PoC exploit accidentally leaks for dangerous Windows PrintNightmare bug

Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems.

Tracked as CVE-2021-1675, the vulnerability was patched earlier this month in the Microsoft June 2021 Patch Tuesday security updates.

The vulnerability impacts Print Spooler (spoolsv.exe), a Windows service that serves as a generic universal interface between the Windows OS, applications, and local or networked printers, allowing app developers to easily initiate print jobs.

The service has been included in Windows since the 90s and is one of the operating system’s most buggy processes, with many vulnerabilities being discovered across the years, including bugs such as PrintDemonFaxHellEvil PrinterCVE-2020-1337, and even some of the zero-days used in the Stuxnet attacks.

CVE-2021-1675, the latest in this long line of Print Spooler bugs, and was initially discovered by security researchers from Tencent Security, AFINE, and NSFOCUS earlier this year.

The bug was initially categorized as a low-importance elevation-of-privilege vulnerability that allowed attackers to gain admin privileges, but last week, Microsoft updated the bug’s description to classify CVE-2021-1675 as a remote code execution issue that could be remotely exploited to allow attackers to take full control of unpatched Windows systems.

Initially, no technical write-up or proof-of-concept code was published for CVE-2021-1675, meaning that attackers who wanted to abuse this bug had to investigate the patch code themselves and create an exploit if they wanted to integrate this bug in their attacks.

Last week, Chinese security firm QiAnXin published a low-quality GIF showing an exploit for the CVE-2021-1675 bug for the first time, but the company did not release any technical details or a working PoC in order to allow users more time to apply this month’s security updates and safeguard their systems.

However, in what looks to have been an accident, an in-depth technical write-up and a fully working PoC exploit were shared on GitHub earlier today.

The GitHub repo has been taken offline after a few hours, but not before it was cloned by several other users.

Authored by three analysts from Chinese security firm Sangfor, the write-up, which we will not link here, details how the trio discovered the bug independently from the teams who reported the vulnerability to Microsoft.

“We also found this bug before and hoped to keep it secret to participate in the Tianfu Cup [hacking contest],” the team said today [quote lightly redacted for readability].

The researchers said that since QiAnXin published a video of the CVE-2021-1675 exploit, they decided to publish their full write-up and PoC as a result.

However, the team went back on their decision a few hours later after realizing they were giving away the entire details of a talk they had scheduled for the Black Hat USA 2021 security conference later this year.

The team pulled the GitHub repo, but by that time, the CVE-2021-1675 exploit and write-up had already been cloned.

As seen by The Record, the write-up and the PoC are now being shared in closed infosec communities and are expected to leak back into the public domain again in the coming days.

Since the CVE-2021-1675 vulnerability, which the Sangfor team codenamed PrintNightmare, has been revised by Microsoft into an RCE attack vector, and PoC exploit code is now in the public domain, companies are advised to update their Windows fleets as soon as possible.

Of note is that the vulnerability impacts all Windows OS versions available today and might even affect deprecated Windows versions such as XP and Vista.

Since Print Spooler bugs have been abused in attacks in the past, the chances are pretty high that this bug would be abused as well, especially since it’s an RCE, a vulnerability class prized by most attackers.

In preparation for possible future abuses, Florian Roth of Nextron Systems has released Sigma rules to detect PrintNightmare exploitation.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.


Source: Recorded Future

Leave a Reply