Proof-of-concept exploit code for CVE-2021-1675 flaw, an attacker could exploit it to compromise Windows systems.
Proof-of-concept exploit code for the CVE-2021-1675 flaw has been published online, the flaw impacts the Windows Print Spooler service and could be exploited to compromise Windows systems.
Microsoft addressed the flaw with the release of Microsoft June 2021 Patch Tuesday security updates.
The vulnerability resides in Print Spooler (spoolsv.exe) service that manages the printing process, it impacts all Windows OS versions
CVE-2021-1675 was initially rated as a low-importance elevation-of-privilege vulnerability, but recently the IT giant reviewed the issue and labeled it as a remote code execution flaw.
Last week, researchers from Chinese security firm QiAnXin published a GIF showing a working exploit for the CVE-2021-1675 flaw, but avoided disclosing the technical details about the attack.
Recently, we found right approaches to exploit #CVE-2021-1675 successfully, both #LPE and #RCE. It is interesting that the vulnerability was classified into #LPE only by Microsoft, however, it was changed into Remote Code Execution recently.https://t.co/PQO3B12hoE pic.twitter.com/kbYknK9fBw
— RedDrip Team (@RedDrip7) June 28, 2021
However, The Recod noticed that the availability of a fully working PoC exploit on GitHub earlier today, the code was likely accidentally published and the GitHub repo has been taken offline after a few hours.
“Authored by three analysts from Chinese security firm Sangfor, the write-up, which we will not link here, details how the trio discovered the bug independently from the teams who reported the vulnerability to Microsoft.” reported The Record.
It seems that the trio decided to publish the PoC aftet QiAnXin researchers shared the video of the CVE-2021-1675 exploit.
The experts removed the PoC a few hours later because they will present it at the Black Hat USA 2021 security conference later this year.
We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait our Blackhat talk. https://t.co/heHeiTCsbQ
— zhiniang peng (@edwardzpeng) June 29, 2021
Unfortunately, it was too late because other users had access to the code before it was taken offline.
Looks like the original PoC for PrintNightmare (CVE-2021-1675) got deleted but someone has forked it since https://t.co/8MiP62SlzC
— Andy Gill (@ZephrFish) June 29, 2021
#POC
PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service https://t.co/R3ldQKrXOX pic.twitter.com/B9N2guWdTy— blackorbird (@blackorbird) June 29, 2021
Threat actors will likely attempt to exploit the issue in attacks in the will in the next weeks.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, CVE-2021-1675)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
Proof-of-concept exploit code for CVE-2021-1675 flaw, an attacker could exploit it to compromise Windows systems.
Proof-of-concept exploit code for the CVE-2021-1675 flaw has been published online, the flaw impacts the Windows Print Spooler service and could be exploited to compromise Windows systems.
Microsoft addressed the flaw with the release of Microsoft June 2021 Patch Tuesday security updates.
The vulnerability resides in Print Spooler (spoolsv.exe) service that manages the printing process, it impacts all Windows OS versions
CVE-2021-1675 was initially rated as a low-importance elevation-of-privilege vulnerability, but recently the IT giant reviewed the issue and labeled it as a remote code execution flaw.
Last week, researchers from Chinese security firm QiAnXin published a GIF showing a working exploit for the CVE-2021-1675 flaw, but avoided disclosing the technical details about the attack.
Recently, we found right approaches to exploit #CVE-2021-1675 successfully, both #LPE and #RCE. It is interesting that the vulnerability was classified into #LPE only by Microsoft, however, it was changed into Remote Code Execution recently.https://t.co/PQO3B12hoE pic.twitter.com/kbYknK9fBw
— RedDrip Team (@RedDrip7) June 28, 2021
However, The Recod noticed that the availability of a fully working PoC exploit on GitHub earlier today, the code was likely accidentally published and the GitHub repo has been taken offline after a few hours.
“Authored by three analysts from Chinese security firm Sangfor, the write-up, which we will not link here, details how the trio discovered the bug independently from the teams who reported the vulnerability to Microsoft.” reported The Record.
It seems that the trio decided to publish the PoC aftet QiAnXin researchers shared the video of the CVE-2021-1675 exploit.
The experts removed the PoC a few hours later because they will present it at the Black Hat USA 2021 security conference later this year.
We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait our Blackhat talk. https://t.co/heHeiTCsbQ
— zhiniang peng (@edwardzpeng) June 29, 2021
Unfortunately, it was too late because other users had access to the code before it was taken offline.
Looks like the original PoC for PrintNightmare (CVE-2021-1675) got deleted but someone has forked it since https://t.co/8MiP62SlzC
— Andy Gill (@ZephrFish) June 29, 2021
#POC
PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service https://t.co/R3ldQKrXOX pic.twitter.com/B9N2guWdTy— blackorbird (@blackorbird) June 29, 2021
Threat actors will likely attempt to exploit the issue in attacks in the will in the next weeks.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, CVE-2021-1675)