PoC Exploit Circulating for Critical Windows Print Spooler Bug

A proof-of-concept for a critical Windows security vulnerability that allows remote code execution (RCE) was dropped on GitHub on Tuesday – and while it was taken back down within a few hours, the code was copied and is still out there circulating on the platform.

The bug (CVE-2021-1675) exists in the Windows Print Spooler and has been dubbed “PrintNightmare” by researchers. It was originally addressed in June’s Patch Tuesday updates from Microsoft as a minor elevation-of-privilege vulnerability, but the listing was updated last week to “critical” status after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.

On Sunday, the QiAnXin security team tweeted a video showing successful RCE – but it held back any technical or PoC details. Two days later, though, a full-blown PoC with a complete technical analysis appeared on GitHub, authored by another security firm, Sangfor.

Claire Tills, senior security engineer with Tenable, which spotted the PoC posting, noted that “the GitHub repository was publicly available long enough for others to clone it. The PoC is likely still circulating and is likely to resurface publicly, if it hasn’t already done so.”

And indeed, according to one security practitioner, the code was successfully forked to another page.

Looks like the original PoC for PrintNightmare (CVE-2021-1675) got deleted but someone has forked it since https://t.co/8MiP62SlzC

— Andy Gill (@ZephrFish) June 29, 2021

On Wednesday, other researchers tweeted videos and more analysis that could be used for successful exploitation as word spread of the PoC.

Impacket implementation of CVE-2021-1675 🔥https://t.co/UpKOueij4c

— Cube0x0 (@cube0x0) June 29, 2021

PrintNightmare: Full Remote Takeover

Successful exploitation of CVE-2021-1675 could open the door to complete system takeover by remote adversaries. However, to achieve that requires a targeted user to be authenticated to the spooler service.

“This vulnerability can provide full domain access to a domain controller under a SYSTEM context,” said Marius Sandbu, guild lead for public cloud at TietoEVRY, in a Wednesday writeup. “To be able to use this exploit it requires that you authenticate as a domain user.”

Tenable’s Tillis added, “Based on the information available, an attacker with a low-level user account could exploit this vulnerability…and pivot to other areas of the target network. The low-level account could be obtained via an additional vulnerability or even a phishing attack.”

“Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain,” Tillis noted.

The team at Sangfor (researchers Zhiniang Peng and Xuefeng Li) said in their GitHub posting (the copied version is here) that in the Domain Controller (DC) environment, the Print Spooler service is normally enabled, so the compromise of any DC user could likely result in RCE.

It should be noted that some sources are also saying that the existing Microsoft patch doesn’t remedy the RCE version. Cube0x0’a impacket implementation works on a fully patched Windows machine, the authors said. Threatpost has reached out for insights to security researchers and will update this post accordingly.

“It should be noted that most endpoints will be safe from this attack with the built-in Windows Firewall default rules,” Sandbu said.

More Print Spooler Bugs and Exploits Coming Soon

They also claimed to have found “more hidden bombs” in Print Spooler, which they plan to unveil at Black Hat in August.

“Windows Print Spooler has a long history of vulnerabilities and its ubiquity can allow for serious impact on targets,” Tillis noted in the Tenable writeup on Tuesday. “Most notably, Print Spooler vulnerabilities were tied to the Stuxnet attacks over a decade ago. More recently, CVE-2020-1337 was a zero-day in print spooler disclosed at last year’s Black Hat and DEF CON events, which happened to be a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.”

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!