CVE-2021-34527 or Windows Print Spooler Remote Code Execution Vulnerability
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
According to Microsoft, this vulnerability can only be exploited if the “NoWarningNoElevationOnInstall” key in the registry is set to 1.
The artifact scans the device registry to check if the beforementioned key exists or not; if it is undefined or doesn’t exist, then the system is not vulnerable to the PrintNightmare. Otherwise, the system is considered to be vulnerable to exploitation.
This vulnerability can be exploited using the Evil Printer attack.
Changing the registry values from 1 to 0 or Disabling the spooler when it’s not in use is recommended as the next step after applying the patch. The following VQL query looks for the registry values to find a registry key named “NoWarningNoElevationOnInstall”.
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
https://nvd.nist.gov/vuln/detail/CVE-2021-34527
name: Windows.Registry.PrintNightmare
description: |
CVE-2021-34527 or Windows Print Spooler Remote Code Execution Vulnerability
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
According to Microsoft, this vulnerability can only be exploited if the “NoWarningNoElevationOnInstall” key in the registry is set to 1.
The artifact scans the device registry to check if the beforementioned key exists or not; if it is undefined or doesn’t exist, then the system is not vulnerable to the PrintNightmare. Otherwise, the system is considered to be vulnerable to exploitation.
This vulnerability can be exploited using the Evil Printer attack.
Changing the registry values from 1 to 0 or Disabling the spooler when it's not in use is recommended as the next step after applying the patch.
The following VQL query looks for the registry values to find a registry key named “NoWarningNoElevationOnInstall”.
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Diving-Into-Spooler-Discovering-Lpe-And-Rce-Vulnerabilities-In-Windows-Printer.pdf
https://nvd.nist.gov/vuln/detail/CVE-2021-34527
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
author: Daksh Gajjar - @dakshgajjar
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: SearchRegistryGlob
default: \HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\**
description: Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design
sources:
- query: |
SELECT Name as KeyName,
FullPath,
Data.type as KeyType,
Data.value as KeyValue,
Sys,
ModTime as Modified
FROM glob(globs=SearchRegistryGlob, accessor='registry')
WHERE KeyType = "DWORD"
AND KeyName =~ "NoWarningNoElevationOnInstall"
column_types:
- name: Modified
type: timestamp