Instructions on how to exploit Windows Print Spooler accidentally leaked after research blunder


Keumars Afifi-Sabet

2 Jul, 2021

Cyber criminals are abusing a severe Windows vulnerability just days after a security company inadvertently published a proof-of-concept (PoC) exploitation for this previously undisclosed flaw.

The vulnerability, nicknamed PrintNightmare, concerns the Print Spooler component in all Windows devices. It’s being tracked as CVE-2021-34527, and lets attackers install programmes, view, change or delete data, or create new accounts with full privileges on targeted devices.

Microsoft had initially fixed a flaw in the Print Spooler component on 8 June as part of its Patch Tuesday round of updates. At the time this was deemed a privilege escalation flaw and was tracked as CVE-2021-1675.

The firm then upgraded the severity of the bug from just privilege escalation to remote code execution on 21 June.

At the same time, researchers with the security firm Sangfor had been conducting their own research into Print Spooler vulnerabilities, which they were preparing to discuss at the forthcoming Black Hat cyber security conference in August.

Seeing that Microsoft had upgraded the bug’s severity, the researchers assumed that it was the same flaw they had been working with and decided to publish the proof of concept for the exploit ahead of the conference, safe in the knowledge that it had been patched.

This remote code execution exploit, however, was for an entirely different Print Spooler weakness that hadn’t been previously disclosed by Microsoft, and used a different attack vector.

Once this was established, the researchers quickly took down their work, but not before the exploit code was downloaded and republished elsewhere.

Microsoft has since warned businesses that hackers have seized upon this blunder and are targeting businesses with the flaw now known as CVE-2021-34527. Since it’s an evolving situation, Microsoft hasn’t yet attached a threat severity score to the bug.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in a security advisory.

“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.”

Until a patch becomes available, Microsoft has recommended that businesses either disable the Print Spooler service or disable inbound remote printing through their group policy.

The first mitigation would disable the ability to print locally or remotely, while the second workaround blocks the remote attack vector by preventing inbound remote printing operations. Local printing, however, will still be possible.