
PrintNightmare
Critical Windows Print Spooler vulnerability allowing remote code execution with system privileges. Understanding CVE-2021-34527 and CVE-2021-1675, their exploitation techniques, and effective mitigations.
Description
PrintNightmare is a critical vulnerability in the Windows Print Spooler service, which runs as the spoolsv.exe process on Windows systems. This vulnerability encompasses two related CVEs: CVE-2021-34527 (remote code execution) and CVE-2021-1675 (local privilege escalation), both affecting the Windows Print Spooler's handling of printer driver installations.
An adversary who successfully exploits PrintNightmare can achieve full system control by executing arbitrary code, such as dynamic link libraries (DLLs) or Windows executables, with SYSTEM privileges. The vulnerability stems from improper handling of printer driver installation via the RpcAddPrinterDriverEx() function, which can be abused to load malicious drivers without proper authentication or validation.
In Active Directory environments, successful exploitation can lead to lateral movement and potential domain compromise, making this one of the most severe Windows vulnerabilities discovered in recent years.
Critical Impact Alert
PrintNightmare can be exploited both locally and remotely, allowing attackers to gain SYSTEM privileges and potentially compromise entire Active Directory domains. The vulnerability remained partially exploitable even after initial patches due to Point and Print policy configurations.
Impact
- Remote Code Execution (RCE): Attackers can execute arbitrary code with SYSTEM privileges on vulnerable systems
- Local Privilege Escalation: Low-privileged users can escalate to SYSTEM level access
- Lateral Movement: In domain environments, compromised systems can be used to attack other domain-joined machines
- Domain Compromise: Print servers in Active Directory environments can provide pathways to domain controller compromise
- Persistence: Malicious printer drivers can be installed as a persistence mechanism
- Credential Harvesting: SYSTEM-level access enables extraction of cached credentials and security tokens
The vulnerability is particularly dangerous because the Print Spooler service runs by default on most Windows systems and domain controllers.
Technical Details
PrintNightmare exploits the Windows Print Spooler's driver installation mechanism through several attack vectors:
CVE-2021-34527 (Remote Code Execution)
- Allows remote attackers to install malicious printer drivers
- Exploits the RpcAddPrinterDriverEx() function via the MS-RPRN protocol
- Can be triggered remotely if the Print Spooler service is accessible
CVE-2021-1675 (Local Privilege Escalation)
- Enables local users to install printer drivers and escalate privileges
- Bypasses driver signing requirements through Point and Print functionality
- Exploits trust relationships in Active Directory environments
Common Attack Scenarios
- Remote exploitation via network-accessible Print Spooler services
- Local exploitation by authenticated low-privilege users
- Lateral movement through domain trust relationships
- Print server compromise leading to domain-wide impact
Detection
PrintNightmare exploitation can be detected through various monitoring approaches:
- Event Log Monitoring:
  - Event ID 316 (printer driver installation)
  - Event ID 808 (print processor installation)
  - Unusual print-related activities in System and Security logs
- Network Monitoring:
  - Suspicious RPC traffic to Print Spooler (MS-RPRN protocol)
  - Unexpected connections to TCP port 445 (SMB) for driver downloads
  - Abnormal print service enumeration activities
- File System Monitoring:
  - Unauthorized files in C:\Windows\System32\spool\drivers\
  - Suspicious DLL installations in printer driver directories
  - Modified or new files in print processor locations
- Process Monitoring:
  - Unusual child processes spawned by spoolsv.exe
  - Unexpected network connections from the Print Spooler service
  - Abnormal memory allocation patterns in the spooler process
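The following PowerShell hunt is an added example, not code from the original page. It collects the event log, process and file system indicators listed above on the local host; it assumes administrator rights and that the Microsoft-Windows-PrintService/Operational log has been enabled (it is off by default), and the function name is this example's own.

```powershell
# Added detection example, not from the original page. Collects the event, process and
# driver-store indicators described in the Detection section for the local host.
# Assumes administrator rights and an enabled PrintService/Operational log.
function Find-PrintNightmareIndicators {
    param([int]$LookbackDays = 7)
    $since = (Get-Date).AddDays(-$LookbackDays)

    # 1. Event ID 316 (printer driver added or updated) and 808 (spooler plug-in load event)
    $events = foreach ($log in 'Microsoft-Windows-PrintService/Operational', 'Microsoft-Windows-PrintService/Admin') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 316, 808; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Log     = $log
                    Summary = ($_.Message -split "`r?`n")[0]   # first line of the message names the driver or module
                }
            }
    }

    # 2. Child processes of spoolsv.exe: the spooler normally spawns none, so any child merits triage
    $children = foreach ($s in (Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'")) {
        Get-CimInstance Win32_Process -Filter "ParentProcessId = $($s.ProcessId)" |
            Select-Object ProcessId, Name, CommandLine
    }

    # 3. DLLs under the driver store written recently that do not carry a valid Authenticode signature
    $driverRoot = Join-Path $env:SystemRoot 'System32\spool\drivers'
    $suspectDlls = Get-ChildItem -Path $driverRoot -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ File = $_.FullName; Written = $_.LastWriteTime; Signature = $sig.Status }
            }
        }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        DriverEvents    = @($events)
        SpoolerChildren = @($children)
        SuspectDlls     = @($suspectDlls)
        Suspicious      = (@($children).Count -gt 0) -or (@($suspectDlls).Count -gt 0)
    }
}

Find-PrintNightmareIndicators | Format-List
```

Driver events alone are expected on print servers; the script flags a host as suspicious only on spooler child processes or unsigned driver-store DLLs, so review the event list against your change records.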
Remediation
Prioritized steps to mitigate PrintNightmare vulnerabilities:
Immediate Actions
- Apply Microsoft Security Updates:
  - Install KB5004945 (July 2021) and subsequent updates
  - Verify patch installation with the Get-HotFix PowerShell command
  - Test patches in non-production environments first
- Disable Print Spooler Service (if printing not required):
Registry-Based Mitigations
Configure Point and Print policies to prevent exploitation:
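The script below is an added example, not the page's own configuration. It sets the Point and Print policy values Microsoft published for PrintNightmare and, with the optional switch, disables the spooler on hosts that never print (the "Disable Print Spooler Service" step above). The registry path and value names are Microsoft's; the script name and switch are this example's own.

```powershell
# Added hardening example, not from the original page. Run elevated; the spooler must be
# restarted (or the host rebooted) before the policy values take effect.
param([switch]$DisableSpooler)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }

# Microsoft's mitigation guidance requires both prompt settings to be 0, so that users are
# warned and prompted for elevation when installing or updating drivers.
# NoWarningNoElevationOnInstall = 1 leaves the host vulnerable by design even when patched.
Set-ItemProperty -Path $policyPath -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
Set-ItemProperty -Path $policyPath -Name 'UpdatePromptSettings'          -Value 0 -Type DWord

# Introduced with the August 2021 updates (KB5005652): only administrators may install printer drivers.
Set-ItemProperty -Path $policyPath -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord

if ($DisableSpooler) {
    # Hosts that never print (most domain controllers and servers) need no spooler at all.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
} else {
    # Otherwise restart the spooler so the new policy values are read.
    Restart-Service -Name Spooler -Force
}

# Echo the applied values for the change record.
Get-ItemProperty -Path $policyPath |
    Select-Object NoWarningNoElevationOnInstall, UpdatePromptSettings, RestrictDriverInstallationToAdministrators
```

When these values are delivered by Group Policy, set them in the GPO rather than directly in the registry, or the next policy refresh will overwrite them.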
Network-Level Controls
- Restrict Print Spooler Access:
  - Block TCP port 445 (SMB) and 135 (RPC Endpoint Mapper) where possible
  - Implement network segmentation for print servers
  - Use Windows Firewall to limit Print Spooler access
- Monitor RPC Traffic:
  - Deploy network monitoring for MS-RPRN protocol abuse
  - Alert on unusual print service enumeration activities
Active Directory Hardening
- Limit Print Service Permissions:
  - Remove the "Print Operators" group from domain controllers
  - Restrict printer installation rights to administrators only
  - Audit existing printer driver installations
- GPO Configuration:
  - Deploy Point and Print restrictions via Group Policy
  - Disable the "Allow users to install printer drivers" policy
  - Enable the "Only use Package Point and Print" setting
Detection and Monitoring
- Enable Audit Policies:
- PowerShell Monitoring:
Verification
To confirm successful remediation:
- Patch Verification:
- Service Status Check:
- Registry Validation: Verify Point and Print policies are correctly configured
- Driver Audit:
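The function below is an added verification example, not code from the original page. It runs the four checks above on the local host and returns one object per run; the KB number is the one named on this page, and the function name, the -1 sentinel and the "Remediated" rule (patched, and either Point and Print locked down or the spooler stopped) are this example's own.

```powershell
# Added verification example, not from the original page. Reports patch, service,
# Point and Print policy and driver-store state for the local host.
function Test-PrintNightmareRemediation {
    param([string]$PatchId = 'KB5004945')   # July 2021 out-of-band update named on this page

    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $policy     = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # Returns the DWORD value, or -1 when the policy value has not been set explicitly.
    function Get-PolicyDword([object]$Props, [string]$Name) {
        if ($null -ne $Props -and $null -ne $Props.$Name) { [int]$Props.$Name } else { -1 }
    }

    $patch   = Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue
    $spooler = Get-Service -Name Spooler

    # Point and Print is considered locked down only when all three values are explicitly set.
    $pnpSecure = (Get-PolicyDword $policy 'NoWarningNoElevationOnInstall') -eq 0 -and
                 (Get-PolicyDword $policy 'UpdatePromptSettings') -eq 0 -and
                 (Get-PolicyDword $policy 'RestrictDriverInstallationToAdministrators') -eq 1

    # Driver audit: installed drivers whose binaries live outside the spooler driver store.
    $driverRoot     = Join-Path $env:SystemRoot 'System32\spool\drivers'
    $suspectDrivers = Get-PrinterDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.DriverPath -and -not $_.DriverPath.StartsWith($driverRoot, 'OrdinalIgnoreCase') } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PatchInstalled  = [bool]$patch
        SpoolerStatus   = $spooler.Status
        SpoolerStartup  = $spooler.StartType
        PointAndPrintOK = $pnpSecure
        SuspectDrivers  = @($suspectDrivers)
        Remediated      = [bool]$patch -and ($pnpSecure -or $spooler.Status -ne 'Running')
    }
}

Test-PrintNightmareRemediation | Format-List
```

Run it through Invoke-Command against a list of computers to build a fleet-wide report; domain controllers and print servers should be checked first.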
Exploitation Examples
Remote Exploitation (CVE-2021-34527)
The vulnerability can be exploited remotely using tools like:
- Impacket's rpcdump.py and custom RPC clients
- Metasploit modules for PrintNightmare exploitation
- Custom PowerShell scripts leveraging RPC functions
Local Privilege Escalation (CVE-2021-1675)
Local exploitation typically involves:
- Installing malicious printer drivers as low-privilege user
- Leveraging Point and Print to bypass UAC
- Executing payload with SYSTEM privileges
Responsible Disclosure
These examples are provided for defensive purposes only. Security professionals should use this information to better understand attack vectors and improve defensive measures.
References
- CVE-2021-34527 - Microsoft Security Response Center
- CVE-2021-1675 - Microsoft Security Response Center
- Microsoft Print Spooler Security Updates
- MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation
- CWE-269: Improper Privilege Management
Next Steps
If PrintNightmare vulnerabilities are found during testing:
- Immediately assess scope of Print Spooler exposure across the environment
- Priority patch deployment for all Windows systems, especially domain controllers
- Review domain trust relationships and printer deployment policies
Takeaway: PrintNightmare represents one of the most critical Windows vulnerabilities in recent years. The combination of remote code execution capabilities and potential for domain compromise makes immediate patching and mitigation essential for all Windows environments. Organizations should treat Print Spooler security as a critical infrastructure concern.