PrintNightmare: Remote Code Execution in Windows Spooler Service

Update: Subsequent to publishing this article, Microsoft released security updates to address the vulnerabilities. We recommend you install these updates immediately. However, cybersecurity researchers continued to discover new related vulnerabilities and publish exploits. To help you check if your systems are still vulnerable, read our latest PrintNightmare blog.

Two vulnerabilities affecting the Windows Print Spooler service have been disclosed and require the urgent attention of security teams in all industries. These risks are particularly concerning because the vulnerable service is enabled by default on Windows domain servers, the most sought-after target for any attacker. A domain controller is the backbone of the IT infrastructure: it stores user account information and handles security authentication requests. Access to such a system can allow threat actors to remotely execute code with administrative-level privileges.

The vulnerabilities are tracked with the CVE numbers CVE-2021-1675 and CVE-2021-34527. The first vulnerability, CVE-2021-1675, was reported to Microsoft and patched on June 8th, 2021. CVE-2021-34527 was later issued to track an additional security issue in the same Windows component. IMPORTANT: as of this writing, Microsoft is still working on a patch, and no fix for this vulnerability is yet available.

The issue escalated when a proof of concept was published by researchers who initially thought that CVE-2021-1675 and the corresponding patch covered a series of issues in Windows Print Spooler. Unfortunately, it turned out that the available patch was limited in scope. Microsoft then confirmed the presence of vulnerable code in all versions of Windows Server, going all the way back to Windows 7, 8 and 8.1, and up to and including Windows 10.

We urge all security teams to take the measures outlined in this blog as soon as possible.

PrintNightmare: Exploiting the Vulnerability Is Simple

The exploit that takes advantage of the vulnerability described in CVE-2021-34527 is quite simple. A user with low-level access uploads a malicious DLL file to any shared folder reachable by a target system that has the Print Spooler service enabled. Next, the user triggers the exploit, which causes the DLL to be executed with escalated privileges. It is important to note that there are two necessary preconditions for the exploit to work on a targeted system:

  • The threat actor holds legitimate low-level user credentials.
  • The Print Spooler service is enabled.

The Print Spooler service is used, amongst other things, to provide remote printing services. It’s a commonly used service in the Windows ecosystem.

For example, the execution of the POC (Proof of Concept) shown below will lead to the malicious DLL being executed on the target system.

Figure: Execution of the POC script.
Figure: Execution of the malicious DLL in a remote share folder.

The Impact of PrintNightmare Is HIGH

The impact of exploiting this vulnerability is quite high. The combination of a leaked POC with only a partial patch available from Microsoft creates a worst-case scenario, in which all Windows systems with the service enabled are vulnerable until a proper patch is available. The number of exploited systems is currently unknown, but according to Microsoft there are indications that the exploit has been used in the wild.

The biggest concern is obviously for Domain Controllers, as they’re the most sought-after target for any attacker. A domain controller is a server that responds to authentication requests and verifies users on computer networks. A domain is a hierarchical logical structure that allows users with different access rights to use resources in a common environment. It manages many services, from shared folder access rights to printers and connectivity services. This exploit puts Domain Controllers under the spotlight as a common high-value target for threat actors, as they are the backbone of an organization.

Mitigations for PrintNightmare

Until a patch is available, the only method to prevent exploitation is to restrict or disable the vulnerable Print Spooler service. While the operational impact is moderate, hindering the printing functionality of the system, the exploit is severe enough to justify such measures.

According to Microsoft/ICS-CERT [1], two possible options are available:

  • Completely disable the vulnerable Print Spooler service. This will make printing unavailable.
  • Disable inbound remote printing through Group Policy.

Figure: A flowchart to help understand exploitation of CVE-2021-34527 [2].
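As an added example (not from the original post), the following PowerShell applies either of the two options above on a single host and shows the before/after state. Instead of going through the Group Policy editor it writes the registry value that, to my knowledge, the "Allow Print Spooler to accept client connections" policy sets (RegisterSpoolerRemoteRpcEndPoint, an assumption here), so on domain-joined machines the central policy should be preferred.

```powershell
# Added example, not from the original post. Run from an elevated shell.
# DisableService = stop and disable the Spooler (no printing at all).
# BlockRemote    = keep local printing, refuse inbound client connections.
param(
    [ValidateSet('DisableService', 'BlockRemote')]
    [string]$Mode = 'BlockRemote'
)

# Assumption: this is the value written by the Group Policy setting
# "Allow Print Spooler to accept client connections" (2 = disabled, 1 = enabled).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Summarise the current state so the change can be verified afterwards.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus     = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType  = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemotePrintPolicy = if ($pol) { $pol.$PolicyName } else { 'NotConfigured' }
        # Exposed when the service can run AND inbound connections are not blocked.
        Exposed = ($svc -and $svc.StartType -ne 'Disabled') -and
                  (-not $pol -or $pol.$PolicyName -ne 2)
    }
}

'Before:'; Get-SpoolerExposure | Format-List

switch ($Mode) {
    'DisableService' {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'BlockRemote' {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 2 -Force | Out-Null
        # The spooler reads the policy at start-up, so restart it for the change to apply.
        Restart-Service -Name Spooler -Force
    }
}

'After:'; Get-SpoolerExposure | Format-List
```

The `Exposed` field should read `False` after either option; if it is still `True` after `BlockRemote`, check whether a domain policy is overriding the local value.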

Detection of PrintNightmare Exploitation

The relevant traffic for detecting exploitation uses the SMB protocol. If SMB3, or SMB3 over SMB2, is used, the traffic will be encrypted. Anomaly detection can still flag encrypted use of the protocol, whereas classic Snort signature rules will not be effective. If an unencrypted flavor of SMB is used, on the other hand, malicious traffic can be identified using signature-based threat detection.

On servers, the PrintService log should be enabled on endpoints, as it records remote access attempts. Additionally, an antivirus solution should be used to block malicious files.
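As an added example (not from the original post), this PowerShell enables the PrintService operational log described above and then pulls recent driver-install and plug-in load-failure events for review. The event IDs 316 and 808 come from my own knowledge of the PrintService logs, not from the post, and are assumptions here.

```powershell
# Added example, not from the original post. Run from an elevated shell.
# Assumed event IDs: 316 (Operational) = printer driver added or updated,
#                    808 (Admin)       = spooler failed to load a plug-in module.
$OperationalLog = 'Microsoft-Windows-PrintService/Operational'
$AdminLog       = 'Microsoft-Windows-PrintService/Admin'

function Enable-PrintServiceLog {
    # The Operational channel is disabled by default; wevtutil turns it on.
    $log = Get-WinEvent -ListLog $OperationalLog
    if (-not $log.IsEnabled) {
        & wevtutil.exe set-log $OperationalLog /enabled:true
    }
    Get-WinEvent -ListLog $OperationalLog | Select-Object LogName, IsEnabled, MaximumSizeInBytes
}

function Get-SuspiciousSpoolerEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # A driver install on a server that should not receive new drivers, or a
    # plug-in load failure close to one, is worth a closer look.
    $filters = @(
        @{ LogName = $OperationalLog; Id = 316; StartTime = $since },
        @{ LogName = $AdminLog;       Id = 808; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

Enable-PrintServiceLog
Get-SuspiciousSpoolerEvents -Hours 72 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Forward these channels to a central collector so the events survive if the host is compromised.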

The Danger of Vulnerabilities to Widely Used Systems

The Windows Print Spooler vulnerability shows the danger of vulnerabilities in widely used systems. While the disclosure of vulnerabilities and the release of exploits for them involve dynamics that organizations cannot control, security teams do control vulnerability monitoring and swift mitigation. We urge you to ensure that you have the people, processes and technology in place to act quickly when a vulnerability such as PrintNightmare is made public.

Vulnerability Advisories

| Vulnerability | Category | Patched | Coverage (latest GA 21.1.1-06030723 / TI 202107020854) |
| --- | --- | --- | --- |
| CVE-2021-1675 | Privilege Escalation/RCE | Yes (8th of June) | Yes |
| CVE-2021-34527 | Privilege Escalation/RCE | No | Yes |

References:

  1. https://www.kb.cert.org/vuls/id/383432
  2. https://twitter.com/StanHacked/status/1412060814488608773