The vulnerability ( CVE-2021-1675 ), dubbed PrintNightmare, was fixed in early June this year and affects the print spooler (spoolsv.exe), a Windows service that acts as a universal interface between Windows, applications and local or network printers.
This service is one of the most problematic processes in the operating system, many vulnerabilities have been found in it over the years, including PrintDemon, FaxHell, Evil Printer, CVE-2020-1337 and even zero-day vulnerabilities.
The issue was originally classified as a privilege elevation vulnerability that could allow an attacker to gain administrator privileges, but Microsoft has updated the description to classify CVE-2021-1675 as a remote code execution vulnerability.
No technical details or PoC code was provided on the issue to exploit the vulnerability. Last week, Chinese cybersecurity firm QiAnXin released a GIF showing the exploitation of the problem for the first time without any technical details. A fully working PoC exploit was then published on GitHub. As it turned out, information security specialists from Sangfor discovered the problem independently of the team that reported the vulnerability to Microsoft. The researchers hoped to keep the technical details a secret until the start of the Tianfu Cup hacking competition. As the experts explained, since QiAnXin posted a video about the CVE-2021-1675 exploit, they decided to publish a full description of the problem and the PoC code.
However, after a few hours, the team of researchers decided to delete the publication, realizing that they had disclosed the full report that they planned to present at the Black Hat USA cybersecurity conference 2021. The repository was removed from GitHub, but by that time the information about the vulnerability had already been copied by other users. Currently, the PoC code for exploiting the vulnerability is spreading in closed information communities and, presumably, in the coming days will again be in the public domain.
Since CVE-2021-1675 is classified by Microsoft as an RCE vulnerability, and the PoC code for its exploitation has appeared in the public domain, companies are encouraged to apply the fixes as soon as possible.
The vulnerability affects all versions of Windows, including Windows XP and Windows Vista.