The Windows Print Spooler is a basic service that runs by default on Microsoft Windows systems, including client machines, servers and Active Directory domain controllers. The vulnerability is that the service fails to restrict access to the basic print functionality that is part of this service. Exploiting this vulnerability allows an attacker to execute arbitrary code with SYSTEM privileges.
Windows Print Spooler has a long history of vulnerabilities; most notably, Print Spooler vulnerabilities were tied to the Stuxnet attacks over a decade ago. Because the service is so widely available, a flaw in it has a serious impact on targets.
Under the CVSS (Common Vulnerability Scoring System), the vulnerability has a score of 8.8.
Details of the vulnerability
An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server, which results in the Print Spooler service (spoolsv.exe) executing code in an arbitrary DLL file with SYSTEM privileges.
If a user is compromised by a phishing attack, the attacker can use the compromised computer to exploit this vulnerability by pointing the service at a malicious file, and can then successfully install malicious drivers on the server with SYSTEM privileges. The exploits achieve two main goals: 1) remote code execution and 2) privilege escalation, and in doing so give the attacker complete control over the entire domain environment.
Vulnerability Danger Level
There are two important reasons why CVE-2021-1675 is considered highly dangerous: 1) the ubiquity of the vulnerable service, and 2) the fact that the vulnerability has not been properly addressed, despite the release of patches. It is reported that the patch released by Microsoft is not fully effective in preventing this vulnerability from being exploited.
If the user's Windows system is one of the versions listed above, it is likely to be attacked through this vulnerability.
How Hackers Exploit Vulnerabilities
1. Domain admin: hackers can gain access to the system through a domain admin account, and so take full control of the network.
2. Credential stuffing: sensitive accounts (such as bank accounts) can be brute-forced when attackers use the domain passwords they have obtained.
3. Deploying malware: any user on the network can be harmed when hackers deploy malware (such as keyloggers).
How to mitigate the vulnerability
1. Users can install the relevant Windows security patches.
2. In addition to the security patches, users can disable the Print Spooler service in services.msc.
3. In Group Policy, the user sets shared folders that do not require authentication to “inaccessible” when the system is offered one.
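As an added example (not part of the original article), the following PowerShell script audits the mitigations listed above on a Windows host: it reports whether the Print Spooler service is running and checks the Point and Print registry values that Microsoft's PrintNightmare guidance (KB5005010, KB5005652) requires; with -Apply it stops and disables the service and corrects the values. The registry path and value names come from that Microsoft guidance, not from this article, and -Apply assumes the host does not need to serve printers.

```powershell
# Added example: audit (and with -Apply, enforce) Print Spooler mitigations.
# Run from an elevated PowerShell session. Registry names are the Point and
# Print hardening values from Microsoft's KB5005010 / KB5005652 guidance.
param(
    [switch]$Apply   # without -Apply the script only reports findings
)

$findings = @()

# 1. Print Spooler service state (mitigation 2: disable the service)
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    $findings += "Spooler service not present"
} elseif ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') {
    $findings += "Spooler is $($spooler.Status), start type $($spooler.StartType)"
    if ($Apply) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $findings += "Spooler stopped and disabled"
    }
}

# 2. Point and Print policy: these two values relax the driver-install
#    warnings the exploit abuses; they must be 0 (or absent) for the patch to hold.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = (Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -and $val -ne 0) {
        $findings += "$name = $val (must be 0)"
        if ($Apply) { Set-ItemProperty -Path $ppKey -Name $name -Value 0 -Type DWord }
    }
}

# 3. RestrictDriverInstallationToAdministrators = 1 stops non-admin users from
#    adding printer drivers, which is the RpcAddPrinterDriverEx path described above.
$restrictName = 'RestrictDriverInstallationToAdministrators'
$restrict = (Get-ItemProperty -Path $ppKey -Name $restrictName -ErrorAction SilentlyContinue).$restrictName
if ($restrict -ne 1) {
    $findings += "$restrictName = $restrict (should be 1)"
    if ($Apply) {
        New-Item -Path $ppKey -Force | Out-Null
        Set-ItemProperty -Path $ppKey -Name $restrictName -Value 1 -Type DWord
    }
}

if ($findings.Count -eq 0) { "No findings: Spooler disabled and Point and Print hardened" }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it without -Apply first on a print server, since disabling the Spooler there breaks printing for every client.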
CVE-2021-1675 bypasses the user permission check and allows a printer driver to be added with low user permissions. Since the driver is added to the system through an RPC call, this vulnerability can also be called an RCE vulnerability. However, the conditions for exploiting it are demanding: at least an ordinary domain user account is required, and that user also needs a shared directory.
If you want to go a step further and reproduce the vulnerability:
Disclaimer: The below details are for educational purposes only. If you are interested in learning more about this vulnerability, use a test system and do not attempt any of the below in production systems.
First, use the Windows Control Panel to check whether the Print Spooler service is running.
Download the CVE-2021-1675 exploit after boot and run it on the Desktop.
The current username is “Carson”, but we don't know the username of the admin. After running the exploit and looking at the result, you can see that a user named “adm1n” appears in the user group and that its password is “P@ssw0rd”.
Now we switch to the user “adm1n” and enter the command “net localgroup” to see what permissions the user “adm1n” has. From the results, we can see that “adm1n” belongs to the “Administrators” group. This is a terrible bug: an attacker only needs a low-privileged user and to run this exploit on the system to directly obtain an administrator account.
The exploitation principle of this vulnerability (CVE-2021-1675) is to upload the malicious driver to the system through the “RpcAddPrinterDriverEx” function, after which the attacker can use SYSTEM privileges to load the malicious driver.
1. Change the third parameter “dwFileCopyFlags” of “RpcAddPrinterDriverEx” to “APD_INSTALL_WARNED_DRIVER”. The user can then ignore the system warning and install the printer driver in the system.
2. Set the flag in “ValidateDriverInfo” to “APD_INSTALL_WARNED_DRIVER” to escape the check.
3. To skip the spool directory check, set APD_COPY_FROM_DIRECTORY (0x10) in FileCopyFlags.