Skip to the main content.
TRY NOW
TRY NOW

2 min read

Print Nightmare Exploit Scanner & Workaround (CVE-2021-34527)

Picture of Emre Tınaztepe Emre Tınaztepe : Sep 10, 2021 8:31:32 AM

Binalyze DRONE Incident Response
Featured Image
Update 2: 14th July 2021

Microsoft recently released a patch for this vulnerability. Please get more information using the link below:

 
Update: 1st July 2021, 1.03am

We have released a FREE version of DRONE that scans the machine against indicators of the Print Nightmare exploit (CVE-2021-34527and applies a workaround of stopping Spool Service so that even if the machine is unexploited now, future attempts of exploitation would be prevented until Microsoft releases a patch for this vulnerability.

Steps to use DRONE for Print Nightmare scanning and remediation:

  1. Download DRONE 1.4.0 from here

  2. Run it with the command-line DRONE.exe -a pnm -n 

Note: If you have Chrome installed on the machine, you can also run DRONE in Tower mode in the browser by simply double clicking the executable and enabling the CVE scanner and Event Records Analyzer (See Image 2 below). Optionally, you can enable all analyzers (auto-pilot mode) to have an automated compromise assessment in parallel.

If you want to monitor exploited machines via your SIEM, you can enable Syslog option for forwarding the findings to your SIEM (–syslog). Refer to help drone.exe /h for more information. 

print-nightmare-exploit-scanner
Image 1: Scanning in Command Line
print-nightmare-exploit-scanner
Image 2: Scanning in Tower Mode
print-nightmare-exploit-scanner
Image 3: Scan Results

 

Does DRONE apply the workaround?

Yes. Once the analysis completes, DRONE will automatically stop the Spool Service and disable the auto-start setting of the Spool Service as a temporary workaround until Microsoft releases a patch.

How will I re-enable the Spool Service? (do not perform this action until a security patch is available) 

From the command line, issue the following commands to reenable the Spool Service:

Original Post

Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems. The vulnerability impacts Print Spooler (spoolsv.exe), a Windows service that serves as a generic universal interface between the Windows OS, applications, and local or networked printers, allowing app developers to easily initiate print jobs.

The service has been included in Windows since the 90s and is one of the operating system’s most buggy processes, with many vulnerabilities being discovered across the years, including bugs such as PrintDemonFaxHellEvil PrinterCVE-2020-1337, and even some of the zero-days used in the Stuxnet attacks. CVE-2021-1675, the latest in this long line of Print Spooler bugs, and was initially discovered by security researchers from Tencent Security, AFINE, and NSFOCUS earlier this year.

 
Try DRONE for FREE as part of the Binalyze AIR Free Trial. Just fill out the form below.

 
macos forensics

Binalyze AIR Product Release 2.7.0

We are excited to announce the release and general availability of Binalyze AIR 2.7.0

Read More
digital-forensics

Why It Is Time To Rethink How You Are Using Digital Forensics

Digital Forensics is a vital part of a mature cybersecurity stack but the field of digital forensics is more than 40 years old, and so are the...

Read More
binalyze-cooperation-eu

Join us at the virtual roundtable carried out by GLACY+ Project in cooperation with APWG.EU

We are living in an era, where the volume and sophistication of cyberattacks have increased as a result of overflowing data and increased attack...

Read More