Blue Hexagon Blog

Threat Advisory: CVE-2021-1675 aka #PRINTNIGHTMARE

Here’s what you really need to know and do now

With any vulnerability that manages to grab headlines, the two questions you should always ask are: 

  • How hard is it to weaponize, and 
  • Is there a patch available?

When it comes to CVE-2021-1675, Blue Hexagon Labs has verified that working PoC sample code circulating in the wild is functional and contains instructions for scanning for vulnerable hosts and for payload delivery. These factors, combined with the fact that there is no patch at this moment in time and the wide variety of Windows software versions affected, raise serious concerns about the high likelihood of weaponization.

Details on the vulnerability

CVE-2021-1675 is a Remote Code Execution (RCE) vulnerability in the MS Windows Print Spooler which could allow remote authenticated users to gain privileges via a crafted RPC message. Initially classified as a low-risk elevation-of-privilege issue, CVE-2021-1675 is now dubbed #printnightmare and has been escalated to remote code execution status.

Researchers from QiAnXin Technology, a Chinese security vendor, published a video on Sunday June 27th showing how this could result in RCE. Separately, work from researchers at Sangfor scheduled to be presented at BlackHat 2021 in August was leaked on GitHub as a POC on June 28th. The Sangfor researchers originally wanted to keep the POC secret to use in the Tianfu Cup (an international cybersecurity contest), but because others started posting about it, it was released. At this point, it is clear that POC code for this exploit will be available, and there is even a Python implementation available.

A day later, researchers posted videos combining Mimikatz and #printnightmare to go from standard user to SYSTEM on a remote domain controller, and showcased versions of the POC working on a fully patched Windows 2019 domain controller. For some smaller businesses, a single large server may be performing multiple functions, including DC, and the spooler service will likely be running.

At this point in time, no threat family has been associated with using this CVE in the wild. However, Blue Hexagon Labs believes that this will most likely be weaponized by actors in Eastern Europe, more specifically by families associated with Crypto Mining with a possibility of some Ransomware authors adopting it as a low hanging fruit.

Technical Analysis

To understand the root cause of this vulnerability, we need to dig deep into the way that a printer driver is added to the print server.

RpcAddPrinterDriver is responsible for adding or updating a printer driver on a print server. According to Microsoft's official documentation, the client performs the following steps:

  1. Enumerate existing printer drivers using RpcEnumPrinterDrivers.
  2. If the printer driver does not already exist or the client requests to update the printer driver, use RpcAddPrinterDriver to add the driver to the print server.
     • The client ensures that the files for the printer driver are in a location accessible to the server. For that purpose, the client can share a local directory containing the files, or use [MS-SMB] to place the files into a directory on the server.
     • The client then allocates and populates a DRIVER_INFO_2 structure as follows:
     • The client allocates a DRIVER_CONTAINER driverContainer structure and initializes it to contain the DRIVER_INFO_2 structure.
     • The client calls RpcAddPrinterDriver.
     • The server adds the printer driver and returns 0 (success).

Reference: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/bc4d1830-8e1f-428a-9073-d655916494cf

The root cause of this vulnerability is located in “localspl.dll” at the function “void __fastcall SplAddPrinterDriverEx”. This function is responsible for adding and validating the printer driver.

Indeed, the condition if ( !a7 || (unsigned int)ValidateObjectAccess(0i64, 1i64, 0i64) ) can be made to pass by forcing the value of “__int64 a4”, a user-controllable value passed as a parameter to SplAddPrinterDriverEx(), and by bypassing the ValidateObjectAccess() function check.

What you should do

As there is no patch currently available, disabling the Spooler service should be considered as a primary option. Such tasks can be automated, for example by using PowerShell to disable default spoolers or by using Group Policy Preferences.

As a first course of defensive action, we recommend that you take inventory of the number of vulnerable hosts in your enterprise and use an NDR (Network Detection and Response) tool like Blue Hexagon to look for suspicious activity around those IP addresses, especially SMB activity involving suspicious payloads such as DLL files and Mimikatz variants. Existing threat actors who have foothold infections in networks may try to move laterally in order to use this exploit, so East-West visibility and real-time detection with an NDR tool is critical.
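The inventory and Spooler-disable steps recommended above can be scripted together; the following is an added example, not Blue Hexagon's own tooling. It assumes CIM/PowerShell remoting (WinRM) and administrative rights on the targets, and the host names and function names are constructed placeholders.

```powershell
# Added example: audit Print Spooler exposure on a list of hosts, then
# optionally stop and disable the service. Host names are placeholders.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ ComputerName = $computer; State = $null; StartMode = $null
                           IsDomainController = $null; Exposed = $null; Error = $null }
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                       -ComputerName $computer -ErrorAction Stop
            $os  = Get-CimInstance -ClassName Win32_OperatingSystem `
                       -ComputerName $computer -ErrorAction Stop
            # ProductType: 1 = workstation, 2 = domain controller, 3 = member server
            $row.IsDomainController = ($os.ProductType -eq 2)
            if ($svc) {
                $row.State     = $svc.State
                $row.StartMode = $svc.StartMode
                # Exposed if running now, or able to start again later
                $row.Exposed   = ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
            } else {
                $row.Exposed   = $false   # Spooler service not present on this host
            }
        } catch {
            $row.Error = $_.Exception.Message   # unreachable or access denied
        }
        [pscustomobject]$row
    }
}

function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$ComputerName)
    process {
        if ($PSCmdlet.ShouldProcess($ComputerName, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $ComputerName -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}

$targets = @('dc01.example.test', 'fs01.example.test')   # constructed host list
$report  = Get-SpoolerExposure -ComputerName $targets
$report | Sort-Object IsDomainController -Descending | Format-Table -AutoSize
# Dry run against exposed domain controllers; remove -WhatIf to apply.
$report | Where-Object { $_.Exposed -and $_.IsDomainController } | Disable-Spooler -WhatIf
```

Disabling the service stops all printing on that host, so review the report and the -WhatIf output before applying the change to servers that act as print servers.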

Additionally, it is prudent to keep an eye on traffic (especially HTTP transactions) coming into your organization to affected software versions, as well as on command and control or east-west traffic, for suspicious communications or malware, since this could turn into a wormable vulnerability.

Questions? How to Contact Our Threat Team

If you have any questions or need assistance with this threat and how to bolster your security stack, please contact Blue Hexagon Security Experts by email at inquiries@bluehexagon.ai or online at https://bluehexagon.ai/contact/ and let us know how we can help and get in touch with you.

PS: This advisory was updated on Jul 1, 2021 and the Technical Analysis section was added. You may like to bookmark this blog post for future reference as we continue to add further research on this threat.
