VU#383432: Microsoft Windows Print Spooler RpcAddPrinterDriverEx() function allows for RCE







Overview


The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.


Description


The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer, including the paths of the driver files. Another argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx(), and that the driver file it names may live on a remote server (for example, a UNC path to an attacker-controlled SMB share). The Print Spooler service, spoolsv.exe, loads the specified DLL and executes its code with SYSTEM privileges.


While Microsoft released an update for CVE-2021-1675 in June 2021, it is important to realize that this update does NOT address the public exploits that also identify as CVE-2021-1675. Microsoft subsequently tracked the remote code execution variant exercised by those exploits as CVE-2021-34527.


Exploit code for this vulnerability, known as PrintNightmare, is publicly available and has been demonstrated against Active Directory domain controllers, which run the Print Spooler service by default.
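The mechanism described above leaves a characteristic trace on the target: the Print Spooler logs the driver installation, and the file list it records contains the remote (UNC) path the attacker supplied. The following is an added detection example, not code from the CERT/CC note or from any exploit; it assumes that PrintService/Operational events have been exported as (event ID, message) pairs, and the sample records below are constructed approximations of Windows event text, not verbatim log output. Event 316 is the "printer driver added or updated" event and 808 is the "failed to load a plug-in module" event.

```python
import re
from dataclasses import dataclass

# Constructed sample records approximating Microsoft-Windows-PrintService/Operational
# events exported to text. Wording is an approximation, not verbatim Windows messages.
# Event 316: driver added or updated; 808: spooler failed to load a plug-in module.
SAMPLE_EVENTS = [
    (316, "Printer driver HP Universal Printing PCL 6 for Windows x64 was added or updated. "
          "Files:- hpcu255u.dll, hpcu255u.gpd. No user action is required."),
    (316, "Printer driver 1234 for Windows x64 was added or updated. "
          "Files:- \\\\192.0.2.10\\share\\evil.dll, UNIDRV.DLL, kernelbase.dll. "
          "No user action is required."),
    (808, "The print spooler failed to load a plug-in module "
          "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\New\\evil.dll, error code 0x45A."),
    (307, "Document 5, Print Document owned by alice was printed on Printer1."),
]

# A UNC path: two leading backslashes, a host name, then a backslash.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# The comma-separated file list sits between "Files:-" and the closing sentence.
FILES_RE = re.compile(r"Files:-\s*(.*?)\.\s*No user action", re.S)
PLUGIN_RE = re.compile(r"plug-in module (\S+),")


@dataclass
class Finding:
    event_id: int
    reason: str
    path: str


def driver_files(message):
    """Return the list of driver files named in a 316 event message."""
    m = FILES_RE.search(message)
    if not m:
        return []
    return [f.strip() for f in m.group(1).split(",") if f.strip()]


def is_suspicious_path(path):
    """A driver file referenced via a remote share is the hallmark of this abuse:
    legitimate 316 events list bare file names copied into the driver store."""
    return bool(UNC_RE.match(path))


def analyze(events):
    """Scan (event_id, message) pairs and return Finding objects for
    drivers installed from a remote share and for plug-in load failures,
    which the spooler emits when it rejects or fails to load the payload."""
    findings = []
    for event_id, message in events:
        if event_id == 316:
            for f in driver_files(message):
                if is_suspicious_path(f):
                    findings.append(Finding(316, "driver file loaded from a remote share", f))
        elif event_id == 808:
            m = PLUGIN_RE.search(message)
            findings.append(Finding(808, "spooler failed to load a plug-in module",
                                    m.group(1) if m else ""))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"event {finding.event_id}: {finding.reason}: {finding.path}")
```

The UNC check is the high-signal rule; a 316 event whose file list names a path on another host should be treated as a driver installed from a remote server, exactly the situation the description above outlines. The 808 rule is noisier on its own and is best reviewed together with the 316 events that precede it.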


Impact


By sending an RpcAddPrinterDriverEx() RPC request, e.g. over SMB via the MS-RPRN interface on the \pipe\spoolss named pipe, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.


Solution


The CERT/CC is currently unaware of a practical solution to ..
