back to article Leaked print spooler exploit lets Windows users remotely execute code as system on your domain controller

An infosec firm accidentally published a proof-of-concept exploit for a critical Windows print spooler vulnerability that can be abused by rogue users to compromise Active Directory domain controllers. How this happened is a little messy. Rewind to June 8's Patch Tuesday, and Microsoft issued a fix for CVE-2021-1675, which was …

  1. bazza Silver badge

    Ooooops

    The print queue is required, and must contain letters.

    1. sev.monster Bronze badge
      Coat

      Re: Ooooops

      PQ LOAD LETTER?

  2. Pascal Monett Silver badge
    Facepalm

    What the ever-loving frak ?

    "people need to prioritize disabling the print spooler service on domain controllers and mission critical servers "

    What the hell is the print spooler doing enabled on a domain controller ? Since when do you print from a domain controller ?

    I wager this situation would never happen on a Linux server, because Linux admins only enable what is needed on the server. Windows admins, on the other hand, just install Windows and let it run.

    I never print from my main PC, because the printer is on the other side of the office and the USB cord is not long enough. Do you really think I have the print spooler service enabled on my main PC ? Of course not.

    1. BinkyTheMagicPaperclip

      Re: What the ever-loving frak ?

      If you're running in a SOHO environment, it's not inconceivable that the admin and cost of separating functions into separate VMs/systems is unwanted. Having multiple Windows installations to host all the necessary domain services has been the recommendation for a very long time but that doesn't mean people listen.

      Microsoft offer their 365 services for companies that don't want to host it themselves, but who knows what rationale people have for odd configurations.

      1. ITMA

        Re: What the ever-loving frak ?

        "...but who knows what rationale people have for odd configurations"

        I know.

        When small company IT are over ruled by PhDs who know nothing about real world IT, but whenever they are given reasons why they can't do something in the way they want (such as "explicitly prohibited by the licence conditions") suddenly become "IT experts", scweam and shout and stamp their little feet until they get their way. And they never "lower themselves" to say "thank you".

        1. sev.monster Bronze badge

          Re: What the ever-loving frak ?

          This sounds like a personal experience.

          1. ITMA

            Re: What the ever-loving frak ?

            Unfortunately.... yes....

    2. cyberdemon Silver badge
      Devil

      Re: What the ever-loving frak ?

      More like, what the frak is a print spooler doing accepting "drivers" from network clients?

      Or, what the frak is a printer doing requiring a 'driver' running with system priveleges?

      i.e. Why the ducking fuck are printer drivers not standardised, or at least run in unpriveleged userspace?

      1. WolfFan Silver badge

        Re: What the ever-loving frak ?

        Good luck installing a printer driver on Windows without Admin privs.

        1. Snake Silver badge

          Re: admins

          "Good luck installing a printer driver on Windows without Admin privs."

          Exactly what OS should allow a print [device] driver to be installed *without* admin privileges?

          1. Warm Braw Silver badge

            Re: admins

            Typically, these days, printers are attached to a generic interface (USB or network) that already has a driver and the printer driver is no more than a filter that could run perfectly well in user space. There's no specific technical reason why such a filter couldn't be installed by an unprivileged user for their own use.

            It's just that we're not starting from here.

        2. Anonymous Coward
          Anonymous Coward

          Re: What the ever-loving frak ?

          You can use group policy to allow non admins to install print drivers. You can also specify which print servers they are allowed to install drivers from.

          1. Anonymous Coward
            Anonymous Coward

            Re: You can use group policy to allow non admins to install print drivers.

            There's always one.

            Look, you may know how to configure Windows, this forum is for Linux users who last touched Windows a decade ago to complain about "Windows issues" without fear of contradiction.

            Then you come along with some actual Windows knowledge and try and ruin it all!!!

            We don't want the truth, we want to carry on slagging off Windows like we've been doing for the past twenty years.

            Thank you.

            1. chuBb. Silver badge
              Pint

              Re: You can use group policy to allow non admins to install print drivers.

              Have a pint AC made me chuckle

            2. cyberdemon Silver badge
              Devil

              Re: You can use group policy to allow non admins to install print drivers.

              Yes exactly if only Windows supported libusb properly then you wouldn't need kernel drivers for most things.

              But anyone who has tried using libusb-win32 has encountered a world of pain, because windows sucks. so there :P

          2. WolfFan Silver badge

            Re: What the ever-loving frak ?

            Someone (me) who has a small network (my home net) is quite unlikely to go to the trouble of using group policy to allow Self Propelled Agents of Mass Destruction (teenagers) to install anything whatsoever. Past experience suggests to letting them install even seemingly innocuous items results in mass mayhem and someone (me) having to spend hours fixing the results. Nah, I just use admin privs… and don’t give them the admin account name, much less an admin password.

            Fortunately the youngest is due to go to uni (in Indiana! Hoo-rah!) in late August to September, assuming that it won’t be remote classes. Unfortunately the eldest, no longer a teenager but still a SPAMD, is working from home and will be for a while.

          3. Snake Silver badge

            Re: What the ever-loving frak ?

            "You can use group policy to allow non admins to install print drivers."

            That's an administrator pre-approving the equivalent of a function-limited SUDO. Admin still got involved.

            Now, please remember that I'm one of the rare Windows non-basher here on this forum.

          4. keith_w Bronze badge

            Re: What the ever-loving frak ?

            An unprivileged user uploading a new printer driver to the print server isn't an everyday occurrence and should raise suspicions."

            The article isn't talking about people installing printer drivers on their own machine.

      2. Anonymous Coward
        Anonymous Coward

        Re: What the ever-loving frak ?

        Ack, you think that's bad? Server 2016 has a Xbox Live Game Save service enabled and running.

        1. chuBb. Silver badge

          Re: What the ever-loving frak ?

          Only if you avoid all the default options and install desktop experience

    3. Claptrap314 Silver badge

      Re: What the ever-loving frak ?

      I came to post the same first two paragraphs. Downvoted for the pointless dumping on winbloze admins.

      I get what some are saying about those with limited resources. Security is not free. Sorry, but I'm still going to go ballistic on you. This is not the '80s. Running a print spooler on a domain controller is at the same level as running sendmail as root. Fix your problem.

    4. WolfFan Silver badge

      Re: What the ever-loving frak ?

      You print from a domain controller when it's a home or small company domain. At home I have a domain controller which doubles as several other roles because, well, I only have four server systems, as it's a _home network_. Printing is live on the DC because on several occasions I needed to print something out while configuring either other servers or clients.

      My printers are all network printers, not USB. I have them in locations convenient to me, rather than close to a computer, whether server or client. I tend to print to the grayscale laser on average of once every few days; it's a Brother HL-2070, and has been in service since 2005, and currently is just short of 20,000 pages printed. It's on its third drum. I suspect that when that drum dies I'll just get a new printer. I tend to print to the colour inkjet about once a week. It's an Epson WF-3530, currently using non-Epson ink and being Epson-like about it. When I replace the Brother I will probably get a Brother colour laser and dump the Epson, too.

      People still use printers. (And even fax machines; the Epson has fax capability, last used last month. I had to send something to the county government, they insist on faxes, email and texts don't cut it. I may keep the Epson around just for faxing.) People need to print from all kinds of machines. Including Linux servers. I have Linux servers at the office, and used to have one at home. And, yes, printing was turned on.

    5. Anonymous Coward
      Anonymous Coward

      Re: What the ever-loving frak ?

      Your DCs will of course be running Windows Server Core, so won't have the spooler installed unless you have manually put it on there for some reason.

      1. sev.monster Bronze badge

        Re: What the ever-loving frak ?

        A wet [paper] dream of mine. Sadly, some tools such as Azure AD Connect require some of the gubbins in Standard and supposedly cannot run on Core. No time to test or prove otherwise.

        1. Anonymous Coward
          Anonymous Coward

          Re: What the ever-loving frak ?

          You shouldn't really be putting Azure AD Connect (or anything really, but especially AD Connect) on a DC.

          We have turned everything possible into a core server, even including the on prem Exchange box we have to keep around to manage O365 synched identities. Microsoft have got much better at allowing most stuff to run without the GUI, but there are still a few idiocies like ADFS not being supported on core.

          We do still actually have one DC hanging around running the GUI. It is a heavily protected physical server that we would use to bring the virtual estate back online in the event of a full power out disaster. Means we at least have a directory and the means to manage it if everything else goes black. Hasn't happened yet and hopefully never will. A lot would have to go wrong across two datacentres to leave us in that situation, but we have planned and practiced the scenario. Should really turn this into a core server as well and manage it with a laptop with RSAT.

          1. sev.monster Bronze badge
            Unhappy

            Re: What the ever-loving frak ?

            Ahh you're giving me the tinglies. Sadly your advice falls on tired ears [sic]. Will never happen in my environment.

    6. chuBb. Silver badge

      Re: What the ever-loving frak ?

      Yeah opinion of someone who can't work out how to network print on windows (you have had nigh on 30 years to wrap head around netbios and samba) is deff into troll territory, usb too short my arse...

      Anyway dc's are worrying, would be more concerned with it running on a cert authority, or web server and yeah lots of crm/erp business critical systems need the spooler enabled for pdf generation as its less brain damaging to write a print css file than to try and code for page wrapping and overflow in a pdf lib

    7. Cynic_999 Silver badge

      Re: What the ever-loving frak ?

      Many companies operate a distributed printing system whereby users queue their prints onto the central server, which are then released on demand.

    8. Michael Wojcik Silver badge

      Re: What the ever-loving frak ?

      The DC thing is a distraction. That is, it's a real issue for some people, but not having any DCs running the Print Spooler service does not make this a non-issue. Print Spooler runs by default on Windows desktop systems, and a LOCAL_SYSTEM + Interact service with an RCE is very, very bad.

      Attackers penetrate, elevate, and pivot. A workstation exploit might not get them Domain Admin immediately, but they'll get there eventually.

  3. Anonymous Coward
    Anonymous Coward

    Still in the kernel?

    Okay, I am being lazy here and not looking this up but I recall that Redmond put the spooler in the kernel. Is it still there?

  4. BinkyTheMagicPaperclip

    Again?

    This isn't the first time the print spooler has been a vector for exploits on Windows.

    Wasn't it also an early way of recovering the administrator password too, or am I misremembering?

    1. logicalextreme Silver badge

      Re: Again?

      Innit. What is it with Windows and printers? Win 10's had more than its fair share of printer issues, too.

      If MS suddenly come out with some "revolutionary" paper-free workplace "solution" nail-gunned onto the side of Office 351 I may begin to suspect that this stuff has been not entirely accidental.

      1. IGotOut Silver badge

        Re: Again?

        On the flip side I was compltety unable to get a Samsung laser printer to work on Linux (garbage or nothing) . Going by all the forum posts, it was not unique to me.

        Took less than 30 seconds on Windows...

        So choose your poison.

        1. Anonymous Coward
          Anonymous Coward

          @"Samsung laser printer"

          You don't mention which printer but assuming this is a non-GDI device then it is quite possible that Samsung haven't bothered to release a driver for linux. MS released GDI printing (using OS software rather than printer hardware to deal with the problem of printer incompatability so what you are complaining about is not a linux problem but a printer problem.

          When I started in computing you either wrote your own printer driver or used text only output and this never really changed even with MS dominating business computing because both MS and the printer makers kept moving the goal posts and refusals on both side to make changes after one or the other changed their specifications. Even the the likes of HP I would end up using MS own drivers for the manufactorers previous models to get their latest product working in the hope that they would eventually release a working driver.

          I will tell you what I told all those people whom I supported with this problem, make certain that your printer works with your OS before you buy or accept that you are going to write your own driver or pay someone to do it for you and in my experience windows was too often no different.

          1. sev.monster Bronze badge

            Re: @"Samsung laser printer"

            I still remember having to try and force a 16-bit unsigned ASPI driver to load, behind the already ancient TWAIN32, behind a proprietary 32-bit unsigned interface, all designed for Windows 95, on a Windows 10 workstation, because they pulled a $10k old scanner out of storage and were too cheap to get another one or buy a 95 license to install in a VM or something. I never could get it to work.

    2. MyffyW Silver badge

      Re: Again?

      Indeed, @Binky, used that backdoor a couple of times on a workstation.

      Which is why - when the century was still new - I had a server hardening procedure that disabled the print spooler on DCs and other boxen that didn't require it.

  5. elsergiovolador Silver badge

    Do you hear the facepalms?

    I could hear the wave of facepalms across the globe, as intelligence agencies around the world now have to move onto the next backdoor.

  6. WolfFan Silver badge
    Gimp

    that pic

    Normally it's the other end which is pressed to the top of the scanner. And yes, on at least one occasion someone (no, not me) managed to break the glass.

    1. imanidiot Silver badge
      Holmes

      Re: that pic

      "no, not me"

      uhuh, sure. We believe you...

  7. 2+2=5 Silver badge
    Joke

    Good news and bad news

    The bad news is that it's a severe vulnerability.

    The good news is that I can use the exploit to log in and disable the print spooler service without having to wait for the admins to do it.

    ;-)

  8. This post has been deleted by a moderator

  9. Anonymous Coward
    Anonymous Coward

    And if it hadn't been for you darn kids ...

    another one top cross off of the [Insert name of State Security Service]'s list of bag of tricks.

  10. The Original Steve

    Mitigation

    "Martin Lee, technical lead at Cisco Talos, said: "Exploits such as this underline how important it is to both securely authenticate users and be in a position to identify unusual network activity."

    Which is of course true.

    It also costs a tidy sum and I can imagine a firm like Talos or its Daddy Cisco would be able to sell me something that does these things...

    As opposed to having a separate server for each role and / or using Server Core for DC workloads which is a more powerful mitigation IMHO.

    Side note: An often overlooked downside of cloud is that IT is under direct pressure to reduce VM footprint as you're paying for each VM by the minute. Even the lowest of the low on prem server gives you headroom for running a DC and a file/print server roles as two separate VM's and a Win Standard licence let's you run two VM guests.

    1. chuBb. Silver badge

      Re: Mitigation

      That's one reason I'm a fan of turning broken screen laptops into rodc's (readonly dc) for branch offices always try and convince clients you want to keep ur domain in house

  11. Anonymous Coward
    Anonymous Coward

    Just surprised...

    Printer companies aren't actively expoiting this to silently update the printer's firmware to reject all non-genuine cartridges.

    1. Anonymous Coward
      Anonymous Coward

      Re: Just surprised...

      More surprised the FBI hasn't released a worm that uses this to disable the spooler as a matter of national security. They're always looking out for the little guy at the FBI...

    2. James O'Shea

      Re: Just surprised...

      Don't give thebastards ideas.

  12. Mage Silver badge
    Alert

    Print Queue on a server?

    Putting a printer on a Windows Server is SO 1990s.

    Use ones with ethernet built in or a raspberry PI for USB only printers.

    Best security advice maybe 30 years ago:

    Disable all services not actually used.

    1. DuncanLarge

      Re: Print Queue on a server?

      > Putting a printer on a Windows Server is SO 1990s.

      Obviously you have no idea how printing works then.

      Our cloud printing solution that prints, to the cloud, has a service running on a server which requires the print spooler.

      Otherwise no users can print to the networked printers. This service will eventually be rolled out to our other sites.

      Your "solution" only works for a small installation where one person prints at a time and doesnt authenticate on the printer. Thats quite 90's, we had to run like that recently when the printers failed to authenticate staff. It was a mess, with everyone's jobs getting mixed up.

      1. bombastic bob Silver badge
        Unhappy

        Re: Print Queue on a server?

        running quickbooks required the printer service to be running (I just tested it). it had a very unusual crash when the print spooler was disabled and kept wanting to send some failure code someplace. This was on a Windows 7 workstation. I put the spooler in 'manual' startup mode after, will start to run things that need it, then stop again. Irritating,yeah.

        I have to wonder if there's some easier way to prevent network access to a 7 workstation from exploiting this... (and don't say "Install WIn-10-nic" because THAT isn't happening)

        Also since the article said Windows 7 was vulnerable, even when it is NOT a domain controller, what is the extent of this vulnerability on 7 as a workstation?

  13. Anonymous Coward
    Anonymous Coward

    with everyone's jobs getting mixed up.

    You mean you hadn't mandated Secure Printing ?

    We may be a tuppeny-happeny outfit compared to the enterprise boys, but this was a sine non qua for GDPR and personal data.

    How many people have had a crafty shufty at a printers "to be collected" pile ?

  14. oldcomputerguy

    Done way more than you think

    Wow, Microsoft needs to fix this ASAP. I hate to tell you guys this, but about every small business running a server does this. That server will be the DC, and the File and Print server. It will likely be an application server too. If they are lucky, they will have enough money for a second DC for redundancy. And BTW, GPO is set to allow users to install printers. Why they hell does a Domain admin need to add printers for each user? Scream, blame, laugh all you want. Most small businesses with Domains are running off one or two servers. There's no full time admin. That's it. No Mo' money .... Remember SBS?. It would do ALL roles including Exchange on one box. Just sayin' ...... And now they want us to just turn off print services? Oh, that will go over well ...... Not gonna happen. M$, where's the fix?

  15. keith_w Bronze badge
    Facepalm

    Print Drivers!

    "An unprivileged user uploading a new printer driver to the print server isn't an everyday occurrence and should raise suspicions.""

    It's not users installing print drivers on their local machines, it's regular (non-admin) users installing print drivers on domain controllers!

  16. Phil Kingston

    Today in class,

    "Server hardening 101"

  17. thondwe

    It's not just DCs

    CVE-2021-34527 affects all versions of windows - so "valuable" workstations are going to be a target too?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021