Exploitable Critical RCE Vulnerability Allows Regular Users to Fully Compromise Active Directory – PrintNightmare CVE-2021-1675 CVE-2021-34527

PrintNightmare (CVE-2021-1675) is a vulnerability that allows an attacker with a regular user account to take over a server running the Windows Print Spooler service. This is by default running on all Windows servers and clients, including domain controllers, in an Active Directory environment. EDIT: Microsoft has assigned a different CVE to PrintNightmare: CVE-2021-34527.

In practice, this means that an attacker with a regular domain account can take over the entire Active Directory in a simple step. For example, if a user is compromised with a phishing attack, a threat actor can use the compromised computer to easily take over Active Directory in a matter of seconds (this can also be fully automated).

A proof-of-concept (PoC) exploit was recently published (and quickly removed). Although deleted, the GitHub repository had already been cloned.

The main issue is that although CVE-2021-1675 was supposed to be patched on June 8th according to Microsoft, and therefore the recommendation has been to simply update your systems, the PrintNightmare exploit still works on a fully patched domain controller.

We have verified this by running the exploit against a fully patched domain controller running Windows Server 2019 (we have not tested other versions yet), over the network, using a regular domain account.

PrintNightmare CVE-2021-1675 KB5003646
Target Domain Controller, fully patched including KB5003646
PrintNightmare CVE-2021-1675 localspl.dll
Version of the patched Print Spooler DLL

We have tested one of the exploits available on GitHub using a regular domain account, to deliver a PoC DLL that would simply output the current username to a file in C:\poc.txt

PrintNightmare CVE-2021-1675 user
Regular domain account used for the PoC
PrintNightmare CVE-2021-1675 exploit
Exploiting PrintNightmare CVE-2021-1675
PrintNightmare CVE-2021-1675
Successful exploitation of PrintNightmare CVE-2021-1675 confirming SYSTEM privileges on a fully patched Windows Server 2019 domain controller

Recommendations

NOTE: scroll down for updated recommendations.

Remote attackers with access to a user capable of authenticating to the spooler service can gain full control of any system running the print spooler service by exploiting CVE-2021-1675 / CVE-2021-34527.

Due to the nature of the exposure, all systems (especially domain controllers) need to have the Print Spooler service disabled until a working patch is available and installed. NOTE: the service should be disabled, not stopped. If it is only stopped, it may be triggered to start again.

Even without this vulnerability, the recommendation has been to avoid running the print spooler service on any domain controller, as it can be used to elevate privileges to a domain controller computer account when a threat actor has access to a user with unconstrained delegation.

Disallow client connections

Disabling the Print Spooler service on clients will impact the clients’ general ability to print to any printer. An alternative workaround to disabling the service is to configure it to not accept client connections. This will effectively limit the access to the local machine preventing the remote exploitation of PrintNightmare.

Configure the “Allow Print Spooler to accept client connections” setting locally or using a GPO. The policy is part of the Administrative Templates in the Computer Configuration.

PrintNightmare CVE-2021-1675 workaround GPO
Policy to disallow client connections

Workaround

For systems where the print service is absolutely needed, here we describe a possible workaround to prevent exploitation and keep the servers running until a patch is available.

UPDATE JULY 6th, 2021

Microsoft released an Out-of-Band (OOB) Security Update available for CVE-2021-34527.

The fix includes new features that allow customers to implement stronger protections. See KB5005010 Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Optionally configure the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server.

Registry locationHKEY_LOCAL_MACHINE \Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint Note:  The RestrictDriverInstallationToAdministrators registry setting resides under the PointAndPrint registry location but is specific to protections for CVE-2021-34527 but is not related to point and print behavior.
DWord nameRestrictDriverInstallationToAdministrators
Value dataSetting the value to 0, or leaving the value undefined allows non-administrators to install signed drivers and allows administrators to install signed and unsigned printer drivers to a print server. This is the default value. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a printer server. Administrators can install both a signed or unsigned printer driver on a print server. Note: If this value is set to 0, the registry value is disabled (default or not present).
Restart requirementsNo restart is required when creating or modifying this registry value.

UPDATE JULY 7th, 2021

Benjamin Delpy @gentilkiwi released and updated a version of Mimikatz that demonstrates how to bypass the filtering in the released fix by simply avoiding the \\ characters and denoting a UNC path using \??\UNC\ instead.

It is important to note that (according to @gentilkiwi) the bypass is related to the Point and Print feature!


By Fabio Viggiani

Fabio is the technical lead of Truesec Security Team. He leads advanced Incident Response missions, and has extensive experience in Red Team assignments as well as traditional penetration tests.

He also works closely with Truesec Security Operations Center, focusing on Threat Hunting and detection.

This gives him a strong insight in the current threat landscape and the latest attacks and detection techniques.