CVE-2021-34527 Print Spooler

Windows Print Spooler Remote Code Execution Vulnerability

Detail

Per Microsoft, "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights"

PoC

https://github.com/cube0x0/CVE-2021-1675

Detection

rpcdump.py is part of the impacket suite of tools.

rpcdump.py @$IP | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Mitigation

Microsoft has released a patch to mitigate against these attacks but if these values below are present on a machine, then the machine will still be vulnerable

REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
    NoWarningNoElevationOnInstall    REG_DWORD    0x1

Disable Spooler service

Stop-Service Spooler
REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start" /t REG_DWORD /d "4" /f

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-34527

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

PreviousCVE-2019-18634 Sudo < 1.8.26NextWriting Suricata Rules

Last updated