Public Windows PrintNightmare 0-day exploit allows domain takeover
Technical details and a proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that allows remote code execution.
Despite the need for authentication, the severity of the issue is critical as threat actors can use it to take over a Windows domain server to easily deploy malware across a company’s network.
The issue affects Windows Print Spooler and because of the long list of bugs impacting this component over the years [1, 2, 3, 4], the researchers named it PrintNightmare.Top ArticlesREAD MOREWindows 11 makes TPM Diagnostics tool its firstoptional feature
Several researchers have tested the leaked PoC exploit on fully patched Windows Server 2019 systems and were able to execute code as SYSTEM.
An accidental leak
Leaking the details for this vulnerability happened by accident, out of a confusion with another issue, CVE-2021-1675, also impacting Print Spooler that Microsoft patched in this month’s rollout of security updates.
Initially, Microsoft classified CVE-2021-1675 as a high-severity, privilege escalation issue but a couple of weeks later changed the rating to critical and the impact to remote code execution, without providing any details.
Credited for reporting CVE-2021-1675 are researchers from three cybersecurity companies (Tencent, AFINE, NSFOCUS) but multiple teams were analyzing Windows Print Spooler.
On June 28, Chinese security vendor QiAnXin announced that they found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution, and published a demo video.
Seeing the exploit video and believing it’s the same issue, another team of researchers from Chinese security company Sangfor, decided to release their technical writeup and a demo exploit, calling the bug PrintNightmare.
However, it turns out that PrintNightmare is not the same as CVE-2021-1675, which received a patch on June 8, but a zero-day vulnerability in Windows Print Spooler in need of a fix.
Mitja Kolsek, CEO of Acros Security and co-founder of micropatching service 0Patch clears the confusion by pointing to the technical details that AFINE researchers released for CVE-2021-1675, which are different from what Sangfor researchers published yesterday.
Confusion aside, PrintNightmare is a serious flaw that needs to be treated accordingly.
Since a patch is yet to come, administrators are strongly advised to stop and disable the spooler service, especially on domain controller systems.
Security consulting company Lares published a repository with detection and remediation information that includes a sample of the PrintNightmare attack and a Sysmon configuration file for telemetry purposes.
Lares also provides details on how to stop and disable the spooler service either from the Group Policy settings or by using a PowerShell script.
This can be done either from the Group Policy settings or by using PowerShell script
Benjamin Delpy, the developer of mimikatz post-exploitation tool for penetration testing, achieved remote code execution with the highest privileges on a fully patched system, too.
While his test was also on a Domain Controller, Delpy said that the same result is achieved “on all systems with RPC to spooler available, remote or local.”
Delpy made a video showing that his test system, running the latest updates, did not stop the PrintNightmare exploit:https://player.vimeo.com/video/569411390
Will Dormann, a vulnerability analyst for CERT/CC confirmed that a remote, authenticated attacker can run code with elevated rights on a machine with the Print Spooler service enabled.
Dormann also confirmed that Microsoft’s June security updates have no effect against the PrintNightmare zero-day vulnerability detailed by the researchers from Sangfor.
The general advice at the moment is to stop and disable the service on Domain Controllers as soon as possible, as the need for authentication is far from a deterrent for an attacker.
Threat actors, ransomware groups in particular, are likely to jump at the occasion to compromise company networks, since getting credentials for limited-privilege domain users is an easy task, security researcherJonas Lykkegård told BleepingComputer.
Credentials for regular users can be just as good for an attacker in environments vulnerable to privilege escalation, and there is a market for this type of data, sustained by info-stealing activities.
On some underground forums, a valid login and password pair for a Windows Remote Desktop server can go for as low as $3 and as high as $70.
One of the largest marketplaces for Windows Remote Desktop logins had a collection of 1.3 million credentials, showing that selling them is a lucrative business.
Sangfor researchers (Zhiniang Peng, XueFeng Li, and Lewis Lee) will talk at Black Hat this year about how they found PrintNightmare and created an exploit for it in a presentation titled Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer.
Update [June 30, 18:45 EST]: Added information about detecting PrintNightmare exploit attempts and disabling the print spooler service to prevent attacks.