CVE-2021-34527 PrintNightmare

CVE-2021-34527 PrintNightmare

Introduction

Whilst originally thought to be a local privilege escalation vulnerability in the Windows Print Spooler, identified as CVE-2021-1675 and patched during Microsoft's June Patch Tuesday, Microsoft increased the severity of this issue on June 21 as well as reclassifying it as a 'remote code execution' (RCE) threat.

To prevent confusion, this RCE vulnerability has been assigned a new identifier, CVE-2021-34527, as well as the CVSS score of '8.8' rather than being linked to the lower CVSS score of '7.8' assigned to CVE-2021-1675.

Following the release of a fix for the initial issue, a group of security researchers publicly released proof-of-concept (PoC) code for what they thought was the same vulnerability.

As it happens, their PoC was in fact for a different threat that, as of July 3, has not been fixed and would allow an authenticated domain user to remotely escalate and gain SYSTEM privileges on a vulnerable host.

Realizing their mistake, the PoC code was withdrawn although, as is to be expected, it had already been copied and modified leading to multiple examples resurfacing on code sharing repositories as well as undoubtedly falling into the hands of a variety of threat actors.

As such, this vulnerability poses a serious and viable threat to organizations, and individuals, using all currently supported versions of Windows until such time that Microsoft release an update.

Whilst no firm date for a fix has been provided, July's Patch Tuesday is scheduled for July 12.

Given the unfortunate series of events leading up to this issue, the vulnerability has been dubbed 'PrintNightmare'.

Impact

Having been upgraded from a local elevation of privilege vulnerability to a remote code execution (RCE) threat, exploitation requires the threat actor to have access to a domain-connected user account within the target network, be that a malicious insider or compromised account.

Subsequently, a threat actor utilizing their own exploit, or using/modifying the proof-of-concept (PoC) code, with both an executable [1] and Python-based [2] version being available on GitHub, would be able to escalate the privileges of their domain user account and gain SYSTEM privileges on any targeted vulnerable host.

Those looking to exploit this vulnerability would likely perform an initial scan of the victim network, with one PoC suggesting the use of rpcdump.py, a script from SecureAuth's 'Impacket' project [3], to locate hosts responding to the Microsoft Print System Remote Protocol (MS-RPRN).

Having found a vulnerable print server, the threat actor can use an authenticated user account to execute code that calls the RpcAddPrinterDriverEx() function, typically used to install printer drivers, and then presumably load a malicious dynamic link library (DLL) that exploits the vulnerability.

Whilst CVE-2021-1675 also addressed a flaw in this printer driver function, Microsoft state that this vulnerability is 'similar but distinct' as well as having a different attack vector.

Concerningly, Microsoft report that 'all versions of Windows' are affected, across multiple architectures and releases, with the following being explicitly listed:

  • Windows Server 2008 SP2 (32-bit & x64) (including Server Core installation)
  • Windows Server 2008 R2 SP1 (x64) (including Server Core installation)
  • Windows Server 2012 (including Server Core installation)
  • Windows Server 2012 R2 (including Server Core installation)
  • Windows Server 2016 (including Server Core installation)
  • Windows Server 2019 (including Server Core installation)
  • Windows Server, versions 1909, 2004 & 20H2 (Server Core installation)
  • Windows 7 SP1 (32-bit & x64)
  • Windows 8.1 (32-bit & x64)
  • Windows RT 8.1
  • Windows 10 (32-bit & x64)
  • Windows 10, version 1607 (32-bit & x64)
  • Windows 10, versions 1809, 1909, 2004, 20H2 & 21H1 (32-bit, ARM64 & x64)

Although not mentioned, it is likely that unsupported versions of Windows are also vulnerable and these will presumably not be patched by Microsoft.

Also worthy of mention, RCE vulnerabilities are often utilized by big-game hunter ransomware groups, amongst other threat actors, to elevate their privileges after compromising a standard user account.

Chat with an analyst

DetectioN

Event Logs

Exploitation attempts may generate Event Log entries within:

  • Event Viewer>Applications and Services Logs>Microsoft>Windows>PrintService>Admin

Specifically event ID '808', 'The print spooler failed to load a plug-in module', should log the name of any nefarious dynamic-link library (DLL) that attempts to load as part of the exploit process.

Whilst the name of this DLL may differ, and it would be trivial for the threat actor to change it, the following examples have been observed in PoC code:

  • addCube.dll
  • evil.dll
  • main64.dll
  • mimilib.dll
  • MyExploit.dll
  • rev.dll
  • rev2.dll

Spool Folder

Given the use of the use of the RpcAddPrinterDriverEx() function, dynamic-link library (DLL) files delivered during exploitation may be found in the spool folder, %SYSTEMROOT%\spool\drivers\.

As such, this folder should be reviewed and/or monitored to identify potential indicators of compromise.

Spool Service

Monitoring the spool service, spoolsv.exe, may lead to the identification of suspicious executions such as rundll32.exe being spawned to load a malicious DLL and/or Windows utilities being executed as part of some privilege escalation or nefarious information gathering process.

Those using Microsoft 365 Defender, or similar tools, can take advantage of Microsoft’s predefined queries, as shared on GitHub [4], to hunt for these suspicious processes.

Recommendations

  • Where possible, organizations should consider disabling or removing the printer spooler service on vulnerable hosts to prevent exploitation, especially high-value targets such as domain controllers. Note: Disabling this service will prevent both local and remote printing!
  • Microsoft provide details of an alternate workaround within their security update guide [5] that could facilitate local printing by disabling inbound remote printing via Group Policy. Additionally, this article provides details of a mitigation that involves modifications to group memberships, reducing the attack surface, although this measure likely requires a thorough understanding of the consequences.
  • Organizations concerned about potential exploitation should review the 'PrintService-Admin' event log for event ID '808' to identify any prior exploitation attempt.
  • Threat hunting teams should also consider searching for anomalous activity involving the spoolsv.exe process.

References

[1] https://github.com/afwu/PrintNightmare

[2] https://github.com/cube0x0/CVE-2021-1675

[3] https://github.com/SecureAuthCorp/impacket

[4] https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Exploits/Print Spooler RCE

[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527