During the June Patch Tuesday, Microsoft released a patch for a vulnerability in the Print Spooler service. The vulnerability allows an attacker or malicious insider who has valid credentials for a non-privileged user account and network access to a vulnerable Windows server to escalate to the privileges of an Administrator or Domain Administrator. The vulnerability was assigned CVE-2021-1675.

On June 30th, at least two exploit proofs-of-concept were circulating publicly that effectively exploited the vulnerability against fully patched Windows Server 2019 systems. The exploits demonstrate delivering a DLL payload over SMB connections to a Domain Controller; the payload adds a new user account and then adds that account to the Administrators group. Some tests have shown the attack working against Windows Server 2016 as well. The attack works more consistently against Domain Controllers.
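The payload behaviour described above, a new account created and then added to the Administrators group, shows up in the Windows Security log as event 4720 (user account created) followed by event 4732 (member added to a security-enabled local group). The following is an added example, not part of the original alert, that correlates the two; the event dictionaries, their field names, the host and account names and the five-minute window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the BUILTIN Administrators group
WINDOW = timedelta(minutes=5)        # assumed correlation window; tune per environment

# Constructed sample events (not real logs), reduced to the fields used below.
# Field names are this example's own, not a Windows or SIEM schema.
SAMPLE_EVENTS = [
    {"time": "2021-06-30T10:00:01", "id": 4720, "host": "DC01", "subject": "DC01$",
     "account": "svc_new", "account_sid": "S-1-5-21-1-2-3-1601"},
    {"time": "2021-06-30T10:00:02", "id": 4732, "host": "DC01", "subject": "DC01$",
     "group_sid": ADMINISTRATORS_SID, "member_sid": "S-1-5-21-1-2-3-1601"},
    # Routine account creation that is never added to Administrators.
    {"time": "2021-06-30T11:00:00", "id": 4720, "host": "DC01", "subject": "helpdesk1",
     "account": "jdoe", "account_sid": "S-1-5-21-1-2-3-1602"},
    # Long-standing account added to Administrators: no recent 4720 to pair with.
    {"time": "2021-06-30T12:00:00", "id": 4732, "host": "DC01", "subject": "admin1",
     "group_sid": ADMINISTRATORS_SID, "member_sid": "S-1-5-21-1-2-3-1500"},
]


def find_create_then_admin(events, window=WINDOW):
    """Return one alert per account created and then added to Administrators
    on the same host within `window`."""
    created = {}  # (host, account SID) -> (creation time, 4720 event)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[(ev["host"], ev["account_sid"])] = (when, ev)
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            hit = created.get((ev["host"], ev["member_sid"]))
            if hit and when - hit[0] <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": hit[1]["account"],
                    "created_by": hit[1]["subject"],
                    "added_by": ev["subject"],
                    "seconds_apart": (when - hit[0]).total_seconds(),
                    # The Print Spooler service runs as SYSTEM, whose actions are
                    # typically logged under the computer account (name ends in "$").
                    "actor_is_machine_account": ev["subject"].endswith("$"),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_create_then_admin(SAMPLE_EVENTS):
        print(alert)
```

An alert where both the creation and the group change were performed by the server's own computer account is the pattern most worth triaging first, since administrators normally make such changes under named accounts.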
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is