As a security researcher, I used to search for new exploits and vulnerabilities daily, sometimes more often.
In the past few days, I have been seeing "PrintNightmare" more and more on Twitter and Reddit. That made me curious, and I dug into it further. After some research, I came to know that it is a 0-day bug that was believed to be fully patched but was not.
PrintNightmare was initially described by Microsoft as CVE-2021-1675, a low-severity local privilege escalation (LPE) vulnerability, during the June 8th patch update. But things changed on June 21, when Microsoft raised CVE-2021-1675 to "Critical" because it also leads to Remote Code Execution (RCE) attacks.
An RCE attack happens when an attacker runs code on, and manipulates, a system or server remotely, without any authorization from its owner.
The Print Spooler has a history of such bugs: one was used in "Stuxnet", an ICS malware found in 2010, a dangerous worm that did vast damage to the nuclear plants of Iran and affected more than 45,000 networks.
A proof-of-concept (PoC) for a critical Windows security vulnerability that allows RCE and LPE attacks was released on Twitter by the Chinese security researcher Zhiniang Peng but was taken down later. Soon afterwards the PoC was forked on GitHub and started spreading widely, along with an updated version of the original PoC. You can find a copy of the original PoC here: https://github.com/afwu/PrintNightmare/
The flaw is in RpcAddPrinterDriver, a Print Spooler function that supports remote printing and installs printer drivers. By default, the function allows users holding "SeLoadDriverPrivilege" (Administrators and Print Operators) to add drivers to a remote Print Spooler. If remote adversaries can bypass that authentication check, they can install a malicious driver on the print server. Print drivers can create a big mess because they run with full code execution as SYSTEM.
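As an added defender-side example (not code from the original post or from the PoC it links), the following PowerShell script triages a host against the exposure just described: it reports whether the Print Spooler service is running, whether the host actually shares any printers (the one legitimate reason to keep the spooler reachable), and who sits in the local Print Operators group, since those accounts can add drivers that run as SYSTEM. It assumes an elevated session on a Windows host with the standard Get-Service, Get-Printer and Get-LocalGroupMember cmdlets; the function names are my own.

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# session on the host being checked. Function names are hypothetical; the cmdlets
# used are standard Windows PowerShell cmdlets.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false }
    }

    # Shared printers are the one legitimate reason a host needs to accept
    # remote spooler RPC calls; a workstation with none can have the service off.
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }

    # Members of Print Operators (like Administrators) can add drivers to the
    # spooler, and drivers execute as SYSTEM, so this list deserves review.
    $printOps = @()
    try {
        $printOps = @(Get-LocalGroupMember -Group 'Print Operators' -ErrorAction Stop |
                      Select-Object -ExpandProperty Name)
    } catch {
        # Group may not exist on some editions; report an empty list.
    }

    $advice = if ($svc.Status -eq 'Running' -and $shared.Count -eq 0) {
        'Spooler is running but no printers are shared: stop and disable it'
    } elseif ($svc.Status -eq 'Running') {
        'Host is a print server: keep Spooler, restrict who can add drivers, and patch'
    } else {
        'Spooler is not running'
    }

    [pscustomobject]@{
        Present        = $true
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared.Count
        PrintOperators = $printOps
        Recommendation = $advice
    }
}

function Disable-Spooler {
    # Mitigation for hosts that do not need to print or share printers.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

$report = Get-SpoolerExposure
$report | Format-List

# Uncomment to apply the mitigation when the report recommends it:
# if ($report.Recommendation -like 'Spooler is running but no printers are shared*') { Disable-Spooler }
```

Run the report first and only call Disable-Spooler on hosts that do not need to print; on real print servers the service has to stay up, so the useful controls there are the patch itself and a tight Print Operators membership.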