Windows Print Spooler exploit

A recent exploit targets the Windows print spooler subsystem, the component that allows Microsoft Windows to print documents. Microsoft were aware of this vulnerability and released a fix back on the 8th June. The fix was classified as CVE-2021-1675 and was labelled a privilege escalation vulnerability. This means that, if exploited, a standard (non-administrative) user would be able to gain access and execute code on the system as Administrator, as long as the system was running the print spooler service, which is started by default on all systems.

On the 21st June, the classification of the fix was raised from a privilege escalation to the more serious remote code execution vulnerability. This higher-severity vulnerability would allow malicious attackers to run code on the device remotely.

Then, on Tuesday 29th June, a proof-of-concept exploit for remote execution of the print spooler vulnerability was uploaded and shared on GitHub by the Shenzhen-based security firm Sangfor Technologies; it was removed several hours later. However, it's been found that people had already taken copies (forks) of this proof-of-concept code and started experimenting with it. It is believed that the people who uploaded the code expected the vulnerability to have been fixed by the recent updates from Microsoft; however, this was not the case.

The unpatched remote execution vulnerability has now, as always these days, been given a name: PrintNightmare. It will more than likely require another update, or several, from Microsoft over the coming weeks.

So, what makes PrintNightmare so dangerous? The simple fact is that it can be exploited by a malicious or compromised user on any system; this user can then execute malicious code at the highest level, SYSTEM, and have it run on a remote system. The worst-case scenario would be malicious code being run on a domain controller within a business, which could open the door to all sorts of treasure for the malicious people gaining a foothold within the business.

As you can imagine, people who run Windows usually print a lot, and as mentioned, the print spooler service starts automatically on all machines to make printing as easy as possible; this includes servers. Therefore, until a fix is released by Microsoft, you should be vigilant and ensure that machines are fully patched and that your antivirus is up to date and scanning in real time.

How to stay safe?

If you have the tooling in place, you should also look to perform regular vulnerability scans to check your systems for weaker points of entry, and you should keep checking your event and system logs. Although this won't resolve the issue itself, it may highlight other areas which need resolving.

You should also look at disabling the print spooler service on all machines that don't need to print, specifically servers and domain controllers. This would help to limit the exposure and the chances of compromise.
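The two pieces of advice above (review your event logs, and disable the spooler on servers and domain controllers that don't print) can be put into one script. The following PowerShell is an added example written for this post, not code from the original article, from Microsoft or from the Lares Labs repository. It assumes an elevated PowerShell session on the machine being checked; the parameter names, the report-only default and the output layout are this example's own choices.

```powershell
# Added example (not from the original post): audit the Print Spooler service,
# optionally stop and disable it on servers and domain controllers, and list
# recent PrintService log entries for review. Run in an elevated session.
# Parameter names and output format are this example's own assumptions.
param(
    [switch]$Disable,    # actually stop and disable the service (default: report only)
    [int]$LogHours = 24  # how far back to look in the PrintService logs
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 2/3 = standalone/member server,
# 4/5 = backup/primary domain controller.
$isDc     = $cs.DomainRole -in @(4, 5)
$isServer = $cs.DomainRole -in @(2, 3, 4, 5)

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Spooler service not present on $($cs.Name)"
    return
}

Write-Output ("Host: {0}  DC: {1}  Server: {2}  Spooler: {3} / {4}" -f
    $cs.Name, $isDc, $isServer, $spooler.Status, $spooler.StartType)

# The post's advice: servers and domain controllers that do not need to print
# should not be running the spooler at all.
if (($isDc -or $isServer) -and $spooler.Status -eq 'Running') {
    Write-Warning "Spooler is running on a server/DC; consider disabling it."
    if ($Disable) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Output "Spooler stopped and set to Disabled on $($cs.Name)"
    }
}

# Log review. The PrintService/Admin log is enabled by default; the
# Operational log (which records driver installs and updates) must be
# enabled first, e.g.:
#   wevtutil set-log Microsoft-Windows-PrintService/Operational /enabled:true
$since = (Get-Date).AddHours(-$LogHours)
foreach ($log in 'Microsoft-Windows-PrintService/Admin',
                 'Microsoft-Windows-PrintService/Operational') {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    if ($events) {
        Write-Output "`n$log (last $LogHours h): $($events.Count) events"
        # Summarise by event ID with one sample message line each, so an
        # unusual burst of driver-related events stands out for review.
        $events | Group-Object Id | Sort-Object Count -Descending |
            Select-Object Count, Name,
                @{ n = 'Sample'; e = { ($_.Group[0].Message -split "`n") | Select-Object -First 1 } } |
            Format-Table -AutoSize
    }
}
```

Run it without arguments first to see the spooler state and a log summary; only add `-Disable` once you are satisfied the machine genuinely never prints, since stopping the spooler also stops any print-server role it is hosting.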

There are also some suggestions on how to limit the exposure from Lares Labs’s GitHub page which can be found here: https://github.com/LaresLLC/CVE-2021-1675

It has been mentioned that this vulnerability, at the time of writing, works on fully patched servers. This exploit could also be picked up by ransomware authors and built into their infections to compromise more systems more easily.