Jump to content
Dragos

Leaked print spooler exploit lets Windows users remotely execute code as system on your domain controller

Recommended Posts

  • Moderators

An infosec firm accidentally published a proof-of-concept exploit for a critical Windows print spooler vulnerability that can be abused by rogue users to compromise Active Directory domain controllers.

The security hole, tracked as CVE-2021-1675, can be exploited by a low-privileged user to execute code as an administrator on a system running the print spooler service. Initially Microsoft classified it as a local privilege escalation flaw in June's Patch Tuesday run of Windows updates – but on 21 June that classification was upped to describe it as a remote-code execution vuln meaning it can be pulled off over a network.

 

Reclassification was for a good reason: infosec folk realized that by lightly tweaking the proof-of-concept code circulating in the wild, a malicious or compromised domain-authenticated user could execute code at the SYSTEM-level on, say, a domain controller via the vulnerable Windows Print Spooler service running on that box. That's bad news.

 

CVE-2021-1675 is exploitable without any high privileges and results in remote SYSTEM from a regular Domain User's account. The public PoC required little modification (I added ability to select domain) but works more or less out-of-the-box on a Windows 2019 DC. Patch quickly!

— Hacker Fantastic (@hackerfantastic) June 30, 2021
Currently scored at 7.8 on the CVSSv3.1 scale with a "critical" severity rating, CVE-2021-1675 affects Windows Server 2008, Server 2012, Server 2016, Server 2019, Windows RT, and desktop OSes 7, 8, and 10.

 

Informed infosec people on Twitter have suggested sysadmins should disable the Windows print spool service on domain controllers as an immediate mitigation. Some have claimed the Patch Tuesday mitigation doesn't work.

 

Matthew “Hacker Fantastic” Hickey told The Register: "In my opinion this is the most significant incident to happen to Windows enterprise systems this year and people need to prioritize disabling the print spooler service on domain controllers and mission critical servers to prevent exploitation of this issue.

 

He told us the exploit works "on a fully patched and updated (as of yesterday) Windows 2019 domain controller" - as seen on Hickey's posted screenshot of his test system with "the exploit being used".

Fully patched Windows 2019 domain controller, popped with 0day exploit (CVE-2021-1675) from a regular Domain User's account giving full SYSTEM privileges. Disable "Print Spooler" service on servers that do not require it. pic.twitter.com/6SUVQYy5Tl

 

— Hacker Fantastic (@hackerfantastic) June 30, 2021

He added: "It works from any domain user to exploit any network server using print spooler service, which is enabled by default on domain controllers.

 

"Ransomware gangs will be quick to use this in their attacks and previously compromised low-value desktops could be used to take control of the entire Windows estate using this bug to then deliver their malware."

 

Martin Lee, technical lead at Cisco Talos, said: "Exploits such as this underline how important it is to both securely authenticate users and be in a position to identify unusual network activity.

 

"Escalation of privilege vulnerabilities continue to be discovered, meaning that we must ensure that lost or stolen credentials cannot be used on their own to authenticate a user to a domain.

 

"Equally, security teams need to be equipped with the tools that allow the identification and triage of unusual network activity. An unprivileged user uploading a new printer driver to the print server isn't an everyday occurrence and should raise suspicions."

 

Sursa: https://www.theregister.com/2021/06/30/windows_print_spool_vuln_rce/

  • Upvote 2
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...