This article is more than 1 year old

Leaked print spooler exploit lets Windows users remotely execute code as system on your domain controller

Kill this service immediately

An infosec firm accidentally published a proof-of-concept exploit for a critical Windows print spooler vulnerability that can be abused by rogue users to compromise Active Directory domain controllers.

How this happened is a little messy. Rewind to June 8's Patch Tuesday, and Microsoft issued a fix for CVE-2021-1675, which was labeled a privilege-escalation vulnerability. This security hole could be exploited by a normal user to execute code as an administrator on a system running the print spooler service. Then on June 21, with no explanation, that classification was upped by Microsoft to a more serious remote-code execution vuln.

A group of security researchers, upon seeing that the bug had been upgraded in severity, decided they may as well release their proof-of-concept exploit for a remote-code execution hole in the print spooler service, presumably thinking it was now patched. But it wasn't patched. The exploit code they released targets a bug that's similar to but not quite CVE-2021-1675, and now it's out in the wild for miscreants to use to commandeer networks. That unpatched bug has been dubbed PrintNightmare, and will likely need a separate update from Microsoft to fully address it.

PrintNightmare can be exploited by a malicious or compromised authenticated user to execute code at the SYSTEM level on a remote domain controller via the vulnerable Windows Print Spooler service running on that box. That's bad news. Like CVE-2021-1675, PrintNightmare may affect more than just domain controllers. Any Windows installation running the vulnerable print spooler service may potentially be at risk; domain controllers are a more valuable target, however.

Informed infosec people on Twitter have suggested sysadmins should disable the Windows print spool service as an immediate mitigation for PrintNightmare.

Matthew “Hacker Fantastic” Hickey told The Register: "In my opinion this is the most significant incident to happen to Windows enterprise systems this year and people need to prioritize disabling the print spooler service on domain controllers and mission critical servers to prevent exploitation of this issue.

He told us the exploit works "on a fully patched and updated (as of yesterday) Windows 2019 domain controller," as seen on Hickey's posted screenshot of his test system with "the exploit being used."

He added: "It works from any domain user to exploit any network server using the print spooler service, which is enabled by default on domain controllers.

"Ransomware gangs will be quick to use this in their attacks and previously compromised low-value desktops could be used to take control of the entire Windows estate using this bug to then deliver their malware."

Martin Lee, technical lead at Cisco Talos, said: "Exploits such as this underline how important it is to both securely authenticate users and be in a position to identify unusual network activity.

"Escalation of privilege vulnerabilities continue to be discovered, meaning that we must ensure that lost or stolen credentials cannot be used on their own to authenticate a user to a domain.

"Equally, security teams need to be equipped with the tools that allow the identification and triage of unusual network activity. An unprivileged user uploading a new printer driver to the print server isn't an everyday occurrence and should raise suspicions."

Code was prematurely revealed

Once the proof-of-concept exploit code for PrintNightmare was shared on GitHub by its authors – the Shenzhen-based infosec firm Sangfor Technologies – earlier this week, it was forked and copied by miscreants.

Sangfor was due to present at Black Hat USA a set of closely related vulns, with its presentation summary on the Black Hat website stating: "We started to explore the inner working of Printer Spooler and discovered some 0-day Bugs in it. Some of them are more powerful than PrintDemon and easier to exploit, and the others can be triggered from remote which could lead to remote code execution."

The team took down its code pretty quickly after sharing it. Last time we looked, it was available in the Google Search cache, and searching for the CVE number on Twitter and other social media returns links to the cached version of the code, forks, and more, though.

If you haven't installed the latest batch of Windows updates on your system, do so now and disable the print spool service. Depending on your configuration, the June 8 patch may or may not thwart PrintNightmare; it's not entirely clear, as this Twitter thread by Mimikatz creator Benjamin Delpy demonstrates. Switching off the spool service entirely, and installing the June patches is the best course of action right now.

We have asked Microsoft when a fresh patch will be available, and we have also asked Sangfor to comment. ®

Editor's note: This article was revised after publication to include a timeline of PrintNightmare's disclosure.

More about

TIP US OFF

Send us news


Other stories you might like