CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability

Researchers published and deleted proof-of-concept code for a remote code execution vulnerability in Windows Print Spooler, called PrintNightmare, though the PoC is likely still available.

Background

At the end of June, two different research teams published information about CVE-2021-1675, a remote code execution (RCE) vulnerability in the Windows Print Spooler that has been named PrintNightmare.

When it was originally disclosed in the June Patch Tuesday update, it was described as a low severity elevation of privilege vulnerability. That designation was updated on June 21 to indicate a critical severity and the potential for RCE. Discovery was credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab.

On June 27, the research team at QiAnXin tweeted a GIF demonstrating successful exploitation of CVE-2021-1675 to gain RCE without any technical details or proof-of-concept (PoC) code.

Recently, we found right approaches to exploit #CVE-2021-1675 successfully, both #LPE and #RCE. It is interesting that the vulnerability was classified into #LPE only by Microsoft, however, it was changed into Remote Code Execution recently.https://t.co/PQO3B12hoE pic.twitter.com/kbYknK9fBw

— RedDrip Team (@RedDrip7) June 28, 2021

On June 29, researchers at a different firm, Sangfor, published a full technical write-up with PoC code to GitHub. That repository, however, was taken down after only a few hours. It is unclear if the researchers decided to share their PoC because of the tweet from QiAnXin. The researchers claim to have discovered this vulnerability independently from those credited with the disclosure by Microsoft.

We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait our Blackhat talk. https://t.co/heHeiTCsbQ

— zhiniang peng (@edwardzpeng) June 29, 2021

While they did not explicitly confirm the reason for removal of the PoC, it appears the researchers were concerned about giving too much information away publicly before their upcoming Black Hat USA presentation on this vulnerability.

Unfortunately, the GitHub repository was publicly available long enough for others to clone it. The PoC is likely still circulating and is likely to resurface publicly, if it hasn’t already done so.

Analysis

Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain.

Windows Print Spooler has a long history of vulnerabilities and its ubiquity can allow for serious impact on targets. Most notably, Print Spooler vulnerabilities were tied to the Stuxnet attacks over a decade ago. More recently, CVE-2020-1337 was a zero-day in print spooler disclosed at last year’s Black Hat and DEF CON events, which happened to be a patch bypass for CVE-2020-1048, another Windows Print Spooler vulnerability that was patched in May 2020.

Solution

CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021. Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.