A flaw originally believed to be a low-level privilege escalation vulnerability in Windows Print Spooler service is causing alarm across the information security community after further research has found it also leaves domain controllers susceptible to remote code execution.
The vulnerability, dubbed “PrintNightmare,” allows an attacker to inject a malicious dynamic link library into domain controllers with print spooler enabled (the default setting). The flaw doesn’t rate as particularly high on the CVSS scale for severity, clocking in at a base score of 7.8, and was initially rated even lower. Microsoft upgraded it after multiple security teams published further research showing the vulnerability could be used to remotely execute code.
A write up by Claire Tills, a senior research engineer at Tenable, lays out the timeline: on June 21, a team composed of researchers Zhipeng Huo of Tencent Security’s Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab made the initial discovery. Six days later, another team from Chinese security firm QiAnXin posted evidence indicating that they too were able to exploit the vulnerability to achieve remote code execution. After that, a third group of researchers from Sangfor posted a full technical write-up of the attack on GitHub with proof of concept exploit code, which they said they were initially planning to reveal at the Tianfu Cup, an annual international hacking contest held in China.
“We also found this bug before and hope[d] to keep it secret to participate [in] Tianfu Cup,” the researchers wrote. “As there are some people [who have] already published exploit video of CVE-2021-1675, here we publish our writeup and exploit for [the flaw].”
That GitHub post was taken down just hours after it went up, but by then the cat was out of the bag.
“Unfortunately, the GitHub repository was publicly available long enough for others to clone it, Tillis wrote. “The PoC is likely still circulating and is likely to resurface publicly, if it hasn’t already done so.”
There is some confusion about whether the patch does or does not protect against this flaw, since the original Microsoft update in June was designed to address a lower-level local access privileges issue. At least one security researcher told SC Media that patch was not designed to prevent DLL loading attacks like those demonstrated in the research and is still vulnerable to RCE attacks.
A Tenable spokesperson told SC Media that since there has been speculation and debate in the wake of the disclosures about whether the June patch does or does not protect against remote code execution, they are holding off on further comment until Microsoft responds.
David Kennedy, founder and CEO of TrustedSec, told SC Media his company has tested the exploit against a fully patched system with the June updates and it was successful. SC Media has reached out to Microsoft for comment.
Rob Fuller, a long-time security researcher who served as a technical consultant for HBO’s Silicon Valley, tweeted that the vulnerability doesn’t just affect domain controllers but “all servers and endpoints” with print spooler enabled. He expanded on that point in a follow up direct message to SC Media.
“It's remote code execution or local privilege escalation in any Windows system (server or workstation) that is running the Spooler service,” he wrote. “It does require authentication, so if you and I were on the same network you couldn't exploit me without an account, but Active Directory allows any user to authenticate to any other system (even if it doesn't give them access to anything like RDP or file shares). The Spooler service is one such service that everyone has access to, so it's completely valid against any server.”
Fuller said he has not seen other researchers publish exploit code publicly because he is assuming “most people who have figured out the change to get around the patch are ethical and want a new patch to roll out before talking about the details publicly, but it is not a super hard modification.”
Domain controllers are the servers that handle authentication requests and verify user identities. They help determine which users and devices have access to what on a network. It also serves as a gateway to Microsoft’s Active Directory service, which gives IT administrators -- or an attacker -- the ability to manage large parts of the network. Someone who can compromise a domain controller has, as Varonis’ Jeff Peters put it last year, “the box that holds the keys to the kingdom – Active Directory.”
Kennedy said Windows print spooler is broadly used across industry and other sectors.
“I would say the printer spooler service is predominant in almost every organization that we go into, so it’s going to be everybody [that’s potentially affected], for the lack of a better term,” he said.
Until a patch comes out, Kennedy and others are advising organizations to disable the print spooler option completely. Contrary to perceptions, Kennedy said print spooler doesn’t affect management of printing within Active Directory, and turning it off won’t prevent organizations from printing. He also recommended focusing detection efforts on signs of remotely imported dynamic link libraries or indications that the spooler service is spawning Command.exe or PowerShell.exe, another major signs of ongoing unusual or malicious behavior.
In an update July 1, Microsoft said it was aware of the remote code execution vulnerability, assigned it a new CVE number and said they were further investigating. In a section describing the impact of the workaround, the company said disabling spool printer would in fact disable the ability to print locally or remotely. After publication, Donald Marovich, an IT specialist at the Maricopa County Clerk of the Superior Court, confirmed to SC Media that a test they conducted disabling print spooler on 64-bit Windows 10 Enterprise 64 did in fact disable the ability to print.
While the flaw is severe, you’re not likely to see it used indiscriminately, because exploiting the vulnerability doesn’t get your foot in the door of a victim network -- an attacker would need to already be an authenticated user to make use of it. However, it can make an existing breach much worse and dramatically simplifies the attack chain for a threat actor to follow, from phishing to get initial user access to exploiting Print Spooler to executing code on the domain controller and accessing Active Directory.
Because of that, as well as the dissemination of exploit code already floating around on the internet, it could become another tool for speedy lateral movement by criminal hackers.
“We’re going to see this used by adversaries very soon and we’ve seen that historically before in the past with these different organized crime groups like ransomware,” said Kennedy. “So expect ransomware groups to be using this today, tomorrow, very shortly in their campaigns when they go after organizations.”
Note: This story has been updated to include comment from Microsoft and new details about the impact of disabling the Print Spooler.