Report: PrintNightmare

Executive Summary

On June 8, 2021, Microsoft released an advisory and patch for a critical vulnerability in the Windows Print Spooler. It was originally classified as a privilege escalation vulnerability. On June 27, 2021, researchers from QiAnXin claimed systems were still vulnerable after the patch and that the exploit could be used to gain remote code execution. A few days later researchers from Sangor released a proof-of-concept exploit on GitHub that validated the claim. The code was subsequently removed from GitHub, but the code was copied and is now in the wild. As the only patch for the vulnerability still leaves the system vulnerable to the exploit, the most effective mitigation strategy is to disable the Print Spooler service until an effective patch is released.

Technical Summary

The source of the vulnerability is the RpcAddPrinterDriver remote procedure call (link). The function installs a specified printer driver on the server via SMB. The service then installs and executes the driver using SYSTEM privileges. The service is enabled by default on Windows Server and Windows operating systems. This means that unless explicitly configured otherwise, all domain controllers are vulnerable to this exploit.

Note that the exploit can only be executed by an authenticated user to the spooler service.

A version of the PoC exploit can be downloaded from: https://github.com/afwu/PrintNightmare

Note: The authors of this PoC exploit claim they have more unknown vulnerabilities that they will disclose at their talk at BlackHat.

Details

CVE: CVE-2021-1675 AKA: PrintNightmare TYPE: Remote Code Execution Identified by: Microsoft Severity: CVSS v3.x: 7.8 Release date: June 8, 2021 Last update: June 21, 2021

Known Affected Software

• Microsoft Windows Server:
  • 2004
  • 2008
  • 2008 R2
  • 2012
  • 2012 R2
  • 2016
  • 2019
  • 20H2
• Microsoft Windows
  • 7
  • 8.1
  • RT 8.1
  • 10

Remediation

Currently, the only known remediation is to disable the Windows Print Spooler service. This should be done on all endpoints, servers and domain controllers. However, dedicated print servers will still be vulnerable.

Remediation Side-effects

Microsoft does not recommend disabling the print spooler service in general since Active Directory is unable to delete printer queues for printers that no longer exist on the network without at least one Domain Controller running the service.

Related Vulnerability

On July 1, 2021, Microsoft released CVE-2021-34527 that describes a remote code execution vulnerability in the Windows Print Spooler service. While the source is also the RpcAddPrinterDriver RPC, Microsoft claims this is a different vulnerability from CVE-2021-1675. This CVE has a CVSS 3.0 severity rating of 8.8 (higher than CVE-2021-1675). Since the vulnerability is in the same function, there is no viable patch for this vulnerability either.

History

The Print Spooler service has a long history of bugs and vulnerabilities. A bug in the service was exploited in the famous Stuxnet worm. More recently, two criticals exploits were discovered last year (CVE-2020-1048 and CVE-2020-1337).

Sources

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675
• https://nvd.nist.gov/vuln/detail/CVE-2021-1675
• https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/
• https://www.blumira.com/cve-2021-1675/
• https://www.helpnetsecurity.com/2021/06/30/poc-cve-2021-1675/
• https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability
• https://www.kb.cert.org/vuls/id/383432
• https://github.com/afwu/PrintNightmare