Recently, a proof-of-concept (PoC) Windows exploit was published on the Internet and taken down soon after. The PoC relates to an RCE (Remote Code Execution) vulnerability in the Windows Print Spooler service. At the time of writing, Microsoft has already addressed and patched the vulnerability.
The security flaw is tracked as CVE-2021-1675, and it can be exploited by attackers to gain remote control of affected systems. The Print Spooler service manages the printing process on Windows computers. Its main job is to temporarily hold print jobs in the computer's memory until printing begins.
One reason such an attack is a concern is the large attack surface the service exposes. Another is that the Print Spooler service runs at an elevated privilege level and can load third-party code.
According to the advisory Microsoft released for this problem, there are several ways the attack could be initiated. The attacker can access the targeted system remotely (for example over Secure Shell) or locally (through a keyboard, a console, etc.), or they can rely on the user interacting with a malicious file, link, etc.
When Microsoft first addressed the flaw, it was categorized as an elevation-of-privilege vulnerability. On June 21st, Microsoft revised the impact of the flaw and reclassified it as RCE, a more severe and dangerous category of security flaw.
Earlier this week, QiAnXin, a Chinese security company, disclosed that it had developed a working proof-of-concept exploit for the vulnerability.
The researchers at QiAnXin haven't shared any technical details about their successful exploitation of the RCE bug, but another cybersecurity company, Sangfor, based in Hong Kong, has also stated that it was able to exploit the vulnerability, and it publicly shared its proof-of-concept code on GitHub. The PoC was available to the public for a few hours before it was taken down. Sangfor gave the vulnerability the codename PrintNightmare.
Zhiniang Peng, Principal Security Researcher at Sangfor, stated that the company has deleted the PoC and advises Windows users to update their OS to the latest version and/or to disable the Spooler service as a means of protecting their PCs from attacks that try to exploit the newly-discovered bug.
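The two mitigations above (install the update, or disable the Spooler service where it is not needed) are easy to audit from an elevated PowerShell session. The script below is an added example, not code from the article or from Sangfor or Microsoft; it only uses standard cmdlets (Get-Service, Get-Printer, Get-HotFix, Stop-Service, Set-Service). The `-Disable` switch and the `$RequiredPatchKB` parameter are assumptions: the article names no KB number, so the placeholder must be replaced with the update ID that applies to your Windows build.

```powershell
# Added example (not from the original article): audit the Print Spooler
# service on the local host and optionally apply the mitigation described
# above (stop and disable the service). Run from an elevated PowerShell
# session. $Disable and $RequiredPatchKB are assumptions; the KB value is a
# placeholder because the article does not name the update.
param(
    [switch]$Disable,
    [string]$RequiredPatchKB = 'KB<placeholder>'
)

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'Print Spooler service not present on this host.'
    return
}

Write-Output ("Spooler status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)

# A print server cannot simply drop the service, so flag shared printers
# before disabling anything. Get-Printer lives in the PrintManagement module,
# which is not present on every SKU, hence the Get-Command check.
$shared = @()
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}
if ($shared.Count -gt 0) {
    Write-Warning ("{0} shared printer(s) found; disabling Spooler will break printing for clients." -f $shared.Count)
}

# Get-HotFix lists installed Windows updates by KB id; look for the one
# the administrator supplied.
$patched = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $RequiredPatchKB }
if ($patched) {
    Write-Output ("Update {0} is installed." -f $RequiredPatchKB)
} else {
    Write-Warning ("Update {0} not found; host may still be exposed." -f $RequiredPatchKB)
}

# Apply the service-level mitigation only when explicitly requested.
if ($Disable) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Spooler stopped and start type set to Disabled.'
}
```

Without `-Disable` the script is read-only and suitable for running across a fleet to find hosts where the service is still running and the update is missing; with `-Disable` it stops the service and prevents it from starting at boot, which is the right choice for hosts that never print, and the wrong one for print servers, which is why the shared-printer warning comes first.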
This isn't the first time vulnerabilities have been found in the Windows Print Spooler service. Last year, Microsoft fixed at least three other bugs in the same service, namely CVE-2020-1048, CVE-2020-1300, and CVE-2020-1337. Back in 2010, a Print Spooler vulnerability was even used to spread the Stuxnet worm, which targeted nuclear installations in Iran.