Researcher releases PoC for Windows Print Spooler remote code execution vulnerability
Recently, security researchers disclosed a PoC for the Windows Print Spooler remote code execution vulnerability on GitHub. The vulnerability is tracked as CVE-2021-1675, with a CVSS:3.0 score of 7.8 / 6.8.
Windows Print Spooler is widely used in various intranets. Attackers can use this vulnerability to bypass the security verification in RpcAddPrinterDriver and install malicious drivers on the print server. If the user account controlled by the attacker is in the domain, the attacker can connect to the Spooler service on the DC and use the vulnerability to install malicious drivers on the DC, completely controlling the entire domain environment.
The vulnerability exists widely in all Windows versions, and the complexity of exploitation is medium. However, because an attacker who successfully exploited the vulnerability can completely control the domain environment and cause very serious consequences, the exploit value of the vulnerability is extremely high.
Vulnerability Detail
The vulnerability is due to a code flaw in the SeLoadDriverPrivilege check applied when an RPC request is sent. Users can change the code execution logic through controllable parameters to bypass the security check. Authenticated users can install malicious code in the printer service, resulting in code execution.
Solution
In this regard, we recommend that users upgrade Windows to the latest version as soon as possible. If users are temporarily unable to apply the patch, they can mitigate the risk by disabling the Print Spooler service:
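As an added example that is not part of the original article, the following PowerShell script reports the Print Spooler state on a list of servers and, only when run with -Apply, stops and disables the service; the hostnames in $Targets are constructed placeholders, PowerShell remoting and local administrator rights on each target are assumed, and the domain-controller check reads Win32_ComputerSystem.DomainRole.

```powershell
<#
  Added example (not from the original article): disable the Print Spooler
  service as a temporary mitigation for CVE-2021-1675 on servers that do not
  need to print, with domain controllers listed first. Assumes PowerShell
  remoting is enabled and the caller is a local administrator on each target.
  Hostnames in $Targets are constructed placeholders.
#>
param(
    [string[]]$Targets = @('DC01.example.local', 'FILESRV01.example.local'),
    [switch]$Apply   # without -Apply the script only reports and changes nothing
)

$results = Invoke-Command -ComputerName $Targets -ArgumentList $Apply.IsPresent -ScriptBlock {
    param([bool]$DoApply)

    $svc = Get-Service -Name Spooler
    # DomainRole 4 = backup DC, 5 = primary DC: the hosts where a Spooler
    # compromise has the highest impact, so they are flagged in the report
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4
    $before = "$($svc.Status)/$($svc.StartType)"

    if ($DoApply) {
        # Stop the running service, then prevent it from starting again on reboot
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler   # re-read to record the new state
    }

    [PSCustomObject]@{
        Computer = $env:COMPUTERNAME
        IsDC     = $isDc
        Before   = $before
        After    = "$($svc.Status)/$($svc.StartType)"
        Applied  = $DoApply
    }
}

# Domain controllers first so the most exposed hosts are reviewed before the rest
$results | Sort-Object -Property IsDC -Descending |
    Format-Table Computer, IsDC, Before, After, Applied -AutoSize
```

Run it once without -Apply to review which hosts still have the service running, then again with -Apply only against hosts that do not need to print, since disabling the service stops all printing on that machine.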