A proof-of-concept (PoC) exploit related to a remote code execution vulnerability affecting Windows Print Spooler and patched by Microsoft earlier this month was briefly published online before being taken down.
Identified as CVE-2021-1675, the security issue could grant remote attackers full control of vulnerable systems. Print Spooler manages the printing process in Windows, including loading the appropriate printer drivers and scheduling print jobs, among other tasks.
Print Spooler flaws are concerning not only because of the wide attack surface, but also because the service runs at the highest privilege level and is capable of dynamically loading third-party binaries.
“Either the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document),” Microsoft said in its advisory.
Although the vulnerability was addressed by the Windows maker as part of its Patch Tuesday update on June 8, 2021, Microsoft on June 21 revised the flaw’s impact from elevation of privilege to remote code execution (RCE) and upgraded the severity level from Important to Critical.
Things took a turn when Chinese security firm QiAnXin earlier this week disclosed it was able to find the “right approaches” to leverage the flaw, thereby demonstrating successful exploitation to achieve RCE.
Although the researchers refrained from sharing additional technical specifics, Hong Kong-based cybersecurity company Sangfor published an independent deep dive into the same vulnerability, along with fully working PoC code, to GitHub, where it remained publicly accessible before being taken offline a few hours later.
Sangfor codenamed the vulnerability “PrintNightmare.”
“We deleted the PoC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service,” tweeted Sangfor’s Principal Security Researcher Zhiniang Peng. The findings are expected to be presented at the Black Hat USA conference next month.
Windows Print Spooler has long been a source of security vulnerabilities, with Microsoft fixing at least three issues — CVE-2020-1048, CVE-2020-1300, and CVE-2020-1337 — in the past year alone. Notably, a flaw in the service was also abused to gain remote access and propagate the Stuxnet worm in 2010 targeting Iranian nuclear installations.