Hunting PrintNightmare, the zero-day hole in Windows CVE-2021-1675

Summary

Critical RCE vulnerability allows regular users to fully compromise Active Directory.
This vulnerability can give full domain access to a domain controller under a SYSTEM context. It requires authenticating as a domain user, and it abuses the Windows Print Spooler service, which runs by default on all Windows servers and clients.

The bug was initially documented by Microsoft as opening an EoP (elevation of privilege) hole in pretty much every supported Windows version, all the way from Windows 7 SP1 to Windows 10 and from Server 2008 to Server 2019.

The Print Spooler bug was supposed to be fixed in the Microsoft June 2020 Patch update,
but on 21 June 2021 Microsoft updated the CVE-2021-1675 security update page to admit that the bug could be used for RCE (remote code execution) as well,
making it a more serious vulnerability known as "PrintNightmare",
and there is no official patch yet.

MITRE Ref 
Exploitation of Remote Services (T1210)


Hunting 
The vulnerability exists in the "RpcAddPrinterDriver" call of the Windows Print Spooler.
  • print service logs
    • we notice Event ID "316" listing the malicious DLL file in the following message:
      "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, malicious_dll.dll. No user action is required."


  • suspicious logon from a normal user to AD
    • focus on successful logon attempts from non-admin users on the domain controller

  • newly created files in the spool directory
    • look for any suspicious DLL files executed from the print spooler driver directory "C:\Windows\System32\spool\drivers\" under a SYSTEM context

  • native PowerShell
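The two hunts above (event 316 file lists and recently written DLLs under spool\drivers) as an added PowerShell example; this is not code from the original post. It assumes the Microsoft-Windows-PrintService/Operational log is enabled on the host, that event 316 messages end with "Files:- <list>. No user action is required." as quoted above, and the $knownGood allowlist is a constructed placeholder to tune locally.

```powershell
# Added hunting script, not from the original post. Assumptions: the
# Microsoft-Windows-PrintService/Operational log is enabled, event 316
# messages end with "Files:- <list>. No user action is required." as
# quoted above, and $knownGood is a constructed allowlist to tune locally.
$lookbackHours = 24
$knownGood = @('UNIDRV.DLL', 'UNIRES.DLL', 'STDNAMES.GPD', 'KERNELBASE.DLL')
$driverDir = Join-Path $env:SystemRoot 'System32\spool\drivers'

# Parse the file list out of an event 316 message and return the entries
# that are not on the allowlist (empty result = nothing unexpected).
function Get-UnexpectedDriverFile {
    param([string]$Message)
    if (-not ($Message -match 'Files:-\s*(?<files>.+?)\.\s*No user action')) { return @() }
    $files = $Matches['files'] -split ',\s*'
    return @($files | Where-Object { $_.Trim().ToUpper() -notin $knownGood })
}

# Constructed sample: the event 316 message quoted in the post above.
$sample = 'Printer driver 1234 for Windows x64 Version-3 was added or updated. ' +
          'Files:- UNIDRV.DLL, kernelbase.dll, malicious_dll.dll. No user action is required.'
Get-UnexpectedDriverFile -Message $sample

# 1. Live hunt: event 316 (driver added/updated) within the lookback window.
$filter = @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316
             StartTime = (Get-Date).AddHours(-$lookbackHours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $unknown = @(Get-UnexpectedDriverFile -Message $_.Message)
    if ($unknown.Count -gt 0) {
        [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Event 316'
                           Finding = 'Driver added with unexpected file(s): ' + ($unknown -join ', ') }
    }
}

# 2. DLLs written under spool\drivers in the window, with Authenticode status,
#    so an unsigned or unknown-publisher DLL stands out for follow-up.
Get-ChildItem -Path $driverDir -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$lookbackHours) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ Time = $_.LastWriteTime; Source = 'spool\drivers'
                           Finding = "$($_.FullName) (signature: $($sig.Status))" }
    }
```

Run it from an elevated prompt on the print server or domain controller; the constructed sample yields malicious_dll.dll as the only unexpected entry, which is the pattern to alert on.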

Mitigation
  • There is no official patch yet.
  • Watch out for a patch and deploy it as soon as you can once it is out.
  • Until then, disabling the Print Spooler on vulnerable computers is a satisfactory workaround.

  • Windows cmd:
    • net stop spooler
  • PowerShell:
    • Stop-Service -Name Spooler -Force

