Researchers Leak PoC Exploit for a Critical Windows RCE Vulnerability

A proof-of-concept (PoC) exploit related to a remote code execution vulnerability affecting Windows Print Spooler and patched by Microsoft earlier this month was briefly published online before being taken down.

Identified as CVE-2021-1675, the security issue could grant remote attackers full control of vulnerable systems. Print Spooler manages the printing process in Windows, including loading the appropriate printer drivers and scheduling the print job for printing, among others.

Print Spooler flaws are concerning, not least because of the wide attack surface, but also owing to the fact that it runs at the highest privilege level and is capable of dynamically loading third-party binaries.

The Windows maker addressed the vulnerability as part of its Patch Tuesday update on June 8, 2021. But almost two weeks later, Microsoft revised the flaw’s impact from an elevation of privilege to remote code execution (RCE) as well as upgraded the severity level from Important to Critical.

“Either the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document),” Microsoft said in its advisory.

Things took a turn when Chinese security firm QiAnXin earlier this week disclosed it was able to find the “right approaches” to leverage the flaw, thereby demonstrating a successful exploitation to achieve RCE.

Although the researchers refrained from sharing additional technical specifics, Hong Kong-based cybersecurity company Sangfor published what’s an independent deep-dive of the same vulnerability to GitHub, along with a fully working PoC code, where it remained publicly accessible before it was taken offline a few hours later.

Sangfor codenamed the vulnerability “PrintNightmare.”

“We deleted the PoC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service,” tweeted Sangfor’s Principal Security Researcher Zhiniang Peng. The findings are expected to be presented at the Black Hat USA conference next month.

Windows Print Spooler has long been a source of security vulnerabilities, with Microsoft fixing at least three issues — CVE-2020-1048, CVE-2020-1300, and CVE-2020-1337 — in the past year alone. Notably, a flaw in the service was also abused to gain remote access and propagate the Stuxnet worm in 2010 targeting Iranian nuclear installations.

Update — There are now indications that the fix released by Microsoft for the critical remote code execution vulnerability in the Windows Print spooler service in June does not completely remediate the root cause of the bug, according to the CERT Coordination Center, raising the possibility that it’s a zero-day flaw in need of a patch.

“While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675,” CERT/CC’s Will Dormann said in a vulnerability note published Wednesday.

It’s worth noting that the successful exploitation of CVE-2021-1675 could open the door to complete system takeover by remote adversaries. We have reached out to Microsoft for comment, and we will update the story when we hear back.

In light of the latest disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is recommending that administrators “disable the Windows Print spooler service in Domain Controllers and systems that do not print.”