Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()


### Overview

The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

### Description

The [RpcAddPrinterDriverEx()](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>) function is used to install a printer driver on a system. One of the parameters to this function is the [DRIVER_CONTAINER](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886>) object, which contains information about which driver is to be used by the added printer. Another parameter, `dwFileCopyFlags`, specifies how replacement printer driver files are to be copied.

An attacker can take advantage of the fact that any authenticated user can call `RpcAddPrinterDriverEx()` and specify a driver file that lives on a remote server. This results in the Print Spooler service `spoolsv.exe` loading and executing code from an arbitrary DLL file with SYSTEM privileges.

Note that while the original exploit code relied on `RpcAddPrinterDriverEx()` to achieve code execution, [an updated version of the exploit](<https://github.com/cube0x0/CVE-2021-1675>) uses [RpcAsyncAddPrinterDriver()](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/5d864e3e-5d8b-4337-89ce-cb0258ab97cd>) to achieve the same goal. Both of these RPC methods are implemented on top of [AddPrinterDriverEx()](<https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex>).

While Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does **NOT** protect against public exploits that may refer to `PrintNightmare` or CVE-2021-1675.
On July 1, 2021, Microsoft released [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). This bulletin states that CVE-2021-34527 is similar to, but distinct from, CVE-2021-1675, which addresses a different vulnerability in `RpcAddPrinterDriverEx()`. The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

### Impact

By sending a request to add a printer driver, e.g. by using `RpcAddPrinterDriverEx()` over SMB or `RpcAsyncAddPrinterDriver()` over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well.

We have created a flowchart to indicate exploitability of PrintNightmare across various platform configurations:

![PrintNightmare exploitability flowchart](/static-bigvince-prod-kb-eb/383432_PrintNightmare%20Flowchart-v9.png)

### Solution

#### Apply an update

Microsoft has addressed this issue in the [updates for CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) `NoWarningNoElevationOnInstall` value is set to a non-`0` value. Microsoft indicates that systems where `NoWarningNoElevationOnInstall` is set to a non-`0` value are **vulnerable by design.**

For systems that do not have the update for CVE-2021-34527 installed, or that have Point and Print configured insecurely, consider the following workarounds.

#### Apply a workaround

Microsoft has listed several workarounds in their [advisory for CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).
Specifically:

#### Microsoft Option 1 - Stop and disable the Print Spooler service

This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows. If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

```powershell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```

**Impact of workaround:** Disabling the Print Spooler service disables the ability to print both locally and remotely.

#### Microsoft Option 2 - Disable inbound remote printing through Group Policy

Disable the "Allow Print Spooler to accept client connections" policy to block remote attacks.

**Impact of workaround:** This policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible. It does not address the local attack vector: an unprivileged user already on the system can still reach the spooler.

**Note:** The Print Spooler service **must** be restarted for this workaround to take effect.

#### Block RPC and SMB ports at the firewall

Limited testing has shown that blocking incoming traffic to both the RPC Endpoint Mapper (`135/tcp`) and SMB (`139/tcp` and `445/tcp`) at a host-based firewall can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.

#### Enable security prompts for Point and Print

Ensure that the Windows Point and Print Restrictions are set to `Show warning and elevation prompt` for both installing and updating drivers in Windows Group Policy. Specifically, the `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\` key should have `NoWarningNoElevationOnInstall` and `UpdatePromptSettings` entries that are both set to `0`.
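The following PowerShell audit is an added example, not part of this note or of Microsoft's guidance. It reads the service state, the policy registry values named in the workarounds above, and the host firewall, and reports which PrintNightmare vectors remain reachable. It assumes that the "Allow Print Spooler to accept client connections" policy is stored as the `RegisterSpoolerRemoteRpcEndPoint` DWORD under the Printers policy key (`2` meaning disabled); confirm that mapping against the Group Policy editor on your build. It does not check whether the July 2021 update is installed, so a "hardened" verdict still needs the patch state confirmed separately.

```powershell
# Added example: read-only audit of the PrintNightmare workarounds on this host.
# Not from the CERT/CC note. Run from an elevated PowerShell session.
# Assumption: "Allow Print Spooler to accept client connections" is stored as
# RegisterSpoolerRemoteRpcEndPoint (1 = enabled, 2 = disabled) under the Printers key.

$PrintersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnPKey      = "$PrintersKey\PointAndPrint"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means "not configured" (key or value absent), which is distinct from 0.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-NonZero {
    param($Value)
    # Only an explicit non-zero DWORD disables the prompts; absent or 0 keeps them.
    return ($null -ne $Value) -and ([int]$Value -ne 0)
}

function Get-BlockedInboundTcpPorts {
    # Coarse check: collect LocalPort values of enabled inbound TCP block rules.
    # Port ranges such as '135-139' and 'Any' are not expanded; treat this as a hint.
    $ports = @()
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            if ($pf.Protocol -eq 'TCP') { $ports += @($pf.LocalPort) }
        }
    return $ports
}

function Get-PrintNightmareExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Option 2: anything other than 2 (including "not configured") accepts client connections.
    $remoteRpc     = Get-PolicyValue $PrintersKey 'RegisterSpoolerRemoteRpcEndPoint'
    $acceptsRemote = ($remoteRpc -ne 2)

    # Point and Print prompts and the post-update admin-only driver install switch.
    $noWarning    = Get-PolicyValue $PnPKey 'NoWarningNoElevationOnInstall'
    $updatePrompt = Get-PolicyValue $PnPKey 'UpdatePromptSettings'
    $restrict     = Get-PolicyValue $PnPKey 'RestrictDriverInstallationToAdministrators'
    $pnpInsecure  = (Test-NonZero $noWarning) -or (Test-NonZero $updatePrompt)
    $adminOnly    = Test-NonZero $restrict

    # Firewall workaround: all three ports must be blocked inbound.
    $blocked      = Get-BlockedInboundTcpPorts
    $portsBlocked = @('135', '139', '445') | ForEach-Object { $blocked -contains $_ }
    $firewallBlocksAll = -not ($portsBlocked -contains $false)

    # Decision mirrors the note: a stopped spooler removes both vectors; Option 2 or the
    # firewall removes only the remote one; insecure Point and Print is vulnerable by design.
    if (-not $spoolerRunning)            { $verdict = 'Spooler stopped: not exploitable' }
    elseif ($pnpInsecure)                { $verdict = 'Point and Print insecure: vulnerable by design, even if patched' }
    elseif ($adminOnly -and -not $acceptsRemote) { $verdict = 'Hardened (still confirm the July 2021 update is installed)' }
    else                                 { $verdict = 'Exposed: apply the update and one of the workarounds above' }

    [pscustomobject]@{
        SpoolerRunning         = $spoolerRunning
        RemoteVectorReachable  = $spoolerRunning -and $acceptsRemote -and -not $firewallBlocksAll
        PointAndPrintInsecure  = $pnpInsecure
        DriverInstallAdminOnly = $adminOnly
        FirewallBlocksRpcSmb   = $firewallBlocksAll
        Verdict                = $verdict
    }
}

Get-PrintNightmareExposure | Format-List
```

`RemoteVectorReachable` is the property to alert on for fleet-wide reporting; `PointAndPrintInsecure` flags the hosts where Microsoft's update alone gives no protection.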
#### Restrict printer driver installation ability to administrators

After the Microsoft update for CVE-2021-34527 is installed, a registry value called `RestrictDriverInstallationToAdministrators` in the `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\` key is checked. When it is set, only administrators may install printer drivers. Please see [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for more details.

### Acknowledgements

This issue was publicly disclosed by Zhiniang Peng and Xuefeng Li. This document was written by Will Dormann.

### Vendor Information (VU#383432)

#### Microsoft

Status: Affected  
Notified: 2021-06-30  
Updated: 2021-07-08

| CVE | Status |
|---|---|
| CVE-2021-1675 | Affected |
| CVE-2021-34527 | Affected |

**Vendor Statement:** We have not received a statement from the vendor.
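The following enforcement script is an added example, not part of this note or of Microsoft's KB article. It sets the Point and Print prompt values to `0`, sets `RestrictDriverInstallationToAdministrators` to `1` (which only has effect once the July 2021 update is installed), and, unless the host must keep serving print clients, disables inbound client connections before restarting the spooler as the Option 2 workaround requires. As with the audit above, it assumes that "Allow Print Spooler to accept client connections" is stored as `RegisterSpoolerRemoteRpcEndPoint` with `2` meaning disabled; `-WhatIf` shows the changes without applying them.

```powershell
# Added example: enforce the registry-based PrintNightmare hardening from this note.
# Not from the CERT/CC note or KB5005010. Run elevated; supports -WhatIf / -Confirm.
# Assumption: RegisterSpoolerRemoteRpcEndPoint = 2 backs the "Allow Print Spooler to
# accept client connections: Disabled" policy. Pass -KeepRemotePrinting on print servers.

function Set-PrintNightmareHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$KeepRemotePrinting   # skip Option 2 where the host must serve print clients
    )
    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnpKey      = "$printersKey\PointAndPrint"

    # Desired state: prompts back on, driver installs admin-only, remote RPC endpoint off.
    # Keys are "registry path|value name" so one loop can handle both registry keys.
    $desired = @{
        "$pnpKey|NoWarningNoElevationOnInstall"              = 0
        "$pnpKey|UpdatePromptSettings"                       = 0
        "$pnpKey|RestrictDriverInstallationToAdministrators" = 1
    }
    if (-not $KeepRemotePrinting) {
        $desired["$printersKey|RegisterSpoolerRemoteRpcEndPoint"] = 2
    }

    $changed = $false
    foreach ($entry in $desired.GetEnumerator()) {
        $path, $name = $entry.Key -split '\|', 2
        $want = $entry.Value
        # $null when the key or value is absent (policy not configured).
        $have = try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name } catch { $null }
        if ($have -eq $want) { continue }

        if ($PSCmdlet.ShouldProcess("$path\$name", "set DWORD '$have' -> $want")) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name $name -Value $want -PropertyType DWord -Force | Out-Null
            $changed = $true
        }
    }

    # The note states the spooler must be restarted for Option 2 to take effect.
    if ($changed -and $PSCmdlet.ShouldProcess('Spooler', 'restart service')) {
        Restart-Service -Name Spooler -Force
    }
    return $changed
}

# Dry run first; drop -WhatIf to apply.
Set-PrintNightmareHardening -WhatIf
```

The function returns `$true` only when something was changed, so it can be wrapped in a configuration-management run that reports drift. It deliberately does not touch `NoWarningNoElevationOnInstall` on its own: that value is written together with `UpdatePromptSettings`, since leaving either one non-zero keeps the host in the "vulnerable by design" state described above.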
#### References

* <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>

### References

* <https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>
* <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>
* <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>
* <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>
* <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886>
* <https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>
* <https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex>
* <https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>
* <https://github.com/afwu/PrintNightmare>
* <https://github.com/cube0x0/CVE-2021-1675>
* <https://github.com/calebstewart/CVE-2021-1675>

### Other Information

| | |
|---|---|
| **CVE IDs:** | [CVE-2021-1675](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-1675>), [CVE-2021-34527](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-34527>) |
| **Date Public:** | 2021-06-30 |
| **Date First Published:** | 2021-06-30 |
| **Date Last Updated:** | 2021-08-03 15:36 UTC |
| **Document Revision:** | 32 |