Loading...

The PrintNightmare

Created2025-05-29|Updated2025-07-15|articles

|Post Views:

Definition

PrintNightmare is an attack exploiting a vulnerability in the Windows print spooler which allows a simple user to execute remote commands with administrator privileges. The term PrintNightmare actually refers to two vulnerabilities exploiting the print spooler. One allows privilege escalation and the other allows remote code execution. In this article, we’ll focus solely on the latter.

On June 7, 2021, Microsoft released its latest security patch for this vulnerability, which allows only machine administrators to modify printer drivers.

How it works

When a printer driver is updated via RPC, two functions are called: RPCAddPrinterDriverEx and RPCAsyncAddPrinterDriver, exploited by CVE-2021-1675 and 34527 respectively.

pDriverPath: The path of the new printer driver
pConfigFile : The path to the printer driver procedures module
pDataFile: Path to printer driver data

This vulnerability arises because Windows does not check that all user-specified paths are local paths before saving files in the printer driver folder.

This allows an attacker to supply a malicious DLL file via pDataFile. Thus, when another call to RPCAddPrintDriver is made, the attacker can point pConfigFile to the path where the malicious file was saved, enabling code execution.

Exploitation

https://github.com/cube0x0/CVE-2021-1675

https://github.com/ly4k/PrintNightmare

Attacks Printer Spooler

Related Articles

What is PrinterBug?PrinterBug is the name given to a technique for abusing the Microsoft Remote Procedure Call Print System Remote Protocol (MS-RPRN). This method enables an attacker with a simple user account to force a Windows computer (often a domain controller) with the print spooler enabled, to authenticate to a machine controlled by the attacker.The aim is to exploit this authentication to carry out an NTLM Relay attack. Why does this vulnerability exist?In a Windwos environment, the MS...

DefinitionThe NTLM protocol is an old authentication protocol used by Windows machines to authenticate at domain or network level. It’s a Challenge / Response protocol, so it lets you authenticate to a server without the password ever passing over the network. This protocol is widely used by companies in conjunction with the Kereberos protocol. Only companies with a good cyber maturity no longer use it, as it’s not easy to do without. How it worksWhen a client wants to authenticate to a ...

Pass The Ticket Attack

This article will be a walkthrough of the ine lab concerning this attack. PowerviewPowerview is a PowerShell tool for reconnaissance in Windows domains. It contains a set of Powershell commands that replace the classic Windows commands of the net * type. We start the lab by opening a powershell command prompt and enabling script execution: Next, we can find the domain machines on which the current user is administrator: You can then launch a powershell session with one of these machines: HF...

Loading Database