Microsoft has patched PrintNightmare, a severe remote code execution (RCE) vulnerability that affects the Windows Print Spooler service under active attacks in the wild.
However, Microsoft has since issued a separate advisory, CVE-2021-34527, assigned directly to PrintNightmare, noting that “CVE-2021-1675 is similar but distinct from CVE-2021-34527.”
The PrintNightmare bug arises because the Windows Print Spooler service improperly performs privileged file operations. As a result, an attacker who successfully exploits it could run arbitrary code with SYSTEM privileges and then install programs, create new accounts, and view, change, or delete data on affected systems.
Microsoft issued the updated advisory on July 6, 2021 after completing the investigation into PrintNightmare.
Researchers Zhiniang Peng and Xuefeng Li previously published a PrintNightmare proof-of-concept (PoC) on GitHub, most recently updated on July 4. To test the exploit, users first need to install Impacket from GitHub and then review the provided Python script ‘CVE-2021-1675.py’ for details.
Users can also use Samba to host payloads by modifying /etc/samba/smb.conf to allow anonymous access. Windows servers can likewise be configured to allow anonymous access through a series of file and folder ACL changes, as well as regex changes.
According to a CERT Coordination Center (CERT/CC) alert, the Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which is used to install a printer driver on a system.
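Because the weakness is reachable through the Print Spooler's remote driver-installation path, the practical defender questions on each host are whether the Spooler is running at all, whether it accepts remote client connections, and whether Point and Print policy lets non-administrators install drivers silently. The PowerShell below is an added example written for this article; it is not code from the article, the researchers, or Microsoft. It assumes the standard Windows policy registry locations for the Spooler (`RegisterSpoolerRemoteRpcEndPoint`, where a value of 2 means the "Allow Print Spooler to accept client connections" policy is disabled) and for Point and Print (`NoWarningNoElevationOnInstall`, `UpdatePromptSettings`), and it treats the constructed risk rating as the author's own heuristic rather than an official one.

```powershell
# Added example: assess a host's Print Spooler exposure to driver-install abuse
# and, only when -Mitigate is passed, apply the stop-and-disable workaround.
# Run from an elevated prompt; reading policy keys and stopping services needs admin.
[CmdletBinding()]
param(
    [switch]$Mitigate
)

function Get-SpoolerExposure {
    $svc       = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnpKey    = Join-Path $policyKey 'PointAndPrint'

    # Absent values return $null, which the comparisons below treat as "policy not set".
    $remoteRpc    = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $noWarn       = (Get-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    $updatePrompt = (Get-ItemProperty -Path $pnpKey -Name UpdatePromptSettings -ErrorAction SilentlyContinue).UpdatePromptSettings

    $running = ($svc -and $svc.Status -eq 'Running')
    $remoteDisabled = ($remoteRpc -eq 2)
    # Either Point and Print value set to 1 removes the elevation prompt on driver install.
    $pnpWeak = (($noWarn -eq 1) -or ($updatePrompt -eq 1))

    # Constructed rating (author's heuristic): a running Spooler that still accepts
    # remote connections is the configuration the driver-install path depends on.
    $risk = if (-not $running)        { 'Low: Spooler not running' }
            elseif (-not $remoteDisabled) { 'High: Spooler running and remote connections allowed' }
            elseif ($pnpWeak)         { 'Medium: remote RPC disabled but Point and Print is permissive' }
            else                      { 'Reduced: remote RPC disabled, Point and Print restricted' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType  = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        RemoteRpcDisabled = $remoteDisabled
        PointAndPrintWeak = $pnpWeak
        Risk              = $risk
    }
}

function Disable-SpoolerService {
    # Microsoft's documented workaround: stop the service and keep it from restarting.
    # This breaks local and remote printing on the host until it is re-enabled.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}

$report = Get-SpoolerExposure
$report | Format-List

if ($Mitigate -and $report.SpoolerStatus -eq 'Running') {
    Disable-SpoolerService
}
```

Save the script as, for example, `Check-Spooler.ps1` and run it without arguments to get the read-only report; add `-Mitigate` only on hosts that do not need to print, such as domain controllers and most servers. On print servers, the less disruptive control is the Group Policy that disables inbound remote printing, which is what the `RemoteRpcDisabled` field reports; either way the durable fix is the security update referenced in Microsoft's July 6 advisory.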