POC详情: 8a65f91304c654c36d24ff8f747a6aa859059852

来源
关联漏洞
标题: Microsoft Windows Print Spooler Components 安全漏洞 (CVE-2021-34527)
描述:Microsoft Windows Print Spooler Components是美国微软(Microsoft)公司的一个打印后台处理程序组件。 Microsoft Windows Print Spooler Components 存在安全漏洞,攻击者可以通过该漏洞绕过PfcAddPrinterDriver的安全验证,并在打印服务器中安装恶意的驱动程序。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1
描述
Small Powershell Script to detect Running Printer Spoolers on Domain Controller
介绍
# CVE-2021-1675 / CVE-2021-34527

Two mini Script to check if the PrintSpooler Serivce is running within the Forest.

CVE-2021-1675:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675

CVE-2021-34527 aka PrintNightmare

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

## Scripts

Detect running Printer Spooler Service on DCs:

https://github.com/DenizSe/CVE-2021-1675/blob/main/Get-PrinterSpoolerState.ps1

Detect running Printer Spooler Service on Machines within OU:

https://github.com/DenizSe/CVE-2021-1675/blob/main/Get-PrinterSpoolerStateOU.ps1

# Official Guidance (Taken from CVE-2021-34527

## Workarounds
Determine if the Print Spooler service is running (run as a Domain Admin)

Run the following as a Domain Admin:

Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

### Option 1 - Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

### Option 2 - Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

For more information see: Use Group Policy settings to control printers.
文件快照

[4.0K] /data/pocs/8a65f91304c654c36d24ff8f747a6aa859059852 ├── [ 11K] Get-PrinterSpoolerStateOU.ps1 ├── [ 12K] Get-PrinterSpoolerState.ps1 └── [2.0K] README.md 0 directories, 3 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。