The PrintNightmare

As a security researcher, I used to search for new exploits and vulnerabilities daily or more often.

In the past few days, I have been seeing “PrintNightmare” more and more often on Twitter and Reddit. That made me curious, and I started digging into it. After some research, I came to know that it is a 0-day bug that was mistakenly believed to be fully patched, but is not.

PrintNightmare was initially described by Microsoft as CVE-2021-1675, a low-severity local privilege escalation (LPE) vulnerability, in the June 8th patch update. But things changed on June 21, when Microsoft raised CVE-2021-1675 to “Critical” because it can lead to Remote Code Execution (RCE) attacks.

An RCE attack happens when an attacker can run code on and manipulate a system or server from a remote location, without authorization from its owner.

The Print Spooler has a history of bugs: a spooler flaw was used by “Stuxnet”, an ICS malware found in 2010, a dangerous worm that caused vast damage to the nuclear plants of Iran and affected more than 45000 networks.

A proof-of-concept (PoC) for this critical Windows security vulnerability, which allows both RCE and LPE attacks, was released on Twitter by the Chinese security researcher Zhiniang Peng but was taken down later. By then the PoC had already been forked on GitHub and started spreading widely, along with updated versions of the original PoC. You can find a copy of the original PoC here – https://github.com/afwu/PrintNightmare/

The flaw is in RpcAddPrinterDriver, a Print Spooler function that supports remote printing and installs drivers. If remote adversaries can bypass the authentication of RpcAddPrinterDriver, this can lead to the installation of a malicious driver on the print server. Print drivers can create a big mess because they get full code execution as SYSTEM. By default, the function allows users holding “SeLoadDriverPrivilege” (administrators and Print Operators) to add drivers to a remote Print Spooler.

PrintNightmare affects Windows 7 through Windows 10 and Server 2008 through Server 2019. The most dangerous aspect is that it can affect Active Directory domain controllers, because the Print Spooler is enabled on them by default. Domain controller takeovers are a real nightmare for organizations, as they put business-critical data at risk and carry a heavy financial cost.

Hacker Fantastic posted a tweet showing a fully patched Windows 2019 Domain Controller being exploited easily through CVE-2021-1675 from a regular domain user account, which is scary. This could also lead to ransomware attacks, which are widely happening in recent times. At first, PrintNightmare was tracked as CVE-2021-1675, but after the severity change it was assigned the new identifier CVE-2021-34527.

PrintNightmare has also been added to WinPwn, an automation toolkit for internal Windows penetration testing.

Temporary mitigation for PrintNightmare (CVE-2021-1675):

  • Update/patch your systems to the most recent version right away.
  • Disable the Print Spooler service on systems and servers that do not need it.
  • Create a Deny rule on the driver directory and all its subdirectories, which prevents the SYSTEM account from modifying its contents.
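Here is a small PowerShell script, added as an example and not taken from the original post or any of the tools mentioned, that audits a host for the last two mitigations and applies them on request. It assumes the default driver directory under `%SystemRoot%\System32\spool\drivers` (a Windows default, not stated in the post) and that you run it from an elevated shell.

```powershell
# Added example: audit/apply the Print Spooler mitigations listed above.
# Run as an administrator. -DisableSpooler and -DenySystemWrite are only
# meant for hosts where printing is not required.
[CmdletBinding()]
param(
    [switch]$DisableSpooler,
    [switch]$DenySystemWrite,
    # Assumed default path of the spooler driver directory.
    [string]$DriverDir = "$env:SystemRoot\System32\spool\drivers"
)

# 1. Report the current Print Spooler state (status and start type).
$spooler = Get-Service -Name Spooler -ErrorAction Stop
Write-Host ("Spooler: status={0} startType={1}" -f $spooler.Status, $spooler.StartType)

# 2. Check whether SYSTEM is already denied write access to the driver directory.
$acl = Get-Acl -Path $DriverDir
$existingDeny = $acl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
    $_.AccessControlType -eq 'Deny'
}
if ($existingDeny) {
    Write-Host "Deny rule for SYSTEM already present on $DriverDir"
} else {
    Write-Host "No Deny rule for SYSTEM on $DriverDir (spooler can still write drivers there)"
}

# 3. Mitigation: stop and disable the spooler so its RPC interface is unreachable.
if ($DisableSpooler -and $spooler.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host "Spooler stopped and disabled"
}

# 4. Mitigation: deny SYSTEM the Modify right on the driver directory, inherited by
#    all subdirectories and files, so the spooler (running as SYSTEM) cannot drop
#    new driver files. Reversible by removing the rule and calling Set-Acl again.
if ($DenySystemWrite -and -not $existingDeny) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM',
        'Modify',
        'ContainerInherit, ObjectInherit',
        'None',
        'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $DriverDir -AclObject $acl
    Write-Host "Applied Deny(Modify) for SYSTEM on $DriverDir"
}
```

Run it without switches first to see the host's current state; note that the Deny rule also breaks legitimate driver installation until it is removed.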