Microsoft addressed a local privilege escalation flaw in the Print Spooler service, tracked as CVE-2021-1675, in June 2021, but within days the vulnerability's impact was upgraded to remote code execution (RCE). Researchers found the fix was ineffective: the operating system was still vulnerable to RCE running with SYSTEM privileges. The new flaw was tracked as CVE-2021-34527 and named PrintNightmare.
PrintNightmare is one of the most dangerous vulnerabilities affecting Windows operating systems discovered in the past few years. The flaw abuses the RpcAddPrinterDriver call, which is part of the Windows Print Spooler service.
In detail, the vulnerability chain is composed of the following steps:
1. The client invokes the RPC call to remotely add a new driver, supplying the driver file from a local folder or over the SMB protocol. A valid account is needed for this.
2. The “DRIVER_INFO_2” object is then allocated, initializing the “DRIVER_CONTAINER” object.
3. The “DRIVER_CONTAINER” is used along with the RpcAddPrinterDriver call to load the driver.
4. The driver, a malicious DLL, contains the code that is executed in the context of the SYSTEM user.
Any user who can authenticate to the Spooler service could execute this scenario.
[Figure: Technical details of the PrintNightmare flaw]
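The defensive counterpart of the chain above, as an added example that is not part of the original article: a PowerShell script that reports whether a host still exposes the RpcAddPrinterDriver path (Spooler running, remote RPC client connections allowed, Point and Print policy relaxed) and, with the -Harden switch, applies the mitigations from Microsoft's published guidance for CVE-2021-34527 (disable the Spooler where printing is not needed, restrict driver installation to administrators, and restore the install prompts). The function names are this example's own; the registry paths and value names are assumed to match the Point and Print policy settings and should be checked against the Microsoft advisory for your OS build. Run it from an elevated prompt.

```powershell
# Added example (not code from the original article): audit and optionally
# harden a Windows host against the PrintNightmare (CVE-2021-34527) attack path.
# Assumes Windows PowerShell 5.1 or later, run as Administrator.
[CmdletBinding()]
param(
    [switch]$Harden   # without this switch the script only reports findings
)

# Assumed policy locations (Group Policy "Printers" settings, per Microsoft guidance).
$PrintersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrintKey = Join-Path $PrintersKey 'PointAndPrint'

function Get-PolicyValue {
    # Returns the DWORD value or $null when the key/value is absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PrintNightmareExposure {
    # Returns a list of human-readable findings; an empty list means no weak setting was found.
    $findings = @()
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) { return $findings }   # no Spooler at all: nothing to abuse

    if ($spooler.Status -eq 'Running') {
        $findings += "Spooler is running (StartType=$($spooler.StartType)); RpcAddPrinterDriver is callable."

        # Policy "Allow Print Spooler to accept client connections": 2 = disabled.
        # Only print servers need remote RPC; on workstations this closes the remote path.
        $remoteRpc = Get-PolicyValue $PrintersKey 'RegisterSpoolerRemoteRpcEndPoint'
        if ($remoteRpc -ne 2) {
            $findings += 'Spooler accepts remote RPC client connections; disable unless this host serves printers.'
        }
    }

    # 0 lets non-administrators install print drivers (the step the attack chain relies on).
    $restrict = Get-PolicyValue $PointAndPrintKey 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0: non-administrators may install print drivers.'
    }

    # Any non-zero value weakens or removes the warning/elevation prompt on driver install.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = Get-PolicyValue $PointAndPrintKey $name
        if ($null -ne $value -and $value -ne 0) {
            $findings += "${name}=${value}: driver installation prompts are weakened."
        }
    }
    return $findings
}

function Invoke-PrintNightmareHardening {
    # Mitigation 1: stop and disable the Spooler on hosts that do not need to print.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled

    # Mitigation 2: even where the Spooler must stay enabled, enforce the safe
    # Point and Print values so only administrators can add drivers, with prompts intact.
    if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
    New-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PointAndPrintKey -Name 'NoWarningNoElevationOnInstall' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $PointAndPrintKey -Name 'UpdatePromptSettings' -PropertyType DWord -Value 0 -Force | Out-Null

    # Mitigation 3: refuse remote RPC client connections to the Spooler.
    New-ItemProperty -Path $PrintersKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -PropertyType DWord -Value 2 -Force | Out-Null
}

$before = @(Test-PrintNightmareExposure)
if ($before.Count -eq 0) { Write-Host 'No PrintNightmare-related weak settings found.' }
else { $before | ForEach-Object { Write-Warning $_ } }

if ($Harden) {
    Invoke-PrintNightmareHardening
    Write-Host 'Mitigations applied; re-checking:'
    $after = @(Test-PrintNightmareExposure)
    if ($after.Count -eq 0) { Write-Host 'Host no longer exposes the driver-installation path.' }
    else { $after | ForEach-Object { Write-Warning $_ } }
}
```

Run without arguments on a fleet to inventory exposure first; the report-only mode is safe on print servers, whereas -Harden disables the Spooler and should be applied only to hosts that do not print. Disabling the service closes both the local and the remote variant of the chain, because RpcAddPrinterDriver is unreachable once the Spooler is stopped; the Point and Print values are the fallback for hosts that must keep printing.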