The Origin Story:
“PrintNightmare” is a recently disclosed vulnerability in the Windows Print Spooler service: a Remote Code Execution (RCE) flaw that can be used against any server or workstation on which the Print Spooler service is running, and the service is enabled by default on all Windows machines.
Since the vulnerability essentially lets any authenticated user on the internal network fully compromise the domain by exploiting a domain controller, it rapidly escalated to critical status and requires an immediate response from organizations. It took Microsoft about 10 days to release security patches for all Windows versions, and those patches are effective only under certain circumstances, which I will cover later.
Security researchers Zhipeng Huo, Piotr Madej and Yunhai Zhang are credited with reporting CVE-2021-1675 to Microsoft. Believing the bug had since been fixed, researchers published a write-up of a Print Spooler vulnerability, including a proof-of-concept (PoC), and identified it as CVE-2021-1675.
There are questions as to how this happened. Microsoft addressed a Print Spooler vulnerability assigned with CVE-2021-1675 as part of the June 2021 security updates. Initially it was classified as a low severity vulnerability allowing Local Privilege Escalation (LPE). Then on June 21st, Microsoft changed the classification after it was discovered that the flaw allows (RCE) as well.
Unfortunately, we now know that the vulnerability exploited by the PoC was not CVE-2021-1675. The PoC was found to work against servers patched with the June 2021 updates under certain circumstances, including domain controllers running the default configuration. Although the researchers deleted their PoC from GitHub, it had already been forked, which led to many more public PoCs and to the technique being added to tools such as the well-known Mimikatz.
Microsoft assigned a new ID of CVE-2021-34527 to the vulnerability on July 1st with the statement that though it was similar to CVE-2021-1675 it was actually another vulnerability in the same Print Spooler API call.
Microsoft released an out-of-band security update on July 6th to address CVE-2021-34527 for some Windows versions (Server 2019, Server 2012 R2, Server 2008 R2, Server 2008, Windows 10 version 1703 and later, Windows 8.1, Windows 7), and on July 8th for the remaining versions (Server 2016, Server 2012, Windows 10 version 1607).
It was then discovered that this patch does not provide complete protection either: with a certain non-default configuration in place, the patch can be bypassed to gain both RCE and LPE.
The Vulnerability Itself:
The RCE vulnerability is within the RpcAddPrinterDriverEx call, part of the MS-RPRN protocol (Print System Remote Protocol) and allows remote driver installation by users with the SeLoadDriverPrivilege right. This right is granted by default only for members of the Administrators or Print Operators group.
Unfortunately, RpcAddPrinterDriverEx has a logical bug that allows users who are not part of the Administrators or Print Operators groups to bypass authorization and load drivers to the remote system. By manipulating two of the parameters used by RpcAddPrinterDriverEx, a remote unprivileged user could specify their own driver DLL be installed. Said driver could, for example, create an administrative account on the victim server, or deploy malware.
On July 3rd, a security researcher known by the nickname cube0x0 tweeted that he was able to exploit the MS-PAR protocol (Print System Asynchronous Remote Protocol) too, using the RpcAsyncAddPrinterDriver call, which is similar to RpcAddPrinterDriverEx and also allows loading drivers remotely onto the target machine.
Although both MS-RPRN and MS-PAR are vulnerable to this exploit, exploitation over MS-PAR has fewer constraints.
To exploit the PrintNightmare vulnerability using the MS-PAR protocol, the attacker will need:
Print Spooler service running on the target machine and allowing remote connections (enabled by default).
Credentials (username and password) of any domain user.
A network share reachable from the attacked server, on which the malicious DLL is hosted.
To exploit the vulnerability over MS-RPRN, one additional constraint must also be met (any one of the following is enough):
On domain controllers, the user must be a member of the built-in group “Pre-Windows 2000 Compatible Access”. By default, that group contains “Authenticated Users”.
Point and Print warnings on install and update are disabled, so that printer driver installation does not require elevation. This is not the Windows default; by default the Point and Print warnings are enabled.
UAC is turned off and “Admin Approval Mode” is not enforced. This is not the Windows default; by default UAC is enabled and enforces Admin Approval Mode.
The Mitigation Path:
In most cases a vulnerability like this one would be safely mitigated by security patches. That was not the case here, possibly due to the legacy nature of the Print Spooler service and the complexity of the Windows RPC APIs.
On July 6th, an out-of-band security patch for CVE-2021-34527 was released by Microsoft. This patch protects against the MS-RPRN and MS-PAR RCE exploits and covers the CVE-2021-1675 vectors as well. However, a few gaps remain in this patch:
At first it was not available for Windows Server 2016, Server 2012 and Windows 10 version 1607. This was resolved on July 8th, when patches for the remaining versions were published.
Where Point and Print warnings are disabled, the patch does not properly mitigate RCE. After the patch, the Spooler blocks injected DLLs referenced by a network path of the form \\<server>\<share>, but it does not block the equivalent NT object path form “\??\UNC\<server>\<share>”. Mimikatz had already implemented native support for this path format, so it bypasses the patch's restriction.
It is still highly recommended to install the latest Windows patches on all versions to significantly reduce the attack vector, and also to keep track of any newly published security patches.
Based on an understanding of the attack process and on modeling the attack in several environments, the following is recommended to mitigate it, focusing on domain controllers first and then proceeding to member servers and workstations. If the environment permits, implement all the methods to achieve defense in depth and greater coverage against all Print Spooler related risks.
Method 1: Install latest CVE-2021-34527 security updates
Install the latest security patches released by Microsoft on July 6th and July 8th (for example KB5004947 for Windows Server 2019 and Windows 10 version 1809; other builds have their own KB numbers) to protect against the “PrintNightmare” RCE and LPE exploits on domain controllers and member servers, as long as Point and Print warnings on install are not disabled. This patch was released out-of-band, separate from the standard monthly cycle. As per Microsoft, after installing these updates non-administrators are only allowed to install signed print drivers to a print server, which blocks the installation of malicious code.
For more information, see Microsoft guidance:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
The update also adds the ability to prevent non-administrators from installing any print drivers on a print server, including signed drivers, via the “RestrictDriverInstallationToAdministrators” registry value. When this value is set, the exploit fails regardless of the Point and Print settings. It is recommended to implement this measure as well, though not necessarily as an immediate action.
For information on this option, see:
Method 2: Disable Print Spooler service
(For domain controllers & non-print servers)
Disabling the Print Spooler service mitigates the PrintNightmare vulnerability as well as any other risk related to the service. It is highly recommended to apply a GPO that enforces the Print Spooler service being disabled on existing and newly created machines that do not require printing functionality.
This can be accomplished manually by running the following PowerShell command:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Or by the following command line (note that sc.exe requires a space after “start=”):
net stop spooler && sc config spooler start= disabled
Potential consequences of using this method:
A machine with the Print Spooler service disabled cannot process any print jobs. So make sure you only apply this on servers that do not require that capability, such as domain controllers, and avoid applying it on workstations.
On domain controllers taking these actions will disable printer pruning. This functionality automatically removes printer objects from Active Directory that are no longer available. According to Microsoft, in cases where this functionality is required, it can be replaced by a PowerShell script which will be run periodically.
Method 3: Disable inbound remote printing through Group Policy
(For domain controllers, non-print servers and workstations)
For machines that need to print locally or through a shared printer, where the Print Spooler cannot be disabled, you can instead disable inbound remote printing. This shuts down the print server functionality within the Print Spooler service and removes the remote (RCE) attack vector. For defense in depth it is recommended to apply this measure on other machines as well. Note that Local Privilege Escalation (LPE) exploits still apply when inbound remote printing is disabled, depending on the specific configuration of Point and Print warnings and UAC. The setting is the policy “Allow Print Spooler to accept client connections”, which should be set to Disabled; it can be applied via GPO and is found at:
Computer Configuration -> Policies -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections.
Potential consequences of using this method:
When the policy is disabled, the Spooler service will not accept client connections nor allow users to share printers. It does not impact printing to local or remote shared printers, and all printers currently shared will continue to be shared. The Print Spooler service must be restarted for the policy to take effect.
Method 4: Ensure Point and Print installation prompts are enabled
Point and Print is a term that refers to the capability of allowing a user on a Windows client to create a connection to a remote printer without providing disks or other installation media. All necessary files and configuration information are automatically downloaded from the print server to the client.
By default, when a user installs drivers through the Point and Print mechanism, a UAC elevation warning is shown and the user must approve the action. Where this warning is disabled, several exploitation avenues open up, including RCE on machines patched with the CVE-2021-34527 update that are not hardened with methods 2 or 3.
Since methods 2 and 3 are not applicable for print servers, this method is essential in protecting them.
Consequences of this method:
By applying these security settings, you require the user to approve driver installation in a popup window.
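The following PowerShell script is an added example, not code from the original article: it audits a host against Methods 1 to 4 above and can apply the registry-based parts of the hardening. The registry paths and value names are the ones Microsoft documents for the July 2021 Print Spooler updates (“RegisterSpoolerRemoteRpcEndPoint” for the client-connection policy, the PointAndPrint values for the prompts and the administrators-only restriction); the patch ID list is an assumption that only contains the KB named above and must be extended with the KB for every build in scope.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and (optionally) apply the PrintNightmare mitigations on the local host.
# Value names follow Microsoft's KB5005010 guidance; $JulyPatchIds is an illustrative assumption.

$PointAndPrint  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$UacPolicy      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$JulyPatchIds   = @('KB5004947')   # Server 2019 / Windows 10 1809 only; add the KB for each other build

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, i.e. the policy is "not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PrintNightmarePosture {
    $svc       = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $rpc       = Get-RegDword $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint'        # 2 = client connections disabled
    $noWarn    = Get-RegDword $PointAndPrint  'NoWarningNoElevationOnInstall'           # 0 or absent = prompt shown
    $updPrompt = Get-RegDword $PointAndPrint  'UpdatePromptSettings'                    # 0 or absent = prompt shown
    $restrict  = Get-RegDword $PointAndPrint  'RestrictDriverInstallationToAdministrators'
    $uac       = Get-RegDword $UacPolicy      'EnableLUA'                               # 0 = UAC off
    $patched   = @(Get-HotFix -ErrorAction SilentlyContinue |
                   Where-Object { $_.HotFixID -in $JulyPatchIds }).Count -gt 0

    [pscustomobject]@{
        Method1_JulyPatchInstalled   = $patched
        Method1_DriverInstallAdmins  = ($restrict -eq 1)
        Method2_SpoolerDisabled      = ($null -eq $svc) -or ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')
        Method3_InboundPrintingOff   = ($rpc -eq 2)
        Method4_PointAndPrintPrompts = (-not $noWarn) -and (-not $updPrompt)
        UacAdminApprovalMode         = ($uac -ne 0)
    }
}

function Set-PrintNightmareHardening {
    param(
        [switch]$DisableSpooler,          # Method 2: domain controllers and non-print servers only
        [switch]$DisableInboundPrinting,  # Method 3: keeps local printing, stops the print-server role
        [switch]$RestrictDriverInstall    # Method 1 follow-up: only administrators may add drivers
    )
    foreach ($p in $PointAndPrint, $PrintersPolicy) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    # Method 4: always force the Point and Print warning and elevation prompt (0 = show both).
    Set-ItemProperty -Path $PointAndPrint -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrint -Name UpdatePromptSettings -Value 0 -Type DWord
    if ($RestrictDriverInstall) {
        Set-ItemProperty -Path $PointAndPrint -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    }
    if ($DisableInboundPrinting) {
        Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        # The Spooler reads this value at start-up, so restart it unless it is being disabled anyway.
        if (-not $DisableSpooler) { Restart-Service -Name Spooler -Force }
    }
    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

Get-PrintNightmarePosture | Format-List
# Domain controller or non-print server: Set-PrintNightmareHardening -DisableSpooler -RestrictDriverInstall
# Print server (Spooler must stay up): Set-PrintNightmareHardening -RestrictDriverInstall
```

Run the audit first and compare the output with the method you intend to apply on that class of machine: on a print server only the Method 4 values and the administrators-only restriction are safe, while on domain controllers the script can disable the service outright. Deploy the same values through GPO for anything beyond a one-off check, since a local registry change is overwritten by a conflicting policy.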
Method 5: Block inbound connectivity using firewall
Although this method is harder to implement and requires mapping the connectivity your network actually needs, it is one of the most beneficial ways to protect your assets against any attack, not only “PrintNightmare”. Both attack paths reach the Spooler over RPC: MS-RPRN via the \pipe\spoolss named pipe over SMB (TCP 445) and MS-PAR via RPC over TCP (the endpoint mapper on TCP 135 plus a dynamic port), so blocking inbound traffic on those ports to hosts that are not print servers removes the remote vector.
Summary
Start with protecting your domain controllers, then proceed with member servers and workstations.
To cover all exploitation avenues while ensuring defense-in-depth, it is recommended that the following actions be taken:
- Implement Method 1 – make sure to patch your environment with the latest CVE-2021-34527 security updates and keep track of future patches. This will mitigate “PrintNightmare” as long as Method 4 is followed as well.
- Implement Method 2 – disable the Print Spooler service on domain controllers and non-print servers. This will mitigate all the Spooler attack vectors on the applied machines.
- Implement Method 3 – disable the print server functionality on domain controllers, non-print servers and workstations. This will mitigate all RCE attack vectors on the applied machines.
- Implement Method 4 – ensure that installation of print drivers without elevation prompt is not allowed on all endpoints. This is required to ensure patch effectiveness and is currently the only method to fully protect print servers with the July 6th/8th patches installed.
Hunt for indicators of compromise to detect any potential exploitation in your network.
Detecting “PrintNightmare”:
There are several things to look for when hunting for “PrintNightmare” exploitation, either with the built-in Windows Event Log mechanism or with other tools such as Lansweeper.
Windows Event Logs:
Windows Event Logs record system, security and application notifications created by the Windows operating system. Several logs record events related to Print Spooler activity. However, the Operational log is not enabled by default and needs to be turned on, either through PowerShell (or wevtutil) or through Group Policy. The relevant event logs are:
Microsoft-Windows-PrintService/Admin
Microsoft-Windows-PrintService/Operational
Event IDs of interest include:
Microsoft-Windows-PrintService/Operational, EID 316: the event records the name of the added printer driver and the DLLs it uses. This event will be logged both on successful and unsuccessful attempts to exploit “PrintNightmare”.
Microsoft-Windows-PrintService/Operational, EID 811: records information regarding failed operations. This event will provide information about the full path of the loaded DLL.
Microsoft-Windows-PrintService/Admin EID 808, in combination with Microsoft-Windows-SMBClient/Security EID 31017 can be used to detect unsigned drivers loaded by spoolsv.exe.
Advanced Hunting:
Several independent researchers and commercial companies have released queries that can be utilized to perform threat hunting and identify “PrintNightmare” exploitation:
Tool IOC: If the adversaries are using the tool Mimikatz to perform the attack, a print driver named ‘QMS 810’ will be created. This can be identified by EDR logging changes to the registry (e.g., Sysmon EID 13).
Search for the process spoolsv.exe launching rundll32.exe as a child process with an empty command line.
Search for creation of suspicious DLL files in the %WINDIR%\system32\spool\drivers\x64\3\ folder along with DLLs that were loaded afterwards from %WINDIR%\system32\spool\drivers\x64\3\Old\.
Look for suspicious Spoolsv.exe child processes (e.g., cmd.exe, powershell.exe etc.).
Monitor for creation of suspicious files in the %WINDIR%\system32\spool\drivers\x64\ folder.
Analyze failed attempts to install new print drivers. For example, search the message “The print spooler failed to load a plug-in module” in Microsoft-Windows-PrintService/Admin EID 808. This can be correlated with Microsoft-Windows-SMBClient/Security EID 31017, which may log insecure guest access errors (since Guest access is blocked by default on systems like Windows Server 2019).
Hunt for DLL names that are part of the PoC code made public: ‘MyExploit.dll’, ‘evil.dll’, ‘\addCube.dll’, ‘\rev.dll’, ‘\rev2.dll’, ‘\main64.dll’, ‘\mimilib.dll’. If you identify one of them in EID 808, in Sysmon logs or in your EDR solution, it is a strong indication of an exploitation attempt.
Microsoft provides the above-mentioned queries for Microsoft 365 Defender in the following link:
Splunk offers similar queries and has integrated them into Splunk Security Essentials. Their queries are based on Sysmon and can be found in the following link:
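The following PowerShell script is an added example, not code from the original article or from any of the vendors named above. It applies the event-log rules (EID 316 driver additions, EID 808 plug-in load failures) and the hunting indicators listed above (network-hosted driver DLLs, the known PoC DLL names, the ‘QMS 810’ mimikatz driver name) to a handful of constructed event records, and it folds the “\??\UNC\<server>\<share>” form that bypasses the July patch back into “\\<server>\<share>” so that one rule catches both. The sample messages are hand-written to mimic the real event text and are not real log data; the driver-store wildcard is an assumption for the default spool directory.

```powershell
# Added example: hunt for PrintNightmare indicators in PrintService events.
# The records in $SampleEvents are constructed samples, not real logs.

$PocDllNames   = 'MyExploit.dll','evil.dll','addCube.dll','rev.dll','rev2.dll','main64.dll','mimilib.dll'
$PocDriverName = 'QMS 810'                      # driver name created by the mimikatz module
$DriverStore   = '*\System32\spool\drivers\*'   # assumed default spool directory

function ConvertTo-CanonicalPath {
    param([string]$Path)
    # The July patch blocks \\server\share but, with Point and Print warnings off, not the
    # NT object form \??\UNC\server\share; fold the latter into the former before matching.
    if ($Path -match '^\\\?\?\\UNC\\(.+)$') { return '\\' + $Matches[1] }
    return $Path
}

function Get-DllPathsFromEvent {
    param([string]$Message)
    # EID 316 lists driver files after "Files:-"; EID 808 names the failed plug-in module.
    # Tokenise on whitespace/commas, keep *.dll tokens, drop a sentence-ending period.
    $Message -split '[\s,]+' |
        Where-Object { $_ -match '\.dll\.?$' } |
        ForEach-Object { ConvertTo-CanonicalPath ($_ -replace '\.$', '') }
}

function Test-PrintNightmareEvent {
    param($Event)   # any object with Id and Message, e.g. the output of Get-WinEvent
    $reasons = @()
    if ($Event.Id -notin 316, 808) { return $reasons }
    if ($Event.Id -eq 316 -and $Event.Message -like "*$PocDriverName*") {
        $reasons += "driver named '$PocDriverName' (mimikatz default)"
    }
    foreach ($d in Get-DllPathsFromEvent $Event.Message) {
        $leaf = Split-Path -Path $d -Leaf
        if ($d -like '\\*') {
            $reasons += "driver DLL referenced from a network path: $d"
        } elseif ($Event.Id -eq 808 -and $d -like '?:\*' -and $d -notlike $DriverStore) {
            $reasons += "plug-in load failure outside the driver store: $d"
        }
        if ($leaf -in $PocDllNames) { $reasons += "known PoC DLL name: $leaf" }
    }
    return $reasons
}

# Constructed sample records. For live hunting replace this array with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational',
#                                               'Microsoft-Windows-PrintService/Admin'; Id = 316, 808 }
$SampleEvents = @(
    [pscustomobject]@{ Id = 316; LogName = 'Microsoft-Windows-PrintService/Operational'
        Message = 'Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. Files:- C:\Windows\system32\spool\DRIVERS\x64\3\hpcu255u.dll, UNIDRV.DLL. No user action is required.' },
    [pscustomobject]@{ Id = 316; LogName = 'Microsoft-Windows-PrintService/Operational'
        Message = 'Printer driver QMS 810 for Windows x64 Version-3 was added or updated. Files:- \??\UNC\attacker\share\evil.dll, UNIDRV.DLL, kernelbase.dll. No user action is required.' },
    [pscustomobject]@{ Id = 808; LogName = 'Microsoft-Windows-PrintService/Admin'
        Message = 'The print spooler failed to load a plug-in module \\attacker\share\rev2.dll, error code 0x45A. See the event user data for context information.' }
)

foreach ($e in $SampleEvents) {
    $hits = @(Test-PrintNightmareEvent $e)
    if ($hits.Count -gt 0) { '[{0}] EID {1}: {2}' -f $e.LogName, $e.Id, ($hits -join '; ') }
}
```

The first sample (a vendor driver from the local driver store) produces no output; the second is flagged for the mimikatz driver name, the network-hosted DLL and the ‘evil.dll’ name; the third is flagged for the network path and the ‘rev2.dll’ name. Because the Operational log is off by default, enable it before relying on EID 316 (for example with wevtutil sl Microsoft-Windows-PrintService/Operational /e:true), and keep the EID 808 rule in place as it fires on failed attempts that never reach 316.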
