On July 3rd, a security researcher known by the nickname cube0x0 tweated that he was able to exploit the MS-PAR protocol (Print System Asynchronous Remote Protocol) too, using the RpcAsyncAddPrinterDriver call which is similar to RpcAddPrinterDriverEx and also allows loading drivers remotely to the target machine.Īlthough both the MS-RPRN and MS-PAR protocols are vulnerable to this exploit, MS-PAR requires less constrains for the exploitation to be successful.
Said driver could, for example, create an administrative account on the victim server, or deploy malware. By manipulating two of the parameters used by RpcAddPrinterDriverEx, a remote unprivileged user could specify their own driver DLL be installed. Unfortunately, RpcAddPrinterDriverEx has a logical bug that allows users who are not part of the Administrators or Print Operators groups to bypass authorization and load drivers to the remote system. This right is granted by default only for members of the Administrators or Print Operators group.
The RCE vulnerability is within the RpcAddPrinterDriverEx call, part of the MS-RPRN protocol (Print System Remote Protocol) and allows remote driver installation by users with the SeLoadDriverPrivilege right.
When a certain non-default configuration is set the patch can be bypassed to gain both RCE and LPE. Then it was discovered that this patch does not provide complete protection either.
Microsoft released an out-of-band security update on July 6th, to address CVE-2021-34527 for some of the Windows versions (2019, 2012 R2, 2008 R2, 2008, 10 of version 1703 and above, 8.1, 7), and on July 8th for the remaining versions as well (2016, 2012, Windows 10 version 1607). Microsoft assigned a new ID of CVE-2021-34527 to the vulnerability on July 1st with the statement that though it was similar to CVE-2021-1675 it was actually another vulnerability in the same Print Spooler API call. This led to it being included in tools like the well-known Mimikatz tool. Although the researchers deleted their PoC from GitHub, it had already been forked and lead to many more public PoCs. The PoC was found to be effective against servers patched with June 2021 updates under certain circumstances, including domain controllers running with default configurations. Unfortunately we now know the vulnerability exploited by the PoC was not, CVE-2021-1675. Then on June 21st, Microsoft changed the classification after it was discovered that the flaw allows (RCE) as well. Initially it was classified as a low severity vulnerability allowing Local Privilege Escalation (LPE). Microsoft addressed a Print Spooler vulnerability assigned with CVE-2021-1675 as part of the June 2021 security updates. There are questions as to how this happened. They went on to share their findings on the vulnerability, indicating that it was CVE-2021-1675.
Supposedly after revealing the vulnerability details to Microsoft nearly a year ago and believing it had since been resolved, security researchers Zhipeng Huo, Piotr Madej and Yunhai Zhang, decided to publish their work, including a proof-of-concept (PoC). It took Microsoft about 10 days to release security patches for all Windows versions against this vulnerability and these patches are effective under certain circumstances which I will cover later. Since this vulnerability essentially enables any user/person on the internal network to fully compromise the domain by exploiting a domain controller, it has rapidly escalated to critical status, and requires an immediate response from organizations. A service that is enabled by default on all Windows machines, a Remote Code Execution (RCE) vulnerability capable of being used to attack any Server or Workstation with the Print Spooler service enabled. “PrintNightmare” is a recently discovered vulnerability in the Print Spooler Windows service.