Microsoft is also referring to PrintNightmare as CVE-2021-34527, describing CVE-2021-1675 as a different vulnerability in RpcAddPrinterDriverEx that was patched in the June 8th update. CVE-2021-34527 remains unpatched at this time.
Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370) recently posted details on a new vulnerability affecting the Print Spooler service in Windows, leading to LPE and RCE. They also hinted at more Spooler vulnerabilities coming in this year's BlackHat talk!
The RpcAddPrinterDriver function in the Print Spooler service allows users with certain privileges (SeLoadDriverPrivilege) to add drivers to a remote Print Spooler.
Due to a logic flaw in the Print Spooler service, users without these permissions can still add a driver, which can result in LPE/RCE (execution of any DLL) on the affected machine running the Print Spooler service!
This means that any low-privilege user account in a domain could gain LPE/RCE on the Domain Controller if it was running the Print Spooler service!
When calling RpcAddPrinterDriver we supply a few arguments. The Spooler service will check to validate that pDataFile and pDriverPath are not UNC paths. It DOES allow pConfigFile to be a UNC path. If we set pConfigFile to a malicious DLL file on the network, Spooler will copy the malicious DLL file onto the machine. Calling RpcAddPrinterDriver once again, we can set pDataFile to the malicious DLL we copied in the previous call with the pConfigFile argument, and the driver will be loaded.
There may be a copy conflict during the second call so the exploit implementation may loop through to gather a list of valid drivers, or simply pick the first one in the list to replace.
When exploiting this in customer environments during our red team engagements, I'd personally opt for the C# implementation, since you can use it with CS or other C2 frameworks using the
- SharpPrintNightmare (by cube0x0) ⭐️
- Impacket Implementation (by cube0x0)
- PowerShell Implementation (by @calebjstewart and @_johnhammond)
- Original PoC
Disable the Print Spooler service on any server in your environment that is not a print server or a Domain Controller.
- Reference the full security guidelines for Windows Services here.
- Microsoft Defender for Identity reports a DC with the Print Spooler service enabled as a "High" risk.
CVE-2021-1675 was "patched" in the June 8th updates, but CVE-2021-34527 remains unpatched and the only known mitigation strategy is to:
Disable the Print Spooler Service (either command below)
```
Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
```
Please consider which machine(s) you are disabling Print Spooler on and if you will end up breaking printing in your environment!
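The following PowerShell script is an added example for applying the mitigation above in a controlled way; it is not part of the original post. It reports the Spooler state and whether the host is a domain controller before changing anything, skips hosts flagged as print servers (the `-IsPrintServer` switch is an assumption of this example), and then both stops the service and sets its startup type to Disabled, since `Stop-Service` alone does not survive a reboot. The optional check of the `Microsoft-Windows-PrintService/Operational` log for Event ID 316 (printer driver added or updated) is an assumption about that log's contents; the log is off by default and the query simply returns nothing where it is not enabled.

```powershell
# Added example (not from the original post): audit and disable the Print Spooler.
# -IsPrintServer is an assumed switch for hosts that must keep printing.
param([switch]$IsPrintServer)

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem)
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
        IsDC      = ($role -in 4, 5)
    }
}

function Get-RecentDriverAdds {
    # Assumption: Event ID 316 in the PrintService Operational log records driver adds/updates.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$state = Get-SpoolerState
if (-not $state) { Write-Output 'Spooler service not present'; return }
Write-Output ('Spooler status: {0}, startup: {1}, domain controller: {2}' -f $state.Status, $state.StartType, $state.IsDC)

$adds = Get-RecentDriverAdds
if ($adds) { Write-Output 'Recent driver add/update events:'; $adds | Format-Table -AutoSize }

if ($IsPrintServer) { Write-Output 'Print server: leaving Spooler enabled'; return }

# Stop now and keep it stopped across reboots (same effect as Start=4 in the registry).
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Run it once without `-IsPrintServer` on a test host and confirm `StartType` reads `Disabled` afterwards; for hosts that must print, pass the switch so the script only reports.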
More, more, more!
Here are some other great reads and compilations about the PrintNightmare vulnerability: