PoC Exploit Released for Unpatched Windows Print Spooler RCE Vulnerability

A critical Windows Print Spooler remote code execution vulnerability has been identified, a Proof of Concept (PoC) exploit for which has been leaked online.

The vulnerability, tracked as CVE-2021-34527 and dubbed PrintNightmare, occurs when the Windows Print Spooler service improperly performs privileged file operations. The flaw can be exploited remotely and would allow an attacker to execute arbitrary code with SYSTEM privileges. Successful exploitation would allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. According to Microsoft, an attack must involve an authenticated user calling RpcAddPrinterDriverEx().

The PoC exploit for the vulnerability was released publicly by the Chinese security firm Sangfor. Under responsible disclosure processes, PoC exploits for vulnerabilities are not publicly released until the affected developer has been notified about a flaw and has time to develop and release a patch to correct the vulnerability. In this case, Sangfor believed that Microsoft had already issued a patch to correct the flaw.

Microsoft had issued a patch to correct a 7.8 severity Windows Print Spooler vulnerability on June 8, 2021; however, that was a different vulnerability tracked as CVE-2021-1675. The patch released by Microsoft does not fully fix the PrintNightmare vulnerability.

“Microsoft has partially addressed this issue in their update for CVE-2021-1675. Microsoft Windows systems that are configured to be domain controllers and those that have Point and Print configured with the NoWarningNoElevationOnInstall option configured are still vulnerable,” said the CERT Coordination Center. With a PoC exploit for PrintNightmare in the public domain and a patch not yet issued, exploitation of the flaw is likely.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert recommending disabling the Windows Print Spooler service in Domain Controllers and systems that do not print to limit the potential for exploitation until such time that Microsoft issues a patch to correct the flaw.

Microsoft has suggested two workarounds: Disabling the Print Spooler service using PowerShell commands or disabling inbound remote printing through Group Policy on all Domain Controllers and Active Directory admin systems. Microsoft has recommended disabling the Print Spooler service on all servers that are not required to print to prevent any future attacks exploiting as of yet unknown vulnerabilities.

On July 2, 2021, 0Patch released a micropatch to fix the flaw until an official patch is released by Microsoft:

“Our patches will be free until Microsoft has issued an official fix. If you want to use them, create a free account at https://t.co/wayCdhpc38, then install®ister 0patch Agent from https://t.co/UMXoQqpLQh. Everything else will happen automatically. No restarts needed.”

UPDATE: Microsoft has released a patch to correct the vulnerability – Further information

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news