Instructions on how to exploit Windows Print Spooler accidentally leaked after research blunder

By Keumars Afifi-Sabet
2 Jul, 2021

Cyber criminals are abusing a severe Windows vulnerability just days after a security company inadvertently published a proof-of-concept (PoC) exploit for this previously undisclosed flaw.

The vulnerability, nicknamed PrintNightmare, concerns the Print Spooler component in all Windows devices. It’s being tracked as CVE-2021-34527, and lets attackers install programmes, view, change or delete data, or create new accounts with full privileges on targeted devices.

Microsoft had initially fixed a flaw in the Print Spooler component on 8 June as part of its Patch Tuesday round of updates. At the time this was deemed a privilege escalation flaw and was tracked as CVE-2021-1675.

The firm then upgraded the severity of the bug from privilege escalation to remote code execution on 21 June.

At the same time, researchers with the security firm Sangfor had been conducting their own research into Print Spooler vulnerabilities, which they were preparing to discuss at the forthcoming Black Hat cyber security conference in August.

Seeing that Microsoft had upgraded the bug’s severity, the researchers assumed that it was the same flaw they had been working with and decided to publish the proof of concept for the exploit ahead of the conference, safe in the knowledge that it had been patched.

This remote code execution exploit, however, was for an entirely different Print Spooler weakness that hadn’t been previously disclosed by Microsoft, and used a different attack vector.

Once this was established, the researchers quickly took down their work, but not before the exploit code was downloaded and republished elsewhere.

Microsoft has since warned businesses that hackers have seized upon this blunder and are targeting businesses with the flaw now known as CVE-2021-34527. Since it’s an evolving situation, Microsoft hasn’t yet attached a threat severity score to the bug.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in a security advisory.

“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.”

Until a patch becomes available, Microsoft has recommended that businesses either disable the Print Spooler service or disable inbound remote printing through group policy.

The first mitigation disables the ability to print locally or remotely, while the second blocks the remote attack vector by preventing inbound remote printing operations; local printing remains possible.