A PoC exploit for the dangerous PrintNightmare vulnerability in the Windows Print Spooler (spoolsv.exe) has been published online. The bug is tracked as CVE-2021-1675 and was patched by Microsoft just a couple of weeks ago, as part of June's Patch Tuesday.
The Windows Print Spooler service is a generic interface between the OS, applications and local or network printers that lets applications submit print jobs. The service has shipped with Windows since the 1990s and is notorious for its long history of security problems.
In particular, PrintDemon, FaxHell, Evil Printer and CVE-2020-1337 were all Print Spooler vulnerabilities, as were the 0-day bugs in the spooler exploited in the Stuxnet attacks.
The newest problem, CVE-2021-1675, was discovered by researchers from Tencent Security, AFINE and NSFOCUS earlier this year and was initially described by Microsoft as a local privilege escalation bug.
Last week, however, Microsoft updated the advisory to state that the issue can also be used for remote arbitrary code execution.
Until then, almost nothing was known about CVE-2021-1675, since the researchers had published neither a technical description of the problem nor an exploit for it. Last week the Chinese company QiAnXin posted a GIF demonstrating its exploit for CVE-2021-1675, but withheld the technical details and the exploit itself in order to give users more time to install the patches.
Now, however, a detailed report with a technical description of the problem has been posted on GitHub, together with a working PoC exploit. This appears to have happened by mistake: the repository was taken down after a few hours, but even in that short time several users managed to clone it.
The leaked write-up, by three researchers at the Chinese company Sangfor, describes how they discovered the bug independently of the researchers credited above.
The researchers also explained that once QiAnXin had published a demo of its exploit, they felt it was time to release their own report and PoC.
A few hours after that statement, however, the team retracted it (apparently deciding not to pre-empt the details of their talk scheduled for Black Hat USA 2021) and deleted the repository from GitHub. By then it was too late: the PoC exploit was already public.
According to Sangfor, who named the bug PrintNightmare, CVE-2021-1675 affects all versions of Windows, and the remote code execution path can be used even against XP and Vista. Because the spooler runs as SYSTEM and is enabled by default on clients and servers alike, organizations are strongly urged to update their fleet of Windows machines as soon as possible.
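As an added practitioner check that is not part of the original article and not taken from Sangfor's PoC: the following PowerShell, run in an elevated session on a host, reports whether spoolsv.exe is running, how many printers (and shared printers) it serves, and the most recently installed update, so that machines exposing the spooler without needing it can be spotted quickly. The `$DisableIfUnused` switch, the rule that a host with no configured printers does not need the service, and the decision to compare update dates against June's Patch Tuesday are assumptions about your environment, not guidance from the article.

```powershell
# Added example, not from the article or from Sangfor's PoC: spooler exposure triage for one host.
# Run in an elevated PowerShell session on the machine being checked.
# Assumption: a host with no configured printers does not need the Print Spooler and can have it disabled.
param(
    [switch]$DisableIfUnused   # opt in explicitly; the default only reports
)

$spooler = Get-Service -Name Spooler -ErrorAction Stop

# Get-Printer lives in the PrintManagement module (Windows 8 / Server 2012 and later).
# If the cmdlet is missing we cannot tell whether printers exist, so we must not disable anything.
$canEnumerate = [bool](Get-Command Get-Printer -ErrorAction SilentlyContinue)
$printers = if ($canEnumerate -and $spooler.Status -eq 'Running') {
    @(Get-Printer -ErrorAction SilentlyContinue)
} else {
    @()
}

# Most recently installed update: compare its date against the June 2021 Patch Tuesday
# to flag hosts that may not have received the fix for CVE-2021-1675.
$lastUpdate = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    SpoolerStatus  = $spooler.Status
    SpoolerStartup = $spooler.StartType
    PrinterCount   = $printers.Count
    SharedPrinters = @($printers | Where-Object Shared).Count
    LastHotFix     = $lastUpdate.HotFixID
    LastHotFixDate = $lastUpdate.InstalledOn
}

# Stopping the service removes the spoolsv.exe attack surface until the patch is confirmed.
# This is only safe on hosts that neither print nor share printers, hence the opt-in switch.
if ($DisableIfUnused -and $canEnumerate -and $printers.Count -eq 0 -and $spooler.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Warning "Print Spooler stopped and disabled on $env:COMPUTERNAME"
}
```

Save it as a .ps1 and run it as-is to get a report; pass -DisableIfUnused only on hosts you have confirmed do not need to print. The update date is a heuristic, not proof of patching: a host can have received later updates while the spooler fix was held back, so confirm the specific KB for each Windows build against Microsoft's advisory for CVE-2021-1675.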
Let me remind you that I also wrote about how Microsoft fixed a bug that corrupted FLAC files.