Print Nightmare Exploit Scanner & Workaround (CVE-2021-34527)

Update 2: 14th July 2021

Microsoft recently released a patch for this vulnerability. Please get more information using the link below:

 
Update: 1st July 2021, 1.03am

We have released a FREE version of DRONE that scans the machine against indicators of the Print Nightmare exploit (CVE-2021-34527) and applies a workaround of stopping the Spool Service, so that even if the machine is unexploited now, future exploitation attempts are prevented until Microsoft releases a patch for this vulnerability.

Steps to use DRONE for Print Nightmare scanning and remediation:

  1. Download DRONE 1.4.0 from here

  2. Run it with the command-line DRONE.exe -a pnm -n 

Note: If you have Chrome installed on the machine, you can also run DRONE in Tower mode in the browser by simply double-clicking the executable and enabling the CVE scanner and Event Records Analyzer (see Image 2 below). Optionally, you can enable all analyzers (auto-pilot mode) to have an automated compromise assessment in parallel.

If you want to monitor exploited machines via your SIEM, you can enable the Syslog option (--syslog) to forward the findings to your SIEM. Refer to the help (drone.exe /h) for more information.

Image 1: Scanning in Command Line
Image 2: Scanning in Tower Mode
Image 3: Scan Results

 

Does DRONE apply the workaround?

Yes. Once the analysis completes, DRONE will automatically stop the Spool Service and disable the auto-start setting of the Spool Service as a temporary workaround until Microsoft releases a patch.

How will I re-enable the Spool Service? (do not perform this action until a security patch is available) 

From the command line, issue the following commands to re-enable the Spool Service:
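As an added example (not DRONE's code and not the commands from the original post), the PowerShell below audits the Print Spooler service, applies the stop-and-disable workaround described above, or reverses it, using the built-in service cmdlets. The function name Set-SpoolerWorkaround and its -Action parameter are hypothetical names chosen for illustration; run it from an elevated prompt.

```powershell
# Added example: audit, apply, or reverse the Print Spooler workaround.
# Set-SpoolerWorkaround and -Action are hypothetical names, not part of DRONE.
function Set-SpoolerWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Audit', 'Disable', 'Restore')]
        [string]$Action
    )

    # 'Spooler' is the service name of the Windows Print Spooler (spoolsv.exe).
    # Fail early if the service is not present on this machine.
    $null = Get-Service -Name Spooler -ErrorAction Stop

    switch ($Action) {
        'Disable' {
            # Workaround: stop the service, then prevent it from auto-starting.
            if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable')) {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
            }
        }
        'Restore' {
            # Reverse the workaround; only after the security patch is installed.
            if ($PSCmdlet.ShouldProcess('Spooler', 'Enable and start')) {
                Set-Service -Name Spooler -StartupType Automatic
                Start-Service -Name Spooler
            }
        }
    }

    # Report the resulting state so it can be logged or collected centrally.
    $svc = Get-Service -Name Spooler
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartMode = $cim.StartMode   # Auto, Manual or Disabled
        Mitigated = ($svc.Status -eq 'Stopped' -and $cim.StartMode -eq 'Disabled')
    }
}

# Read-only check of the current state; use -Action Disable or -Action Restore
# (optionally with -WhatIf) to change it.
Set-SpoolerWorkaround -Action Audit
```

While the service is stopped and disabled, the machine cannot print, either locally or as a print server.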

Original Post

Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems. The vulnerability impacts Print Spooler (spoolsv.exe), a Windows service that serves as a generic universal interface between the Windows OS, applications, and local or networked printers, allowing app developers to easily initiate print jobs.

The service has been included in Windows since the 90s and is one of the operating system’s most buggy processes, with many vulnerabilities being discovered across the years, including bugs such as PrintDemon, FaxHell, Evil Printer, CVE-2020-1337, and even some of the zero-days used in the Stuxnet attacks. CVE-2021-1675, the latest in this long line of Print Spooler bugs, was initially discovered by security researchers from Tencent Security, AFINE, and NSFOCUS earlier this year.