Microsoft patches PrintNightmare vulnerability

Microsoft has patched PrintNightmare, a severe remote code execution (RCE) vulnerability that affects the Windows Print Spooler service and is under active attack in the wild.

Last week, researchers posted proof-of-concept (PoC) code for PrintNightmare that can be used to exploit a Windows Print Spooler service remote code execution (RCE) vulnerability, CVE-2021-1675.

However, Microsoft issued an updated vulnerability identifier, CVE-2021-34527, assigned directly to PrintNightmare, and noted “CVE-2021-1675 is similar but distinct from CVE-2021-34527.”

The PrintNightmare bug exists when the Windows Print Spooler service improperly performs privileged file operations. As a result, an attacker who exploits it could run arbitrary code with SYSTEM privileges. The attacker could then install programs, create new accounts, and view, change, or delete data on affected systems.

Microsoft issued the updated advisory on July 6, 2021 after completing the investigation into PrintNightmare.

Researchers Zhiniang Peng and Xuefeng Li previously published details of a PrintNightmare PoC on GitHub, with recent updates on July 4. To test the exploit, users will need to first install Impacket via GitHub and then review the provided Python script ‘CVE-2021-1675.py’ for details.

Users can also leverage Samba to host payloads by modifying /etc/samba/smb.conf to allow anonymous access. Windows servers can also be modified to allow similar anonymous access by executing a series of file and folder ACL changes, as well as regex changes.

According to a CERT Coordination Center (CERT/CC) alert, Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function. The RpcAddPrinterDriverEx() function is used to install a printer driver on a system.
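
Because RpcAddPrinterDriverEx() is served by the Print Spooler service, a defender can check whether a host exposes it and whether any printer drivers were recently installed. The PowerShell below is an added example, not code from Microsoft, CERT/CC or the PoC authors; the function name `Get-SpoolerExposure` and its `-LookbackDays` parameter are hypothetical, and it assumes the Microsoft-Windows-PrintService/Operational log, which is disabled by default, may or may not be enabled on the host.

```powershell
# Added example (not from the article's sources). Get-SpoolerExposure and
# -LookbackDays are hypothetical names chosen for this sketch.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 7   # assumed review window
    )

    # RpcAddPrinterDriverEx() is served by the Print Spooler service, so a
    # stopped and disabled Spooler removes that entry point on this host.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # Driver installs are logged as event 316, but only if this log is enabled.
    $logName = 'Microsoft-Windows-PrintService/Operational'
    $log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
    $logEnabled = [bool]($log -and $log.IsEnabled)

    $installs = @()
    if ($logEnabled) {
        $filter = @{
            LogName   = $logName
            Id        = 316
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        }
        # "No events found" is a non-terminating error; treat it as an empty result.
        $installs = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SpoolerState     = $svc.State
        SpoolerStartMode = $svc.StartMode
        SpoolerExposed   = ($svc.State -eq 'Running')
        DriverLogEnabled = $logEnabled
        DriverInstalls   = $installs.Count
        LatestInstalls   = $installs | Select-Object -First 5 TimeCreated, Message
    }
}

Get-SpoolerExposure -LookbackDays 7 | Format-List
```

A result with `DriverLogEnabled` set to False means driver installs are not being recorded on that host, so a zero in `DriverInstalls` says nothing about whether any took place.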
