A series of unfortunate events
Proof-of-concept (PoC) exploit code has been accidentally released for a previously-unknown bug in the Microsoft Windows Print Spooler.
Researchers from Sangfor, a Chinese technology company, are due to present a paper at Black Hat USA on August 4 exploring local privilege escalation (LPE) and remote code execution (RCE) vulnerabilities in Windows Printer based on prior research into the ancient PrintDemon bug, resolved in 2020.
“Although security researchers in the industry have been looking for bugs in Spooler for more than a decade, this year, security researchers at Sangfor discovered multiple zero-day vulnerabilities in Spooler,” the company said.
One of the vulnerabilities due to be discussed, tracked as CVE-2021-1675 and issued with a CVSS score of 7.8, is a critical Print Spooler bug that was included in Microsoft’s latest Patch Tuesday, published on June 8.
On June 21, Microsoft revised its previous assessment that the vulnerability was only a privilege escalation issue, upgrading it to an RCE. Credit for finding the issue was given to researchers from Tencent Security Xuanwu Lab, AFINE, and NSFOCUS TIANJI Lab.
On June 27, Chinese cybersecurity firm QiAnXin published a video demonstrating both LPE and RCE.
As the vulnerability had been publicly upgraded to an RCE and a patch had been issued, Sangfor security researcher Zhiniang Peng then tweeted a link to Sangfor’s own PoC code and a technical write-up for the bug ahead of their Black Hat presentation.
However, it appears the vulnerability the PoC relates to – now dubbed “PrintNightmare” – is actually a zero-day that is yet to be patched by Microsoft, and not the vulnerability demoed in QiAnXin’s video.
After the code was uploaded to GitHub, the researchers quickly realized their mistake and pulled the PoC, but it was already too late – the exploit had been cloned, forked, and cached.
“We deleted the PoC of PrintNightmare,” Peng commented on Twitter. “To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service.”
The vulnerability is in the RpcAddPrinterDriver call function of the spooler. If a malicious driver is loaded in a vulnerable server, this can grant attackers system-level privileges as long as they can authenticate to the service.
Rapid7 researchers have confirmed that the public exploits work against fully patched Windows Server 2019 builds.
“The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core,” Rapid7 says. “Therefore, it is expected that in the vast majority of enterprise environments, all domain controllers, even those that are fully patched, are vulnerable to remote code execution by authenticated attackers.”
Analysis is ongoing.
It is likely that Microsoft will need to address the RCE element of the vulnerability separately, potentially in an out-of-band patch. Until then, CERT/CC recommends that the Print Spooler service is stopped and disabled.
CISA has also issued an alert.
The Daily Swig has reached out to Microsoft with additional queries and we will update when we hear back.