - new vulnerability in the Windows Print Spooler feature.

I always do disable the printer spooler because I never use a printer, so it's a useless use of resources. All those processes for printing should be able to be removed from the install of a fresh copy of Windows.
Still requires an exploited system to pull off.
Astyanax:

Still requires an exploited system to pull off.
You might need to see a therapist for that.
Astyanax:

Still requires an exploited system to pull off.
It doesn't require an exploited system, it just requires you to have access to a system. Phishing a regular user, even initiating a TeamViewer session with a regular payroll or maintenance or whatever employee, will get you the access you need to take over the entire domain. If you can get logged in via any means as anyone, you can make it happen. It's a big big big flaw.
Reardan:

It doesn't require an exploited system, it just requires you to have access to a system. Phishing a regular user, even initiating a TeamViewer session with a regular payroll or maintenance or whatever employee, will get you the access you need to take over the entire domain. If you can get logged in via any means as anyone, you can make it happen. It's a big big big flaw.
It requires a trojan-compromised administrator-level account that can add compromised spool drivers. A standard user cannot add or remove spool drivers; the only way a standard user is getting a compromised driver is by having a print server up the line serving a compromised driver to client systems. This exploit is not browse-by or remotely triggerable without a trojan already permitting privilege escalation. PS: once you have physical access to the machine, the accounts mean little.
Astyanax:

It requires a trojan-compromised administrator-level account that can add compromised spool drivers. A standard user cannot add or remove spool drivers; the only way a standard user is getting a compromised driver is by having a print server up the line serving a compromised driver to client systems. This exploit is not browse-by or remotely triggerable without a trojan already permitting privilege escalation. PS: once you have physical access to the machine, the accounts mean little.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958 Where do you see that it requires physical access, or a trojan? And it doesn't have to be a compromised print server on the network, it can just be a public facing print server you control. I did get my print nightmares mixed up otherwise. This is only local escalation, not domain like before. Aside from that though idk where you got your information.
Reardan:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958 Where do you see that it requires physical access, or a trojan? And it doesn't have to be a compromised print server on the network, it can just be a public facing print server you control. I did get my print nightmares mixed up otherwise. This is only local escalation, not domain like before. Aside from that though idk where you got your information.
As stated in the article from that link: "Local". If you expand it you will see the following:
The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document)
Which is pure logic when you have deeper insight into Windows and its service stack, so Astyanax is completely correct in his claims.
It literally says "remotely or via user interaction." It does not say physical access is required. Physical access means you need to solder, or remove, or short, or do something physical to the machine that you can ONLY do when there... It doesn't mean manipulating the keyboard. Guys, come on, what is this? https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17099 This is an example of an attack requiring PHYSICAL ACCESS; you can see that because the Vector says PHYSICAL. Local and physical are different.
Still don't care; the printer spool service has been disabled for 15+ years and has been turned on maybe 10 times in that time.
Reardan:

It literally says "remotely or via user interaction." It does not say physical access is required. Physical access means you need to solder, or remove, or short, or do something physical to the machine that you can ONLY do when there... It doesn't mean manipulating the keyboard. Guys, come on, what is this? https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17099 This is an example of an attack requiring PHYSICAL ACCESS; you can see that because the Vector says PHYSICAL. Local and physical are different.
Thank you for basically misunderstanding what you've read but confirming it anyway. The print server must already be exploited locally, via trojan or ignorant user believing a tech support scam to serve clients a malformed driver allowing access into the clients remotely.
And yet, they want to release Windows 365? That's stupid. You might want to think twice about using it in a Chrome-built browser.
Astyanax:

Thank you for basically misunderstanding what you've read but confirming it anyway. The print server must already be exploited locally, via trojan or ignorant user believing a tech support scam to serve clients a malformed driver allowing access into the clients remotely.
Why even comment then? In an enterprise environment the print spooler is used for everything from network printing to PDFs, and even Adobe updates rely on the print spooler. Those are obviously going to be the targets, not people like you. In this type of environment just turning off the print spooler is not an acceptable solution.
warezme:

In an enterprise environment the print spooler is used for everything from network printing to PDFs, and even Adobe updates rely on the print spooler. Those are obviously going to be the targets, not people like you. In this type of environment just turning off the print spooler is not an acceptable solution.
If your print spooler is exploited, your IT is a moron. Please comprehend before responding. The print server has to be actively exploited before this attack can be used.
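A read-only host check that settles the points argued in this thread for one machine: whether the Spooler service is running, whether non-administrators may install print drivers via Point and Print, and whether the spooler accepts remote client connections. This is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 5.1 or later, and the registry paths are the documented Point and Print and Printers policy locations.

```powershell
# Added example: read-only audit of a host's Print Spooler exposure.
# Assumes Windows PowerShell 5.1+. Makes no changes to the system.
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $findings = New-Object System.Collections.Generic.List[string]

    if ($svc -and $svc.Status -eq 'Running') { $findings.Add('Spooler service is running') }
    if ($svc -and $svc.StartType -ne 'Disabled') {
        $findings.Add("Spooler start type is $($svc.StartType), not Disabled")
    }

    # Point and Print: an explicit 0 lets non-admins install print drivers,
    # which is exactly the condition the thread argues about.
    $restrict = Get-PolicyValue $PointAndPrint 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators is 0 (non-admins may install drivers)')
    } elseif ($null -eq $restrict) {
        $findings.Add('RestrictDriverInstallationToAdministrators not configured; verify the platform default')
    }
    # Suppressed warning/elevation prompts on driver install or update.
    if ((Get-PolicyValue $PointAndPrint 'NoWarningNoElevationOnInstall') -eq 1) {
        $findings.Add('NoWarningNoElevationOnInstall is 1 (no prompt on driver install)')
    }
    if ((Get-PolicyValue $PointAndPrint 'UpdatePromptSettings') -eq 2) {
        $findings.Add('UpdatePromptSettings is 2 (no prompt on driver update)')
    }

    # 2 means "Allow Print Spooler to accept client connections" is disabled,
    # so the host is not acting as a remotely reachable print server.
    $remote = Get-PolicyValue $PrintersPol 'RegisterSpoolerRemoteRpcEndPoint'
    if ($svc -and $svc.Status -eq 'Running' -and $remote -ne 2) {
        $findings.Add('Spooler accepts remote client connections (RegisterSpoolerRemoteRpcEndPoint is not 2)')
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Status   = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Findings = $findings
    }
}

Get-SpoolerExposure | Format-List
```

An empty Findings list means the spooler is stopped and disabled; a workstation that must keep the service for local printing should at least show no Point and Print findings and the remote-connections finding cleared.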