Binalyze DRONE is your 24/7 virtual DFIR expert who immediately highlights anomalies, rare, suspicious or dangerous events in your case report so you can get straight to the critical evidence.
Print Nightmare Exploit
Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems.
The vulnerability impacts Print Spooler (spoolsv.exe), a Windows service that serves as a generic universal interface between the Windows OS, applications, and local or networked printers, allowing app developers to easily initiate print jobs.
The service has been included in Windows since the 90s and is one of the operating system’s most buggy processes, with many vulnerabilities being discovered across the years, including bugs such as PrintDemon, FaxHell, Evil Printer, CVE-2020-1337, and even some of the zero-days used in the Stuxnet attacks.
CVE-2021-1675, the latest in this long line of Print Spooler bugs, was initially discovered by security researchers from Tencent Security, AFINE, and NSFOCUS earlier this year.
Print Nightmare Exploit Scanner & Workaround (CVE-2021-1675)
Steps to use DRONE for Print Nightmare scanning and remediation:
- Download DRONE 1.4.0 from here
- Run it from the command line: DRONE.exe -a pnm -n
Note: If you have Chrome installed on the machine, you can also run DRONE in Tower mode in the browser by simply double-clicking the executable and enabling the CVE scanner and Event Records Analyzer (See Image 2 below).
Optionally, you can enable all analyzers (auto-pilot mode) to have an automated compromise assessment in parallel.
If you want to monitor exploited machines via your SIEM, enable the Syslog option (--Syslog) to forward the findings to your SIEM. Refer to the help output (drone.exe /h) for more information.
Image 2: Scanning in Tower Mode
Image 3: Scan Results
Does DRONE apply the workaround?
Yes. Once the analysis completes, DRONE will automatically stop the Spool Service and disable the auto-start setting of the Spool Service as a temporary workaround until Microsoft releases a patch.
How will I re-enable the Spool Service? (do not perform this action until a security patch is available)
From the command line, issue the following commands to re-enable the Spool Service:
sc start spooler
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "2" /f
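An added PowerShell example (not DRONE's own code) that reports whether the Spooler workaround described above is in place and wraps both the apply and the revert steps; it assumes an elevated prompt and uses the standard Spooler service name and its registry Start value (2 = Automatic, 3 = Manual, 4 = Disabled).

```powershell
# Added example, not Binalyze/DRONE code. Run from an elevated PowerShell prompt.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'

function Get-SpoolerWorkaroundState {
    # Report service state and the registry Start value together, so an
    # analyst can see at a glance whether the temporary workaround is applied.
    $svc   = Get-Service -Name Spooler
    $start = (Get-ItemProperty -Path $RegPath -Name Start).Start
    [pscustomobject]@{
        Status        = $svc.Status
        StartValue    = $start            # 2 = Automatic, 3 = Manual, 4 = Disabled
        WorkaroundSet = ($svc.Status -ne 'Running') -and ($start -ne 2)
    }
}

function Enable-SpoolerWorkaround {
    # Same effect as the remediation DRONE applies: stop the service and
    # prevent it from auto-starting on the next boot.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-SpoolerWorkaround {
    # Reverse of the above; equivalent to the sc/reg commands on this page.
    # Startup type is restored first so that Start-Service does not fail on
    # a service that is still marked Disabled.
    Set-Service   -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
}

Get-SpoolerWorkaroundState | Format-List
```

Call Enable-SpoolerWorkaround or Disable-SpoolerWorkaround explicitly after reviewing the reported state; the script only reports by default.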
Install the new version of DRONE here.