#PrintNightmare (CVE-2021-1675 | CVE-2021-34527).info
What is PrintNightmare?
In short, PrintNightmare is the name given to a bug in the Windows Print Spooler service that allows Remote Code Execution (RCE) by abusing the RpcAddPrinterDriver() function. This was originally given CVE-2021-1675 but is now CVE-2021-34527…some confusion there?!
Some resources I have gathered about this sweet bug:
- https://doublepulsar.com/zero-day-for-every-supported-windows-os-version-in-the-wild-printnightmare-b3fdb82f840c
- https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes/
- https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution
- https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/
PoC
Fork of the original post, which was deleted due to the impact: https://github.com/afwu/PrintNightmare
C++ PoC: https://github.com/afwu/PrintNightmare/blob/main/EXP/POC/POC.cpp
Exploit in Python: https://github.com/cube0x0/CVE-2021-1675
Video of the PoC by Huntress Labs:
Mimikatz PrintNightmare Functionality
As of 20210705, Benjamin Delpy (@gentilkiwi) released a version of mimikatz with built-in PrintNightmare exploit functionality: mimikatz 2.2.0-20210705
ItWasAllADream - PrintNightmare RCE Scanner
ItWasAllADream is a tool created by @byt3bl33d3r to scan for PrintNightmare.
Mitigations…How do we stop this?!
If you are looking for mitigations until the patch is released, as well as some official info from Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Also another one: https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/