Researchers have posted Proof of Concept (PoC) code dubbed PrintNightmare used to exploit a Windows Print Spooler service remote code execution (RCE) vulnerability CVE-2021-1675.
Although Microsoft released an update for CVE-2021-1675 last month, researchers were recently able to demonstrate how the PrintNightmare PoC could execute malicious DLL’s remotely or locally on a fully patched 2019 Domain Controller.
Researchers Zhiniang Peng and Xuefeng Li published details on PrintNightmare PoC on GitHub with recent updates on July 1. To test the exploit, users will need to first install Impacket via GitHub and then review the provided Python script ‘CVE-2021-1675.py’ for details.
Users can also leverage Samba to host payloads by modifying /etc/samba/smb.conf to allow anonymous access. Windows servers can also be modified to allow similar anonymouse access by executing a series of file and folder ACL changes, as well as regex changes.
According to a CERT Coordination Center (CERT/CC) alert, Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function. The RpcAddPrinterDriverEx() function is used to install a printer driver on a system.
As a result, a remote authenticated attacker could execute arbitrary code with SYSTEM privileges on a vulnerable Windows system.
Unfortunately, CERT and the researchers confirmed there is no practical solution to the issue. However, system administrators can stop or disable the Print Spooler service until a long term patch is available.