PrintNightmare: Critical Windows print spooler RCE vulnerability

printnightmare banner

PrintNightmare: Critical Windows print spooler RCE vulnerability

  Cyvatar | 03/29/2023

In June 2021, Microsoft addressed a minor vulnerability in the Windows Print Spooler, a service that is responsible for printing management in Windows. After a fortnight, the impact of the vulnerability was changed from minor to Remote Code Execution (RCE).


Even though it was officially fixed, it was found that an RCE could still run with system privileges on the OS by taking advantage of the spooler service. The vulnerability was termed PrintNightmare. A nightmare indeed!

What is PrintNightmare vulnerability?

The PrintNightmare CVE-2021-34527 vulnerability allows attackers to execute remote code on your devices and take control of them. The Microsoft printer vulnerability exists on all devices that run Windows 7 or higher.

It affects the Windows Print Queue and resides in the Windows Print Spooler service. It is to be noted that the Print Queue service doesn’t restrict access to the RpcAddPrinterDriverEx function. The latter enables attackers to run malicious programs on the user’s device.

What is the RpcAddPrinterDriverEx function?

The CERT Coordination Center at Carnegie Mellon University says:

“The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.”

Attackers who exploit this vulnerability get system-level privileges. It implies that they can access sensitive data and even edit or delete it. They can also create new accounts or install programs.

PrintNightmare Timeline

printnightmare timeline

How does PrintNightmare exploit work?

Microsoft says: “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.” The exploit takes advantage of the RpcAddPrinterDriverEx() function; it is used to install printer drivers on a system. The feature allows authenticated users to install new printer drivers in Microsoft environments.

PrintNightmare takes advantage of the fact that new print drivers can be installed by pointing to the malicious driver file. By doing so, it allows the attacker to cause the Print Spooler service to execute arbitrary code.

It remotely calls the RpcAddPrinterDriverEx() function and sends a malicious DLL, usually over encrypted protocols. It allows attackers the ability to install malicious code with SYSTEM level privileges.

The attackers get access to critical systems that let them install new programs, create new accounts with full privileges, and modify existing data.

Why is PrintNightmare dangerous?

  1. By default, the Windows Print Spooler is enabled on all Windows-based systems. It also includes domain controllers and computers that have system admin privileges. Therefore, all systems are vulnerable.
  2. The proof-of-concept (POC) exploit for PrintNightmare was accidentally published online. The researchers were of the opinion that Microsoft’s patches in June had solved the problem. That’s how the POC was shared across the community. Because of this leak, it is likely that more people will try to use PrintNightmare in this way.
  3. The vulnerability has the ability to affect domain controllers in enterprise networks.
  4. An attacker can gain full control over the targeted system by executing arbitrary code, such as a dynamic link library (DLL) or a Windows executable, with administrative privileges.
  5. It could be used by ransomware groups in the future, just like any other critical vulnerability.

How to protect yourself against the PrintNightmare vulnerability?

Let us look at the different ways an organization can protect itself against the PrintNightmare vulnerability.

  1. Install updates

If you want to reduce the chances of a PrintNightmare RCE vulnerability, then the first step is to install the relevant patches.

The updates can be manually installed by going to Settings > Update & Security > Windows Update.

Restart the system after installing the updates to see the changes. Apply the patches that are currently available. When and if Microsoft releases the next set of patches, update them too.

  1. Disable the Print Spooler service

When you turn off the Print Spooler service, you turn off both local and remote printing. Do this for devices, services, and applications that do not require print services.

The Print Spooler vulnerability can be addressed by disabling it using the following PowerShell command:

-> Stop Service- Name Spooler- Force

-> Set- Service- Name Spooler- StartupType Disabled

-> Run Get- Service- Name Spooler

-> Run Stop- Service- Name Spooler- Force

The first command stops the service, and the second one deactivates it.

Note: To install the final patch released by Microsoft, you must re-enable the Print Spooler so that you can normally print on your system.

  1. Modify the system’s user privileges

If you do not want to disable the Windows Print Spooler service, the next best thing is to modify the system’s user privileges.

By doing so, the user can not write in the %SYSTEM%\System32\spool\drivers\ directory. The modification made to the user privileges blocks the deployment of Windows executables or attacker-provided DLLs.

You can execute the following PowerShell script for the above to happen:

$Path = “C:\Windows\System32\spool\drivers”
$Acl = Get-Acl $Path
$Ar = New-Object  System.Security.AccessControl.FileSystemAccessRule(“System”, “Modify”, “ContainerInherit, ObjectInherit”, “None”, “Deny”)
Set-Acl $Path $Acl
  1. Check for exploitation attempts

To check for exploitation attempts, run the following PowerShell script: 

Get-WinEvent -LogName ‘Microsoft-Windows-PrintService/Admin’ | Select-String -InputObject {$_.message} -Pattern ‘The print spooler failed to load a plug-in module’.

The log message indicates that the Windows Print Spooler service tried to execute a DLL or Windows executable. It would have been provided by an attacker who was exploiting PrintNightmare.

  1. 0Patch

This patch provides users with micro-patches that solve bugs and vulnerabilities. The patches that Microsoft releases are only to detect and replace vulnerable libraries. 0Patch locates the vulnerability in the RAM’s memory and patches it directly.

By doing so, users are protected, and Windows’ integrity doesn’t change. It is available for all editions of Windows Server (2012 to 2019). Users can protect themselves without having to alter the system file. These patches are slated to be free until Microsoft releases theirs.

  1. Use group policy to disable inbound remote printing

Block inbound printing by disabling the ‘Allow Print Spooler to accept client connections’ option. The Group Policy blocks the inbound remote printing processes and prevents the remote attack vector. The system will not work as a print server anymore.

Open the local group policy console first:

And follow the following steps to disable inbound remote printing:

Computer Configuration > Administrative Templates > Printers

For the changes to take effect, you have to restart the Print Spooler service. Don’t forget that you can still connect it to a local printer even if you turn off remote printing.

  1. Employ a powerful endpoint security solution

The next step after installing patches and disabling remote printing is to look for ways to mitigate the chances of a future incident.

Endpoint security solutions are highly effective at this, as they protect endpoints such as laptops, mobile devices, and desktops from getting exploited by malicious actors.

Many endpoint security solutions use a technique called deep packet inspection that detects and quarantines threats when they show up. 

The Endpoint Protection Platform (EPP) is a set of endpoint protection technologies that work together. It has features for server and desktop computers like intrusion prevention, data encryption, antivirus, anti-malware, and firewall.

  1. Take backups

If the system is compromised, the attackers can access the data and do anything to it. They can even wipe the entire data set. It is better to take online and offline backups so that everything can be restored as is.

  1. Be mindful of new accounts and access

When someone exploits the PrintNightmare vulnerability, they can easily create new accounts and access sensitive data. Since this possibility is a security nightmare, you have to implement a solution that can detect unauthorized account creation and access.

There are a number of threat detection technologies in place that use multiple terminologies. They can be difficult for your security team to make sense of since there are too many services in existence.

Here’s what we would like to suggest: User Behavior Analytics (UBA) and Data-Centric Auditing & Protection (DCAP).

The UBA and DCAP solutions leverage artificial intelligence and machine learning algorithms to detect aberrations in user behavior. When real-time alerts are sent to the security team, it becomes possible to respond to PrintNightmare vulnerability attacks in a timely manner.

  1. Managed Detection and Response (MDR) service

MDR is an outsourced service that provides enterprises with threat-hunting services. Once the threats are discovered, it is also capable of responding to them.

An MDR service identifies malicious behavior that comes from legitimate processes, like the one exposed by the vulnerability.

  1. Training programs

To stop unauthorized access, you need to teach your employees about the different ways that attackers use phishing.

Most of the time, it is an unsuspecting employee who provides access to a malicious actor. Why? because they are not told to suspect any behavior different from the norm.

Conduct regular awareness campaigns about how to spot phishing messages. Give them a step-by-step process of what they should do if they are faced with such a situation. Providing a clear guide helps your employees make the right decisions.

Road ahead

Hackers will do anything possible to break into your network. They are skilled enough at getting to know about new vulnerabilities in your system much before your security team does. To stop these kinds of attacks, you need to have a lot of experience and proactive tools in place.

We are in a world marching towards zero trust, and rightly so. Your security systems should be persistent. Your data should be secure at all times, whether it is at rest, in transit, or in use, regardless of the file type or application being used.

The Cyvatar team is here to help. Let’s secure your network and organization.

Circa Las Vegas

Thurs. Aug 5th

Cybersecurity Reunion Pool Party at BlackHat 2021