Looking for a sample of the Microsoft zero day print nightmare
https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigations-for-windows-printnightmare-zero-day-bug/

Anyone know if this is delivered via email? I'm trying to make sure I block
the payload if it is. Would appreciate anyone reaching out to me off or on
list.

Regards, KAM
Re: Looking for a sample of the Microsoft zero day print nightmare
On 7/2/2021 6:39 PM, Kevin A. McGrail wrote:
> Anyone know if this is delivered via email? I'm trying to make sure I
> block the payload if it is.

I found a copy of the repo and see that it works by adding an evil
printer driver to the remote server over an IP connection. So email is a
vector if you allow executable attachments (including scripts).

I use MIMEDefang (a "milter" run from the MTA during message acceptance)
to block lots of extensions for all but a couple trusted recipients. I
quarantine zip files, although MD can check inside those recursively for
evil extensions. (MD also runs ClamAV and SpamAssassin and I have it set
to reject mail with a score of 10 or more.)
Re: Looking for a sample of the Microsoft zero day print nightmare
Kenneth Porter wrote:
>
> I found a copy of the repo and see that it works by adding an evil
> printer driver to the remote server over an IP connection. So email is
> a vector if you allow executable attachments (including scripts).

Yes.  Local Privilege Elevation then Remote Command Execution.  The
Chinese POC operators promise more exciting news at Black Hat later this
month.  Microsoft has already pushed a fix; at least for what they
know.  MSP source feed compromise seems ideal for pushing something like
this - Kaseya, SolarWinds, TeamViewer, VIPRE, etc. Any compromised
domain or workgroup user account will do.

> I use MIMEDefang (a "milter" run from the MTA during message
> acceptance) to block lots of extensions for all but a couple trusted
> recipients. I quarantine zip files, although MD can check inside those
> recursively for evil extensions. (MD also runs ClamAV and SpamAssassin
> and I have it set to reject mail with a score of 10 or more.)

Yes, I looked at that well over 10 years ago.  At that time I was
running a Slackware box which was memory bound.  I ended up running
Sendmail and a commercial milter from Snertsoft.  Blast from the past. 
I'm happy to see it is still alive and kicking.

On 7/2/2021 6:39 PM, Kevin A. McGrail wrote:
> Anyone know if this is delivered via email? I'm trying to make sure I
> block the payload if it is.

Kevin, I do not believe this has been bundled with any Email payload at
this time.  Considering the trouble with Emotet/TrickBot, I really have
some grief with the anti-virus community and the disconnect with the
anti-spam community.  I've never thought these were mutually-exclusive. 
In many cases, processing at the Email level can be far more effective
than ripping through binaries and inspecting threads on a computer.

The status quo is not sustainable.  Just from a national/homeland
security perspective it would be a noble project; perhaps worthy of your
foundation - belly of the beast and all that.

$0.02,

-- Jared Hall
Re: Looking for a sample of the Microsoft zero day print nightmare
On 7/3/2021 1:44 PM, Kenneth Porter wrote:
> On 7/2/2021 6:39 PM, Kevin A. McGrail wrote:
>> Anyone know if this is delivered via email? I'm trying to make sure I
>> block the payload if it is.
>
> I found a copy of the repo and see that it works by adding an evil
> printer driver to the remote server over an IP connection. So email is
> a vector if you allow executable attachments (including scripts).
>
> I use MIMEDefang (a "milter" run from the MTA during message
> acceptance) to block lots of extensions for all but a couple trusted
> recipients. I quarantine zip files, although MD can check inside those
> recursively for evil extensions. (MD also runs ClamAV and SpamAssassin
> and I have it set to reject mail with a score of 10 or more.)
Thank you to many who replied on and off list.  I did NOT find a sample
of anything except the repo exploit so hopefully it's not in the wild.

And Ken, I love MIMEDefang and use it as well.  Appriver and Zix donated
it to the McGrail Foundation (mcgrail.com) and the svn version has some
fixes and is stable.

DFS is also working on MailMunge which fixes a lot of the code design
she hates bringing a more modern filter structure to the concept.

With MIMEDefang, we do block a lot of extensions and we've published our
filter to do it before.  Under "Attachment Help" at
https://raptoremailsecurity.com/documentation you'll find the list and
the rationale.  Very good, real-world experience filtering gazillions of
emails using this list.

Regards,

KAM

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
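Both Kenneth's note that MIMEDefang can look inside zip attachments recursively for dangerous extensions and Kevin's mention of a published extension block list describe the same control: refuse or quarantine a message whose attachments, at any nesting level, carry an executable extension. The script below is an added stand-alone illustration of that check in Python; it is not MIMEDefang filter code (MIMEDefang filters are Perl) and not the Raptor list from the thread. The blocklist, the depth and member limits, and the sample archives are constructed here for the example. It also covers the edge cases a real filter has to decide on rather than skip: an unreadable archive, a password-protected member that cannot be inspected, and nesting deeper than the scanner is willing to follow, all of which are reported as findings rather than silently passed.

```python
import io
import os
import zipfile
from typing import List

# Constructed blocklist for this example only; the list the thread refers to
# is the one published under "Attachment Help" on the Raptor documentation page.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".ps1", ".hta", ".msi", ".dll", ".cpl", ".lnk", ".jar",
}
MAX_DEPTH = 3       # stop descending into nested archives past this depth
MAX_MEMBERS = 1000  # bound the work per archive (cheap zip-bomb protection)


def is_blocked_name(name: str) -> bool:
    """True if the final extension is on the blocklist. Case-insensitive, so
    'Invoice.PDF.exe' is caught by its real (last) extension."""
    _, ext = os.path.splitext(name.lower())
    return ext in BLOCKED_EXTENSIONS


def scan_zip(data: bytes, prefix: str = "", depth: int = 0) -> List[str]:
    """Return archive-relative paths of every member that should block the
    message. Conditions the scanner cannot resolve (bad zip, encrypted member,
    nesting too deep, too many members) are findings too: a scanner that gives
    up on awkward input is what a hostile attachment is built to exploit."""
    findings: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix}<unreadable zip>"]
    members = archive.infolist()
    if len(members) > MAX_MEMBERS:
        return [f"{prefix}<too many members: {len(members)}>"]
    for info in members:
        if info.is_dir():
            continue
        path = prefix + info.filename
        if is_blocked_name(info.filename):
            findings.append(path)
        elif info.filename.lower().endswith(".zip"):
            if depth >= MAX_DEPTH:
                findings.append(f"{path}<nesting too deep>")
                continue
            try:
                inner = archive.read(info)
            except RuntimeError:
                # zipfile raises RuntimeError for a password-protected member
                findings.append(f"{path}<encrypted, cannot inspect>")
                continue
            findings.extend(scan_zip(inner, path + "/", depth + 1))
    return findings


def verdict(data: bytes) -> str:
    """Policy decision for one zip attachment, mirroring a quarantine-or-accept
    milter outcome."""
    return "quarantine" if scan_zip(data) else "accept"


def build_sample_message_zip() -> bytes:
    """Constructed sample: an outer zip with a benign text file and a nested
    zip hiding a double-extension executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.PDF.exe", b"MZ placeholder, not a real binary")
        z.writestr("readme.txt", b"hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.txt", b"benign")
        z.writestr("docs/Archive.zip", inner.getvalue())
    return outer.getvalue()


def nest_zip(inner_name: str, inner_data: bytes, levels: int) -> bytes:
    """Constructed helper: wrap a file in `levels` zip archives, one inside
    the other, to exercise the depth limit."""
    data, name = inner_data, inner_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data


if __name__ == "__main__":
    sample = build_sample_message_zip()
    print(verdict(sample), scan_zip(sample))
    print(verdict(nest_zip("x.exe", b"", 5)), scan_zip(nest_zip("x.exe", b"", 5)))
```

Running it quarantines the sample because of `docs/Archive.zip/Invoice.PDF.exe`, and flags the five-deep archive for exceeding the nesting limit before ever reaching the executable. The depth and member caps are the part worth keeping whatever the surrounding filter is: recursive inspection without a budget turns the mail gateway itself into the denial-of-service target.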