Security researchers have published proof-of-concept (PoC) code for a remote code execution (RCE) vulnerability in the Windows Print Spooler. The PoC code was deleted again shortly afterwards, but it must be assumed that copies were made before that. The CVE-2021-1675 vulnerability allows an attacker to gain remote access to a Windows Domain Controller and take it over.
Vulnerability CVE-2021-1675 and the PoC
I first came across the issue via the following tweet, which is described in more detail in this article.
According to Tenable, in late June 2021, two different research teams published information about CVE-2021-1675, which is a remote code execution (RCE) vulnerability in the Windows Print Spooler known as PrintNightmare.
Vulnerability only partially patched in June 2021 release
When the vulnerability was originally published on the June 2021 patchday and closed by the June 2021 update, it still carried a lower severity rating, since only a local code execution that could be used to gain elevated privileges was known at the time. On June 21, 2021, however, the rating was raised to Critical because of the possibility of remote code execution (RCE). The discovery was credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE, and Yunhai Zhang of NSFOCUS TIANJI Lab.
On June 28, the QiAnXin research team tweeted a GIF showing the successful exploitation of CVE-2021-1675 to obtain RCE without technical details or proof-of-concept (PoC) code. On June 29, Sangfor researchers published a full technical description with PoC code on GitHub.
However, this repository was removed after only a few hours. The tweet above says the code was withdrawn because the researchers' submitted paper had been accepted at the Black Hat conference in the US. It is unclear whether the researchers decided to share their PoC because of QiAnXin's tweet. They claim to have discovered the vulnerability independently of those credited in Microsoft's disclosure. But as of this writing, the genie is out of the bottle: the GitHub repository had already been copied by third parties before it was deleted.
Vulnerability allows RCE, June patch doesn't help
Exploiting CVE-2021-1675 could allow remote attackers to take full control of vulnerable systems. To achieve RCE, an attacker needs to act as a user who can authenticate to the spooler service; without that, the flaw can still be exploited to elevate privileges. Tenable's advice is to install the June 2021 updates provided by Microsoft on the affected Windows systems, although, as the following paragraph shows, that turned out not to be sufficient.
In the tweet above, someone points out that a fully patched Windows Server 2019 domain controller could be compromised from a regular domain user account with a 0-day exploit (CVE-2021-1675), gaining full SYSTEM privileges. The advice is to disable the Print Spooler service on servers that don't need it. Other security researchers such as Will Dormann and Mitja Kolsek confirm this.
To detect exploitation of CVE-2021-1675 (PrintNightmare), this tweet advises looking for kernelbase.dll, unidrv.dll and any other DLLs written by spoolsv.exe into subfolders of C:\Windows\System32\spool\drivers\ within the same short period.
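As an added example (my own code, not from the tweet or the researchers quoted above), here is how an administrator would check whether a server still needs the Print Spooler and, if not, stop and disable it from an elevated PowerShell session. It assumes the service name "Spooler" (the internal name of "Print Spooler") and uses the Win32_ComputerSystem DomainRole value to flag domain controllers:

```powershell
# Added example, not code from the original post: check whether a server still
# needs the Print Spooler and, if not, stop and disable it. Run in an elevated
# PowerShell session. Assumption: the service name is "Spooler" (the internal
# name of "Print Spooler" on all supported Windows versions).

function Get-PrintSpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # Shared printers are the usual reason a server actually has to spool.
    $shared = Get-CimInstance -ClassName Win32_Printer -ErrorAction SilentlyContinue |
        Where-Object { $_.Shared }
    # DomainRole 4 = backup DC, 5 = primary DC
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    [pscustomobject]@{
        Status             = $svc.Status
        StartType          = $svc.StartType
        SharedPrinters     = @($shared).Count
        IsDomainController = $isDc
    }
}

function Disable-PrintSpooler {
    param([switch]$Force)
    $state = Get-PrintSpoolerState
    if ($state.SharedPrinters -gt 0 -and -not $Force) {
        Write-Warning "Host shares $($state.SharedPrinters) printer(s); re-run with -Force if the spooler really is not needed."
        return $state
    }
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Get-PrintSpoolerState
}

Get-PrintSpoolerState
# Disable-PrintSpooler    # run on servers (domain controllers in particular) that do not print
```

Disabling the service is the blunt instrument: it stops the host from printing and from sharing printers, which is why the check for shared printers is there before the service is turned off.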
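The following is an added example of that detection advice in PowerShell (my own script, not something from the tweet). It lists every DLL written under the spool driver directory within a lookback window, sorted by write time so that a cluster of DLLs dropped together stands out, and flags the two names mentioned above. The second function is an assumption on top of the advice: it requires Sysmon with a rule that logs FileCreate (event ID 11) for that path, and filters for files written by spoolsv.exe.

```powershell
# Added example, not the tweet's own script: list DLLs recently written under the
# spool driver directory and, if Sysmon is installed (an assumption), the
# FileCreate events in which spoolsv.exe wrote them.

$DriverRoot = 'C:\Windows\System32\spool\drivers'
$Since      = (Get-Date).AddHours(-24)          # lookback window, adjust as needed
$KnownNames = 'kernelbase.dll', 'unidrv.dll'    # DLL names given in the detection advice

function Get-RecentSpoolDlls {
    param([string]$Root = $DriverRoot, [datetime]$After = $Since)
    Get-ChildItem -Path $Root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $After } |
        Sort-Object LastWriteTime |
        Select-Object FullName, LastWriteTime, Length,
            @{ n = 'NamedInAdvice'; e = { $KnownNames -contains $_.Name.ToLower() } }
}

function Get-SpoolerFileCreateEvents {
    # Sysmon event ID 11 = FileCreate. Requires Sysmon with a rule covering this path.
    param([datetime]$After = $Since)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $After }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.Image -like '*\spoolsv.exe' -and $d.TargetFilename -like "$DriverRoot\*") {
            [pscustomobject]@{ Time = $_.TimeCreated; Target = $d.TargetFilename; Image = $d.Image }
        }
    }
}

$dlls = Get-RecentSpoolDlls
if ($dlls) { $dlls | Format-Table -AutoSize } else { "No DLLs written under $DriverRoot since $Since" }
Get-SpoolerFileCreateEvents | Format-Table -AutoSize
```

A legitimate driver installation also writes DLLs into that tree, so the interesting signal is a cluster of files written at the same moment on a server that nobody installed a printer on, not a single hit on one of the names.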
More stuff to read and mitigate
Addendum: Since I published the text above, others have also written articles about this. Here are some links recommended for administrators to read:
Security researcher Kevin Beaumont, meanwhile, has compiled some information in this article and also discusses what can be done to detect attacks.
And my German blog readers have also pointed me to interesting write-ups that I'd like to mention. The first is a link left in this comment, dealing with the Print Spooler service in an Active Directory environment:
The question of how to disable the Print Spooler service on a domain controller is a bit more complex, as MVP Sander Berkouwer explains in this article.
And there is a nice write-up by Huntress in this article. While disabling the Print Spooler service isn't an option in all cases, a possible mitigation is to restrict the access control list (ACL) of the directory into which the exploit drops its malicious DLLs. Truesec describes the details, including a PowerShell script, in this blog post.
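As an added example of that ACL-based mitigation (my own code, not Truesec's script), the following adds an explicit Deny ACE for the SYSTEM account on the spool driver directory, so that spoolsv.exe, which runs as SYSTEM, can no longer write a DLL there, and provides a function to revert the change. It assumes the drop location is the directory named above, C:\Windows\System32\spool\drivers, and that it is run from an elevated session.

```powershell
# Added example, my own code rather than Truesec's script: deny the SYSTEM account
# Modify rights on the spool driver directory, so that spoolsv.exe (which runs as
# SYSTEM) can no longer write a DLL there, plus a function to revert the change.
# Run in an elevated session. Assumption: the exploit's drop location is the
# directory named in the text, C:\Windows\System32\spool\drivers. Side effect:
# legitimate printer driver installs and updates on this host fail until reverted.

$DriverRoot = 'C:\Windows\System32\spool\drivers'

function New-SystemDenyModifyRule {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\SYSTEM',
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Test-SpoolDriverDirectory {
    # $true if an explicit (non-inherited) Deny ACE for SYSTEM covering Modify is present.
    param([string]$Path = $DriverRoot)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        -not $_.IsInherited -and
        ($_.FileSystemRights -band $modify) -eq $modify
    })
}

function Protect-SpoolDriverDirectory {
    param([string]$Path = $DriverRoot)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-SystemDenyModifyRule))
    Set-Acl -Path $Path -AclObject $acl
    Test-SpoolDriverDirectory -Path $Path
}

function Unprotect-SpoolDriverDirectory {
    param([string]$Path = $DriverRoot)
    $acl = Get-Acl -Path $Path
    [void]$acl.RemoveAccessRule((New-SystemDenyModifyRule))
    Set-Acl -Path $Path -AclObject $acl
    Test-SpoolDriverDirectory -Path $Path
}

Test-SpoolDriverDirectory      # $false on an untouched system
# Protect-SpoolDriverDirectory   # apply the mitigation; Unprotect-SpoolDriverDirectory reverts it
```

Because the Deny ACE also blocks the spooler from installing legitimate drivers, this is a temporary measure for hosts that must keep printing: apply it, install the fix once it is available, then run the Unprotect function so driver updates work again.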
Patchday: Windows 10-Updates (June 8, 2021)
PoC for Windows print spooler vulnerability public, high RCE risk
Windows Print Spooler Vulnerability (CVE-2021-1675, PrintNightmare) Confirmed by MS; CISA Warns
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
The Chaos PrintNightmare Emergency Update (July 6/7, 2021)
Windows 10: Microsoft fixes Zebra & Dymo printer issues caused by update (e.g. KB5004945) via KIR
Crazy. Really a print nightmare.