A proof-of-concept for a critical Windows security vulnerability that allows remote code execution (RCE) was dropped on GitHub on Tuesday – and while it was taken back down within a few hours, the code was copied and is still out there circulating on the platform.
The bug (CVE-2021-1675) exists in the Windows Print Spooler and has been dubbed “PrintNightmare” by researchers. It was originally addressed in June’s Patch Tuesday updates from Microsoft as a minor elevation-of-privilege vulnerability, but the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE. The patch, according to many, appears to fail against the RCE aspect of the bug.
“There are 40 entries in Microsoft’s list of affected products, from Windows 7 to Windows 10 and from Server 2008 to Server 2019,” Dirk Schrader, global vice president of security research at New Net Technologies (NNT), now part of Netwrix, told Threatpost. “Given this broad surface, it is likely that this vulnerability will become an element in the tool chain of current malware families.”
On Sunday, the QiAnXin security team tweeted a video showing successful RCE – but it held back any technical or PoC details. Two days later, though, a full-blown PoC with a complete technical analysis appeared on GitHub, authored by another security firm, Sangfor.
Claire Tills, senior security engineer with Tenable, which spotted the PoC posting, noted that “the GitHub repository was publicly available long enough for others to clone it. The PoC is likely still circulating and is likely to resurface publicly, if it hasn’t already done so.”
And indeed, according to one security practitioner, the code was successfully forked to another page.
Looks like the original PoC for PrintNightmare (CVE-2021-1675) got deleted but someone has forked it since https://t.co/8MiP62SlzC
— Andy Gill (@ZephrFish) June 29, 2021
Impacket implementation of CVE-2021-1675 🔥https://t.co/UpKOueij4c
— Cube0x0 (@cube0x0) June 29, 2021
It should be noted that some sources are also saying that the existing Microsoft patch doesn’t remedy the RCE version. Cube0x0’a impacket implementation above for instance works on a fully patched Windows machine, the authors said.
“We’re still evaluating the efficacy of the patch ourselves, but there are multiple reports indicating the proof-of-concept code works against fully patched systems,” Dustin Childs, of Trend Micro’s Zero Day Initiative, told Threatpost. “This does indicate the patch released in June does not completely address the root cause of the bug. Either way, enterprises should treat this as an incomplete fix and implement other workarounds, such as disabling the print spooler and blocking TCP ports 135 and 445 at the perimeter.”
He made note of Microsoft’s CVE nomenclature too: “It’s curious that the CVE here is -1675 while most of the CVEs Microsoft patched in June are -31000 and higher. This could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial.”
Ryan Garbars, application security engineer at Automox, told Threatpost that his team was working on replicating the exploit on a patched machine.
“Numerous sources state that the PrintNightmare vulnerability is not CVE-2021-1675, indicating that the most recent Windows patch will not protect against the vulnerability,” he said. “To make sure that their environment is secure from this vulnerability users should disable the Spooler service within their environment, if possible.”
Rapid7 researchers meanwhile noted that they “have confirmed that public exploits work against fully patched Windows Server 2019 installations.”
PrintNightmare: Full Remote Takeover
Successful exploitation of CVE-2021-1675 could open the door to complete system takeover by remote adversaries. However, to achieve that requires a targeted user to be authenticated to the Spooler service.
“This vulnerability can provide full domain access to a domain controller under a SYSTEM context,” Marius Sandbu, guild lead for public cloud at TietoEVRY, added in a Wednesday writeup, “To be able to use this exploit it requires that you authenticate as a domain user.”
Tenable’s Tillis added, “Based on the information available, an attacker with a low-level user account could exploit this vulnerability…and pivot to other areas of the target network. The low-level account could be obtained via an additional vulnerability or even a phishing attack.”
“The PrintNightmare vulnerability can be utilized to perform local privilege escalation and remote code execution within Windows environments through the Spooler service by exploiting the RpcAddPrinterDriver call, allowing for an arbitrary DLL to be loaded on the remote system, or as an escalated user,” Automox’ Garber told Threatpost. “To exploit the remote code-execution portion of the vulnerability, it is required to have a user authenticate to the Spooler service on the target system. Considering it is common to have the Spooler service enabled on most Windows systems in a standard domain environment, this vulnerability is very dangerous and can allow an attacker to easily gain remote code execution through the Windows environment with a single set of credentials.”
Microsoft updated its advisory to note the potential for RCE, but didn’t update the CVSS rating, despite noting that exploitation would require “low complexity.” For their part, researchers are treating PrintNightmare as having “critical” status.
“It’s interesting to note Microsoft did not change the CVSS rating when they revised their advisory to indicate this could lead to remote code execution,” Childs said, adding that the bug is now “quite severe.” He added, “I would treat this as a critical-rated bug.”
“Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain,” Tillis noted.
The team at Sangfor (researchers Zhiniang Peng and Xuefeng Li) said in their GitHub posting (the copied version is here) that in the domain controller (DC) environment, the Print Spooler service is normally enabled, so the compromise of any DC user could likely result in RCE.
More Print Spooler Bugs and Exploits Coming Soon
They also claimed to have found “more hidden bombs” in Print Spooler, which they plan to unveil at Black Hat in August.
“Windows Print Spooler has a long history of vulnerabilities and its ubiquity can allow for serious impact on targets,” Tillis noted in the Tenable writeup on Tuesday. “Most notably, Print Spooler vulnerabilities were tied to the Stuxnet attacks over a decade ago. More recently, CVE-2020-1337 was a zero-day in print spooler disclosed at last year’s Black Hat and DEF CON events, which happened to be a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.”
“Since the proof-of-concept code has leaked online in various locations, expect this but to be wrapped up into active exploits soon,” Childs said. “This threat will likely increase after Black Hat when researchers present their findings on the bugs.”
The patch may not be completely effective, but there are mitigations, such as taking Print Spooler offline. And, “it should be noted that most endpoints will be safe from this attack with the built-in Windows Firewall default rules,” Sandbu said.
Schrader added that users should regularly check for system integrity and control changes.
“As the vulnerability gives an attacker full control related to confidentiality, integrity and availability, users should also be cautious about their sensitive data,” he said.
This article was updated at 3 p.m. ET on June 30 with additional input from security researchers.