PrintNightmare: How the rush of researchers armed cybercriminals

A race between researchers led to the publication of a tutorial to exploit a flaw … which was not yet fixed. This vulnerability named PrintNightmare is found in virtually all versions of Windows.

The PrintNightmare vulnerability, the ” nightmare of impressions “Agitates the world of cybersecurity in early July. This vulnerability is what is called in the jargon an RCE (Remote Code Execution), a type of flaw that allows code to be executed on a computer remotely. In this case, it makes it possible to infiltrate a company system and even the Active Directory, a sort of network control tower. To launch it, all you need to do is gain access to the network, for example by purchasing credentials. The door opened by PrintNightmare would make it possible at the end of the chain to steal documents or even deploy ransomware.

The vulnerability is located in Windows Print Spooler, or spoolsv.exe, the service responsible for the process of printing documents, included in virtually all versions of the Microsoft operating system. In other words, the potential targets of an attack number in the hundreds of millions.

Oh wow! It wasn’t the intern’s fault. // Source: CCO / Pxhere

As of June 2, three days after the first signs of PrintNightmare exploitation, Windows has not yet been able to deploy a hotfix patch. In the meantime, the company has therefore issued a detailed alert, in which it advises users to either disable Windows Print Spooler or disable the setting that allows printing without being directly connected by cable to the machine.

In short: protecting yourself from the exploitation of the flaw is not very complicated, but generates difficulties of use. Especially since Windows Print Spooler does not only organize the paper printing, it is also it which supports the conversion of a Word document in PDF or OneNote format for example.

Everything starts from a dumpling

As early as June 29, before the vulnerability began to be exploited, The Record Media had looked into the strange appearance of PrintNightmare, due to… an error. A team of three researchers from the Chinese company Sangfor has published a proof of concept (ie an exploitation practice) for a Windows Print Spooler vulnerability that they thought has already been corrected in Microsoft’s latest patch, the CVE -2021-1675.

Except that the loophole they exploited was not the one they believed, but another, now named CVE-2021-34527. Result: their publication revealed a “0-day”, nickname given to the flaws without patch, without their being aware of it. The researchers withdrew their work in the following hours, but the damage was already done: several GitHub users had already copied their code, and some even republished it in the following days. Time was running out before the tool was used for malicious purposes.

Oops, the researchers released a 0-day. // Source: The stupid dinner

To understand the origin of the “ball”, we must rewind some time earlier, Tuesday, June 8, 2021, day of the monthly Microsoft “patch Tuesday”. During this meeting, the company publishes fixes for the dozens of vulnerabilities recently discovered in its software. It ranks them by type and by “criticality”, an indicator of dangerousness. This June patch therefore came to fix 50 flaws, and among them, the CVE-2021-1675, which had no reason to make the headlines. It had been discovered by three different research teams earlier in the year, and Microsoft described it as a low-grade, “elevation of privilege” flaw. In other words, it could be used by an average user of the network to gain administrator rights, but the attack scenarios to exploit it were particularly laborious.

A race for exclusivity that drifts

When the editor presents the flaw, it does not specify how to exploit it, and above all it is already no longer effective on updated systems. If a cybercriminal wants to take advantage of the vulnerability, then they have to reverse engineer the patch to figure out how to exploit it, and then create the tool. Substantial work, which may require a high level of skills and which will be unnecessary on up-to-date systems. The flaw was not interesting enough to justify this work.

Except that a few weeks later, Microsoft reclassified CVE-2021-1675 as RCE. Several researchers then looked into the subject: those from Sangfor, but also from another Chinese company, QiAnXin. The latter published on June 28 a GIF to prove that they had found proof of concept for the flaw, except that they did not provide technical details with it. Among other things, they wanted to give more users time to deploy the patch, and their little animation did not give any indicator to reproduce their manipulation.

A quick patch?

The problem is that this GIF was enough to get the Sangfor researchers off the rails, who made the code and technical details of their own proof of concept available to everyone. However, they wanted to preserve it for a Chinese hacking contest and then for a presentation at the Black Hat USA conference. They therefore rushed the publication of their work for fear of not having primacy, without realizing that they were revealing a flaw that had not yet been corrected. They are the ones who baptized PrintNightmare… and who indirectly started the wave of attacks.

As The Record Media reminds us, Windows Print Spooler has been known to be a hotbed of dangerous vulnerabilities since the 90s. PrintNightmare is just the last name in a long list which contains Print Demon, Evil Printer and the famous Stuxnet. The problem has grown to such an extent that Windows is expected to issue a patch for the flaw as soon as possible, before the next Tuesday patch, set for July 12.

Related Articles