An infosec firm accidentally published proof-of-concept code for a critical Windows print spooler remote code execution vuln that could lead to compromise of Active Directory domain controllers.
Print spooler is a key Windows OS component and runs in the background, managing all the printing on your computer with varying success – as seen in the CPU-hogging rogues’ gallery in Task Manager.
The exploit, initially tracked as CVE-2021-1675, allows a low-privileged remote attacker to execute code on a target system. Initially Microsoft classified it as a privilege escalation flaw in June’s Patch Tuesday run of Windows updates – but on 21 June that classification was upped to describe it as an RCE.
Reclassification was for a good reason: infosec folk have realised that lightly tweaking proof-of-concept code circulating in the wild may allow ordinary users on a Windows domain to execute code with SYSTEM privileges.
CVE-2021-1675 is exploitable without any high privileges and results in remote SYSTEM from a regular Domain User’s account. The public PoC required little modification (I added ability to select domain) but works more or less out-of-the-box on a Windows 2019 DC. Patch quickly!
— Hacker Fantastic (@hackerfantastic) June 30, 2021
Currently scored at 7.8 on the CVSSv3.1 scale with a “critical” severity rating, CVE-2021-1675 affects Windows Server 2008, Server 2012, Server 2016, Server 2019, Windows RT, and desktop OSes 7, 8, and 10.
Informed infosec people on Twitter have suggested sysadmins should disable the Windows print spool service on domain controllers as an immediate mitigation. Some have claimed the Patch Tuesday mitigation doesn’t work.
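The mitigation the article keeps returning to, disabling the Print Spooler service on domain controllers that do not need it, can be applied across an estate in one pass. The script below is an added example written for this page, not code from The Register or from any of the researchers quoted; it assumes the ActiveDirectory RSAT module is available, that PowerShell remoting to the DCs works, and that `$Exceptions` (a constructed placeholder list) names the few DCs that legitimately host printers.

```powershell
# Added example, not from the article: inventory the Print Spooler service on
# every domain controller, then stop and disable it everywhere printing is not
# required. Assumes the ActiveDirectory module and PowerShell remoting to DCs.

$Exceptions = @('PRINT-DC01')   # constructed placeholder: DCs that must keep spooling

# Enumerate domain controllers from AD rather than from a hand-kept list.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# First pass: report current state so the change is reviewable before it is made.
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Status      = $svc.Status
        StartupType = $svc.StartType
    }
}
$report | Sort-Object Computer | Format-Table -AutoSize

# Second pass: stop the service and prevent it from returning on reboot.
foreach ($dc in $dcs) {
    $shortName = ($dc -split '\.')[0]
    if ($Exceptions -contains $shortName) {
        Write-Host "Skipping $dc (listed as a print host)"
        continue
    }
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
        # Echo the final state so the run log shows Stopped/Disabled per host.
        Get-Service -Name Spooler | Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, Status, StartType
    }
}
```

Running the report pass first matters: a DC that is also the only print server for a site will break printing if the spooler is disabled, which is why the exception list exists. Disabling the service also stops the DC from pruning stale printer objects from AD, a side effect worth noting in the change record.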
Matthew “Hacker Fantastic” Hickey told The Register: “In my opinion this is the most significant incident to happen to Windows enterprise systems this year and people need to prioritize disabling the print spooler service on domain controllers and mission critical servers to prevent exploitation of this issue.”
He told us the exploit works “on a fully patched and updated (as of yesterday) Windows 2019 domain controller” – as seen on Hickey’s posted screenshot of his test system with “the exploit being used”.
Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User’s account giving full SYSTEM privileges. Disable “Print Spooler” service on servers that do not require it. pic.twitter.com/6SUVQYy5Tl
— Hacker Fantastic (@hackerfantastic) June 30, 2021
He added: “It works from any domain user to exploit any network server using print spooler service, which is enabled by default on domain controllers.
“Ransomware gangs will be quick to use this in their attacks and previously compromised low-value desktops could be used to take control of the entire Windows estate using this bug to then deliver their malware.”
Martin Lee, technical lead at Cisco Talos, said: “Exploits such as this underline how important it is to both securely authenticate users and be in a position to identify unusual network activity.
“Escalation of privilege vulnerabilities continue to be discovered, meaning that we must ensure that lost or stolen credentials cannot be used on their own to authenticate a user to a domain.
“Equally, security teams need to be equipped with the tools that allow the identification and triage of unusual network activity. An unprivileged user uploading a new printer driver to the print server isn’t an everyday occurrence and should raise suspicions.”
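Lee's observation that an unprivileged user adding a printer driver to a server is not an everyday event can be turned into a concrete check. The script below is an added example for this page, not code from Cisco Talos or the article's author; it relies on the Microsoft-Windows-PrintService/Operational log, which records a driver being added or updated as event ID 316 and which is switched off by default, so the script enables it before querying. The seven-day window and the output columns are choices made here, not anything the page specifies.

```powershell
# Added example, not from the article: surface printer-driver add/update events
# (ID 316) from the PrintService operational log on a server that should not
# be receiving new drivers. Run on the server being checked, as an administrator.

$LogName = 'Microsoft-Windows-PrintService/Operational'

# The operational log is disabled by default; nothing is recorded until it is on.
$logConfig = Get-WinEvent -ListLog $LogName
if (-not $logConfig.IsEnabled) {
    Write-Host "Enabling $LogName (no history exists before this point)"
    wevtutil.exe sl $LogName /e:true
}

# Pull driver add/update events from the last 7 days (window is a constructed choice).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 316
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No driver add/update events in the last 7 days."
    return
}

# Resolve the SID on each event to an account name where possible, so a
# non-admin principal installing a driver stands out in the table.
$events | ForEach-Object {
    $who = $null
    if ($_.UserId) {
        try   { $who = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $_.UserId.Value }
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $who
        Message = ($_.Message -replace '\s+', ' ')
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

On a domain controller or file server with no printing role, any row in this output is worth triaging, and the Account column is the first thing to read: driver installation by an ordinary domain user is the pattern Lee describes. Forwarding this log to a central collector, rather than querying it host by host, is the natural next step once it is enabled.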
Code was prematurely revealed
Clumsy GitHub action by an infosec research firm earlier this week saw the exploit code blurted into the public domain – where crafty folk immediately forked it. It’s even still available in Google Search cache, and searching for the CVE number on Twitter (other social media cesspits are available) immediately returns links to the cached version, forks, and more.
The original vuln was credited by Microsoft to three researchers; one each from Tencent and NSFocus Tianji Lab, and one from Poland’s AFINE. This attribution evidently caused some upset at Shenzhen-based infosec firm Sangfor Technologies.
Sangfor was due to present at Black Hat USA on a set of closely related vulns, with its presentation summary on the Black Hat website stating: “We started to explore the inner working of Printer Spooler and discovered some 0-day Bugs in it. Some of them are more powerful than PrintDemon and easier to exploit, and the others can be triggered from remote which could lead to remote code execution.”
Having nicknamed the most severe vuln PrintNightmare, Sangfor also published proof-of-concept code in a GitHub post earlier this week. A day later, somebody evidently had a quiet word about the wisdom of doing so:
We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait for our Blackhat talk. https://t.co/heHeiTCsbQ
— zhiniang peng (@edwardzpeng) June 29, 2021
If you haven’t installed the latest batch of Windows updates on your system, do so now and disable the print spool service on any devices that don’t need it running.
We have asked Microsoft when a fresh patch will be available, and we have also asked Sangfor to comment. ®