Researchers Briefly Posted PoC for Windows Print Spooler RCE Flaw

File this under “Oops” (or maybe a stronger language equivalent) – for a brief period of time last month researchers at Sangfor published on GitHub a proof of concept (PoC) for a remote code execution (RCE) vulnerability affecting Windows Print Spooler.

Fortunately, Microsoft released a patch for CVE-2021-1675 as part of its June 8, 2021 Patch Tuesday. But given the poor patching habits that abound and the fact that, according to CERT Coordination Center Vulnerability Analyst Will Dormann, Microsoft’s update does not “address the public exploits that also identify as CVE-2021-1675,” the vulnerability poses a global threat. That explains the likely cursing when Sangfor’s researchers inadvertently published the PoC code, which they had planned to publicly review at the upcoming Black Hat conference in Las Vegas.

Microsoft warned when it released the patch that attackers could either exploit “the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH)” or rely on “user interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).”

Dormann said if users have the Print Spooler service enabled, “any remote authenticated user can execute code as SYSTEM on the domain controller.”

Indeed, “details about this vulnerability continue to emerge. After being originally documented as an elevation of privilege (EoP) vulnerability, research now suggests that it can also enable remote code execution (RCE),” said Adam Cook, cyber threat intelligence analyst at Digital Shadows. “This increases the severity of the vulnerability, as an attacker can use it to both gain remote access and take control of the Active Directory.”

Sangfor principal security researcher Zhiniang Peng took to Twitter to say the company deleted the PoC of the vulnerability it dubbed “PrintNightmare.”

That’s cold comfort, though, since the damage might already be done. “The PoC exploit that was published accidentally was cloned before its removal from GitHub,” Cook explained. “This makes it highly likely that the exploit will be made available elsewhere and that threat actors will attempt to exploit the vulnerability in the short-term future, [within the] next one to three months.”

Because the Windows Print Spooler service runs by default on Windows domain controllers, Cook said “any Windows devices with the Print Spooler service enabled are at risk of compromise” and a successful exploitation “would enable attackers to take control of the entire Active Directory on the target network.”

Andrew Barratt, managing principal, solutions and investigations, at Coalfire, also pointed out the glaring problem with “the print spool software exist[ing] on practically every Windows box in the wild” that hasn’t been well-hardened. “The interesting issue with this print spool vulnerability is that it gives a huge attack surface for criminals to go after,” he said.

“The other challenge is that whilst printing is not necessarily a digital transformation de rigueur, it exists practically everywhere,” Barratt said. “The old days of on-premises servers were usually known by the ‘file and print’ moniker, so ubiquitous were the two. So, there will be an urgency to get this resolved, not least of which because there will almost certainly be adversarial paths that lead to this being leveraged as part of wider, more sophisticated intrusions.”

Other security pros agree that there will be wider implications. “There are 40 entries in Microsoft’s list of affected products, from Windows 7 to Windows 10 and from Server 2008 to Server 2019,” said Dirk Schrader, global vice president, security research, New Net Technologies, who noted that, given that broad surface, it’s likely the Print Spooler flaw will find itself part of the tool chain used by current malware families.

“Its vulnerability vectors state a low complexity with no privileges required, however, user interaction is needed and works locally,” said Schrader. “Therefore, being chained into the sequence of a malware attack is likely a good use from an attacker’s perspective.”

Dormann urged users in a tweet to “Stop and disable the service on any DC now!”

If that’s not viable, Cook said, other available fixes “include running a PowerShell script to restrict access control lists (ACLs), as documented by researchers at Truesec,” to “prevent compromised accounts with elevated privileges from modifying driver directories.”
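The two mitigations above (disable the Spooler service on domain controllers, or restrict ACLs on the driver directory where printing must stay up) as an added PowerShell example; this is not the Truesec script or anything from the article. It assumes the spool driver directory is `%SystemRoot%\System32\spool\drivers` and models “restricting ACLs” as a Deny-Modify rule for SYSTEM on that directory; the function and switch names are hypothetical.

```powershell
# Added example, not from the article. Audit and, with -Enforce, apply the
# Print Spooler mitigations discussed above. Run from an elevated prompt.
# Assumptions (not stated in the article): driver directory path below, and
# "restrict ACLs" modelled as a Deny-Modify ACE for SYSTEM on that directory.

function Invoke-SpoolerMitigation {
    [CmdletBinding()]
    param(
        [switch]$Enforce,            # default is audit-only
        [switch]$RestrictAclInstead  # when stopping the service is not viable
    )

    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    if ($null -eq $svc) {
        Write-Output 'Spooler service not present; nothing to do.'
        return
    }
    Write-Output ('Domain controller: {0}; Spooler status: {1}; start type: {2}' -f `
        $isDc, $svc.Status, $svc.StartType)

    if (-not $Enforce) {
        if ($svc.Status -eq 'Running') {
            Write-Warning 'Spooler is running; rerun with -Enforce to mitigate.'
        }
        return
    }

    if (-not $RestrictAclInstead) {
        # Preferred mitigation for DCs: stop the service and keep it from restarting.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Output 'Spooler stopped and disabled.'
        return
    }

    # Fallback: deny SYSTEM modify rights on the driver directory (assumed path)
    # so a compromised privileged context cannot write new driver files there.
    $path     = Join-Path $env:SystemRoot 'System32\spool\drivers'
    $acl      = Get-Acl -Path $path
    $ruleArgs = @('NT AUTHORITY\SYSTEM', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $rule     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Deny-Modify ACE for SYSTEM applied to $path; remove it again before installing drivers or patches."
}
```

Run `Invoke-SpoolerMitigation` first to see the host's role and service state, then `Invoke-SpoolerMitigation -Enforce` (optionally with `-RestrictAclInstead`) to apply the chosen mitigation.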


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
