ICT379 Security Architectures and Systems Administration

PROJECT REPORT > ICT379 Security Architectures and Systems Administration

Murdoch University ICT 379 Introduction The term "PrintNightmare" is commonly used to refer to a specific vulnerability known as Remote Code Execution, which affects the Print Spooler service (spoolsv.exe) in Microsoft Windows Operating Systems. The assigned Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability is CVE-2021-34527. At th ...[Show More]

Murdoch University
ICT 379
Introduction

The term "PrintNightmare" is commonly used to refer to a specific vulnerability known as Remote Code Execution, which affects the Print Spooler service (spoolsv.exe) in Microsoft Windows Operating Systems. The assigned Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability is CVE-2021-34527.

At the outset, the identified vulnerability was classified as a Local Privilege Escalation (LPE) and subsequently designated as CVE-2021-1675. In June 2021, low severity updates were promptly issued to address the LPE vulnerability. Approximately two weeks later, Microsoft revised the classification of the Low Privilege Escalation (LPE) vulnerability from low severity to severe.

This adjustment was made due to the discovery that the existing patches were circumvented, resulting in the successful exploitation of the vulnerability and the assignment of CVE-2021- 34527 for the obtained Remote Code Execution.

There are two primary reasons why PrintNightmare is widely regarded as highly hazardous. The default activation of the Windows Print Spooler on all Windows-based systems, including domain controllers and computers with system administrator credentials, renders these machines susceptible to security risks.

Furthermore, a miscommunication among teams of researchers, potentially coupled with a minor error, resulted in the discovery of an exploit for the vulnerability known as PrintNightmare. The researchers involved expressed a high level of confidence that the problem had been resolved by Microsoft's June patch, leading them to disseminate their findings among the expert community.

The vulnerabilities and their exploitation

The vulnerability identified as CVE-2021-1675 pertains to a privilege elevation vulnerability. This vulnerability enables an attacker with limited privileges to gain access to the compromised computer. Microsoft classifies this vulnerability as having a relatively low level of risk.

The vulnerability identified as CVE-2021-34527 poses a substantially higher level of risk. The vulnerability in question is classified as a remote code execution (RCE) vulnerability, indicating its capability to enable the remote injection of dynamic-link libraries (DLLs). The vulnerability in question has been observed to be exploited by Microsoft.

The utilisation of the PrintNightmare vulnerability by malicious actors enables them to get unauthorised access to sensitive information within business networks, hence potentially facilitating the execution of ransomware operations.

Vulnerability Flow

MS-RPRN protocol (Print System Remote Protocol) has a method RpcAddPrinterDriverEx() which allows remote driver installation by users with the SeLoadDriverPrivilege right.