PrintNightmare — CVE-2021–1675

Widow
2 min read · Jul 1, 2021

CVE-2021-1675, also known as PrintNightmare, is a Windows Print Spooler elevation of privilege vulnerability. It has a CVSS base score of 7.8 (HIGH) and allows remote code execution in the Windows Print Spooler service (spoolsv.exe). According to the MSRC security bulletin, the vulnerability was reported by Zhipeng Huo, Piotr Madej, and Zhang Yunhai. PrintNightmare can give an attacker full access to a domain controller in the SYSTEM context, because it takes advantage of a default configuration on Domain Controllers (DCs), where the Print Spooler service is enabled out of the box. Using the exploit requires authenticating as a domain user; the vulnerability affects all Windows Server versions from Windows Server 2008 through 2019, as well as Windows 10.

Several PoCs are already available on GitHub that show how to use it, for example afwu/PrintNightmare.

Background

On June 8, 2021, a patch for the vulnerability CVE-2021-1675 (discovered by researchers from Tencent Security, AFINE, and NSFOCUS) was released as part of June 2021 Patch Tuesday. Initially, this was described as a low severity elevation of privilege vulnerability.

On June 21, Microsoft updated this vulnerability to critical severity, stating that there was the potential for remote code execution (RCE).

On June 28, researchers from QiAnXin tweeted a GIF showing a working exploit for CVE-2021-1675 without disclosing any technical details.

On June 29, PoC exploit code for CVE-2021-1675 was uploaded to GitHub by security research firm Sangfor, presumably by mistake, as the code was removed a few hours later. The exploit code was cloned while it was publicly available and is now widely available online. Exploit code for this vulnerability targeting Active Directory domain controllers is referred to as "PrintNightmare".

Exploitation

Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain. A list of Tenable plugins to identify this vulnerability can be found here.

The Microsoft Windows print spooler service (which is enabled by default on all Windows systems) fails to restrict access to the RpcAddPrinterDriverEx() function which is used for installing a printer driver on a system. This can allow a remote, authenticated attacker to execute malicious code with SYSTEM-level privileges on vulnerable systems.
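Because RpcAddPrinterDriverEx() is the path every driver install takes, a defender can watch the spooler's own driver-install event for it. Below is an added triage script (not from the original post or any PoC) that parses Microsoft-Windows-PrintService/Operational Event ID 316 messages and flags driver additions whose file list contains a UNC path or a DLL outside a known baseline. The event ID and message layout are assumed from commonly observed logs, and the log lines and baseline are constructed samples.

```python
"""Triage PrintService/Operational Event 316 ("Printer driver ... was added or updated").

Assumptions: Event ID 316 and the message layout below match commonly observed
Windows 10 / Server 2019 logs; SAMPLE_EVENTS and BASELINE_FILES are constructed.
"""
import re
from dataclasses import dataclass

# Assumed layout of the Event 316 message text.
EVENT_316 = re.compile(
    r"Printer driver (?P<driver>.+?) for (?P<arch>.+?) was added or updated\. "
    r"Files:- (?P<files>.*?)\. No user action is required\."
)

# Constructed baseline of files expected in in-box driver packages (lower-case).
BASELINE_FILES = {"unidrv.dll", "kernelbase.dll", "mxdwdrv.dll", "pscript5.dll", "ps5ui.dll"}

SAMPLE_EVENTS = [  # constructed sample log messages, not real captures
    "Printer driver Microsoft XPS Document Writer v4 for Windows x64 Version-3 was added or updated. "
    "Files:- mxdwdrv.dll, unidrv.dll. No user action is required.",
    "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
    "Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required.",
    "Printer driver 5678 for Windows x64 Version-3 was added or updated. "
    "Files:- \\\\fileserver01\\share\\payload.dll, unidrv.dll. No user action is required.",
]


@dataclass
class Finding:
    driver: str
    unexpected_files: tuple
    reason: str


def parse_event(message):
    """Return (driver_name, [files]) for an Event 316 message, or None if it is not one."""
    m = EVENT_316.search(message)
    if not m:
        return None
    return m.group("driver"), [f.strip() for f in m.group("files").split(",") if f.strip()]


def triage(messages):
    """One Finding per driver install whose files include a UNC path or a non-baseline DLL."""
    findings = []
    for msg in messages:
        parsed = parse_event(msg)
        if not parsed:
            continue
        driver, files = parsed
        unc = [f for f in files if f.startswith("\\\\")]  # driver file pulled from a share
        unknown = [f for f in files if f.lower() not in BASELINE_FILES and f not in unc]
        if unc:
            findings.append(Finding(driver, tuple(unc), "driver file referenced by UNC path"))
        elif unknown:
            findings.append(Finding(driver, tuple(unknown), "driver file outside baseline"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[!] driver {finding.driver!r}: {finding.reason} -> {finding.unexpected_files}")
```

On a domain controller, where no driver installs are expected at all, every Event 316 is worth a look regardless of the heuristic.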

Widow

Just a passionate security- & tech enthusiast