PrintNightmare: Critical Print Spooler Vulnerability Allows Windows Users to Remotely Execute Code as SYSTEM
The Ashco security team is aware of unconfirmed reports of in-the-wild exploitation of a newly discovered zero-day affecting the Microsoft Windows Print Spooler. At first it was thought to be CVE-2021-1675 (Windows Print Spooler Remote Code Execution Vulnerability), which was first disclosed in the June 2021 Microsoft Patch Tuesday release. However, the latest findings appear to be either a variant of that vulnerability or possibly a new one altogether. Microsoft has since published the vulnerability details under CVE-2021-34527, because the attack vector is different.
Last week, security researchers at QiAnXin Technology published a video of a working proof of concept exploiting CVE-2021-1675, demonstrating that the vulnerability could be exploited both locally and remotely. After their proof of concept was disclosed, QiAnXin noticed that on June 21st Microsoft had changed the title of the vulnerability to reflect the remote code execution aspect. Microsoft also changed the vulnerability's rating from its original designation (high severity, privilege escalation) to critical severity, remote code execution. However, the current write-up for CVE-2021-1675 still states that this is a local vulnerability, adding to the confusion.
In addition, researchers at Sangfor Security, who were working in parallel on their own findings, published a working proof of concept for exploitation on GitHub this past Tuesday (June 29th). This detailed proof of concept has since been taken down, but multiple cached copies still exist. Neither QiAnXin nor Sangfor has been credited for their disclosures, nor for CVE-2021-1675. This may be because neither issue was reported to Microsoft via the responsible disclosure process, or because they are not actually related to CVE-2021-1675 at all.
The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of its parameters is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. Another argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service, spoolsv.exe, loading and executing code from an attacker-chosen DLL file with SYSTEM privileges.
While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option enabled.
By sending an RpcAddPrinterDriverEx() RPC request, e.g. over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Microsoft has partially addressed this issue in its update for CVE-2021-1675. Windows systems that are configured as domain controllers, and those that have Point and Print configured with the NoWarningNoElevationOnInstall option enabled, remain vulnerable. On such systems, our security experts recommend that system administrators disable the Windows Print Spooler service on domain controllers as an immediate mitigation for PrintNightmare. In addition, ensure that your endpoint AV and network IPS signatures are up to date to block any malicious activity.
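The following PowerShell script is an added audit and mitigation example written for this advisory; it is not part of the original text, nor Microsoft's own guidance. It checks the conditions the advisory says leave a host exposed after the CVE-2021-1675 update (a domain controller with the spooler running, or Point and Print with NoWarningNoElevationOnInstall set), then applies the recommended mitigation of disabling the Print Spooler service on domain controllers. The registry path used for the Point and Print policy and the related UpdatePromptSettings value are assumed to be the standard Windows locations for these settings; the function names are our own.

```powershell
# Added audit/mitigation script (not from the original advisory). Assumes the standard
# Point and Print policy key below; UpdatePromptSettings is a related value in the same
# key and is included for completeness. Run in an elevated PowerShell session.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintSpoolerExposure {
    # Gather the facts that decide whether the CVE-2021-1675 update still leaves this host
    # exposed: is it a domain controller, is the spooler running, and is the Point and Print
    # elevation warning suppressed.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = ($role -eq 4) -or ($role -eq 5)

    $noWarn = $null
    $updatePrompt = $null
    if (Test-Path -Path $PointAndPrintKey) {
        $policy = Get-ItemProperty -Path $PointAndPrintKey
        $noWarn = $policy.NoWarningNoElevationOnInstall
        $updatePrompt = $policy.UpdatePromptSettings
    }

    $spoolerStatus = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
    $spoolerStart = if ($spooler) { [string]$spooler.StartType } else { 'NotInstalled' }
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    $warningSuppressed = ($noWarn -eq 1)

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        IsDomainController            = $isDc
        SpoolerStatus                 = $spoolerStatus
        SpoolerStartType              = $spoolerStart
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings          = $updatePrompt
        # Exposed per the advisory: spooler running on a DC, or the Point and Print warning suppressed
        StillExposedAfterPatch        = $spoolerRunning -and ($isDc -or $warningSuppressed)
    }
}

function Disable-PrintSpooler {
    # Immediate mitigation from the advisory for domain controllers (and any host that does
    # not need to print): stop the service and keep it from starting again at boot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
}

function Set-PointAndPrintWarningEnforced {
    # For hosts that must keep printing: make sure the Point and Print policy no longer
    # suppresses the elevation warning (0 = warning and elevation prompt are shown).
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PointAndPrintKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name UpdatePromptSettings -Value 0 -Type DWord
}

# Usage: audit first, then mitigate according to the result.
$exposure = Get-PrintSpoolerExposure
$exposure | Format-List

if ($exposure.StillExposedAfterPatch -and $exposure.IsDomainController) {
    Disable-PrintSpooler
} elseif ($exposure.StillExposedAfterPatch) {
    Set-PointAndPrintWarningEnforced
}
```

Run the audit function alone across a fleet first (for example via Invoke-Command) to see which hosts report StillExposedAfterPatch, and only then apply the mitigation: disabling the spooler on a domain controller is safe, but on print servers the policy fix is the appropriate step, since stopping the service there breaks printing.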