

Whilst originally thought to be a local privilege escalation vulnerability in the Windows Print Spooler, identified as CVE-2021-1675 and patched during Microsoft’s June Patch Tuesday, Microsoft increased the severity of this issue on June 21 as well as reclassifying it as a ‘remote code execution’ (RCE) threat.
To prevent confusion, this RCE vulnerability has been assigned a new identifier, CVE-2021-34527, as well as the CVSS score of ‘8.8’ rather than being linked to the lower CVSS score of ‘7.8’ assigned to CVE-2021-1675.
Following the release of a fix for the initial issue, a group of security researchers publicly released proof-of-concept (PoC) code for what they thought was the same vulnerability.
As it happens, their PoC was in fact for a different threat that, as of July 3, has not been fixed and would allow an authenticated domain user to remotely escalate and gain SYSTEM privileges on a vulnerable host.
Realizing their mistake, the researchers withdrew the PoC code although, as is to be expected, it had already been copied and modified, leading to multiple examples resurfacing on code-sharing repositories and, undoubtedly, falling into the hands of a variety of threat actors.
As such, this vulnerability poses a serious and viable threat to organizations and individuals using all currently supported versions of Windows until Microsoft releases an update.
Whilst no firm date for a fix has been provided, July’s Patch Tuesday is scheduled for July 12.
Given the unfortunate series of events leading up to this issue, the vulnerability has been dubbed ‘PrintNightmare’.
Although the issue has been upgraded from a local elevation-of-privilege vulnerability to a remote code execution (RCE) threat, exploitation still requires the threat actor to have access to a domain-connected user account within the target network, whether through a malicious insider or a compromised account.
Subsequently, a threat actor utilizing their own exploit, or using/modifying the proof-of-concept (PoC) code, with both an executable [1] and Python-based [2] version being available on GitHub, would be able to escalate the privileges of their domain user account and gain SYSTEM privileges on any targeted vulnerable host.
Those looking to exploit this vulnerability would likely perform an initial scan of the victim network, with one PoC suggesting the use of rpcdump.py, a script from SecureAuth’s ‘Impacket’ project [3], to locate hosts responding to the Microsoft Print System Remote Protocol (MS-RPRN).
Having found a vulnerable print server, the threat actor can use an authenticated user account to execute code that calls the RpcAddPrinterDriverEx() function, typically used to install printer drivers, and then presumably load a malicious dynamic link library (DLL) that exploits the vulnerability.
Whilst CVE-2021-1675 also addressed a flaw in this printer driver function, Microsoft state that this vulnerability is ‘similar but distinct’ as well as having a different attack vector.
Concerningly, Microsoft report that ‘all versions of Windows’ are affected, across multiple architectures and releases, with the following being explicitly listed:
Although not mentioned, it is likely that unsupported versions of Windows are also vulnerable and these will presumably not be patched by Microsoft.
Also worthy of mention, RCE vulnerabilities are often utilized by big-game hunter ransomware groups, amongst other threat actors, to elevate their privileges after compromising a standard user account.
Exploitation attempts may generate Event Log entries within Event Viewer > Applications and Services Logs > Microsoft > Windows > PrintService > Admin.
Specifically, event ID ‘808’, ‘The print spooler failed to load a plug-in module’, should log the name of any nefarious dynamic-link library (DLL) that attempts to load as part of the exploit process.
Whilst the name of this DLL may differ, and it would be trivial for the threat actor to change it, the following examples have been observed in PoC code:
addCube.dll
evil.dll
main64.dll
mimilib.dll
MyExploit.dll
rev.dll
rev2.dll
Given the use of the RpcAddPrinterDriverEx() function, dynamic-link library (DLL) files delivered during exploitation may be found in the spool drivers folder, %SYSTEMROOT%\spool\drivers.
As such, this folder should be reviewed and/or monitored to identify potential indicators of compromise.
Monitoring the spool service, spoolsv.exe, may lead to the identification of suspicious executions such as rundll32.exe being spawned to load a malicious DLL and/or Windows utilities being executed as part of some privilege escalation or nefarious information gathering process.
Those using Microsoft 365 Defender, or similar tools, can take advantage of Microsoft’s predefined queries, as shared on GitHub [4], to hunt for these suspicious processes.
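As an added example, not part of the original advisory and not Microsoft’s published queries, the following PowerShell script turns the three detection points above (event ID 808 in the PrintService/Admin log, recently written DLLs in the spool drivers folder, and child processes of spoolsv.exe) into checks a defender can run on a print server. It assumes the standard driver store location %SystemRoot%\System32\spool\drivers and an elevated PowerShell session; the function names and the list of ‘suspicious’ child process names are this example’s own choices, and the DLL names it flags are the PoC names listed above.

```powershell
# Added example (not from the original advisory): defender-side triage for the
# PrintNightmare indicators described above. Run in an elevated PowerShell on a
# Windows print server. Function names are the example author's own.

# 1. Event ID 808 in Microsoft-Windows-PrintService/Admin ("The print spooler
#    failed to load a plug-in module ...") names the DLL the spooler tried to load.
#    The Admin channel is enabled by default, unlike PrintService/Operational.
function Get-PrintSpoolerPluginFailures {
    param([int]$Days = 30, [int]$MaxEvents = 500)
    # Names seen in public PoC code, taken from the advisory text above.
    $pocNames = @('addCube.dll','evil.dll','main64.dll','mimilib.dll','MyExploit.dll','rev.dll','rev2.dll')
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 808
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no findings".
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the module path out of the message text; fall back to the first
        # event property if the message wording differs on this build.
        $m = [regex]::Match($e.Message, 'plug-in module\s+(.+?\.dll)', 'IgnoreCase')
        $module = if ($m.Success) { $m.Groups[1].Value }
                  elseif ($e.Properties.Count -gt 0) { [string]$e.Properties[0].Value }
                  else { $null }
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            Module       = $module
            KnownPocName = [bool]($module -and ((Split-Path -Leaf $module) -in $pocNames))
        }
    }
}

# 2. Drivers delivered via RpcAddPrinterDriverEx land under the spool drivers
#    folder (assumed here to be %SystemRoot%\System32\spool\drivers). Recently
#    written or unsigned DLLs there deserve a closer look; vendor printer drivers
#    are normally Authenticode-signed. The SHA256 is included for IoC sharing.
function Get-RecentSpoolDriverDlls {
    param([int]$Days = 7)
    $root  = Join-Path $env:SystemRoot 'System32\spool\drivers'
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                Signature     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer        = $sig.SignerCertificate.Subject
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 3. spoolsv.exe normally has few children (e.g. PrintIsolationHost.exe); rundll32.exe
#    or a shell with spoolsv.exe as parent is the behaviour the advisory says to hunt
#    for. This is a point-in-time CIM snapshot; apply the same parent/child logic to
#    Security 4688 or Sysmon event 1 records for historic coverage.
function Get-SpoolsvChildProcesses {
    $all = Get-CimInstance -ClassName Win32_Process
    $spoolerPids = @($all | Where-Object Name -eq 'spoolsv.exe' | Select-Object -ExpandProperty ProcessId)
    if ($spoolerPids.Count -eq 0) { return }
    # Example's own watch-list of living-off-the-land binaries; extend as needed.
    $suspicious = @('rundll32.exe','cmd.exe','powershell.exe','pwsh.exe','regsvr32.exe','mshta.exe','wscript.exe','cscript.exe')
    $all | Where-Object { $_.ParentProcessId -in $spoolerPids } | ForEach-Object {
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Name        = $_.Name
            CommandLine = $_.CommandLine
            Suspicious  = ($_.Name -in $suspicious)
        }
    }
}

# Run all three checks and print the results.
Write-Host '== PrintService/Admin event 808 (plug-in load failures) =='
Get-PrintSpoolerPluginFailures | Format-Table -AutoSize
Write-Host '== Recently written DLLs under the spool drivers folder =='
Get-RecentSpoolDriverDlls | Format-Table Path, LastWriteTime, Signature, Signer -AutoSize
Write-Host '== Current child processes of spoolsv.exe =='
Get-SpoolsvChildProcesses | Format-Table -AutoSize
```

A hit in the first check is the strongest signal, since the spooler itself records the module it tried to load; treat an unsigned or freshly written DLL from the second check as a file to hash and retain before the driver store is cleaned up, and review any ‘Suspicious = True’ row from the third check together with the Security or Sysmon process-creation record for that process ID.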
spoolsv.exe process.
[2] https://github.com/cube0x0/CVE-2021-1675
[3] https://github.com/SecureAuthCorp/impacket
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527