CVE-2022-21999 Windows Print Spooler(打印服务)特权提升漏洞

一、Print Spooler 简介

Print Spooler是打印后台处理服务，即管理所有本地和网络打印队列及控制所有打印工作。如果此服务被停用，本地计算机上的打印将不可用。如果此服务被禁用，任何依赖于它的服务将无法启用，被⼴泛应用于本地和内网中！

二、漏洞简介

2021年6⽉29⽇，安全研究⼈员在GitHub上公开了CVE-2021-1675 Windows Print Spooler远程代码执⾏漏洞的PoC。该漏洞是Microsoft 6⽉星期⼆补丁⽇中公开的⼀个RCE漏洞，其存在于管理打印过程的Print Spooler (spoolsv.exe) 服务中，会影响所有 Windows系统版本。

2022年2⽉8⽇，Windows Print Spooler（CVE-2022-2199）提权漏洞再次爆出，该漏洞是 PrintNightmare 的续集！Windows系统默认开启 Print Spooler 服务，普通⽤户可以利⽤此漏洞提升⾄管理员权限。

三、影响版本

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core

installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core

installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core

installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows 10 Version 21H2 for x64-based Systems

Windows 10 Version 21H2 for ARM64-based Systems

Windows 10 Version 21H2 for 32-bit Systems

Windows 11 for ARM64-based Systems

Windows 11 for x64-based Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server 2022 Azure Edition Core Hotpatch

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

四、本地复现

测试环境

该版本在漏洞影响范围内，下面开始提权

脚本下载地址：https://github.com/ly4k/SpoolFool

使用该脚本进⾏提权时，会默认添加 admin ⽤户、密码：Passw0rd!

出现 DLL should be loaded 则表示成功！

查看是否添加成功获得 administrator权限

提权成功！此时用户admin以是管理员权限。

执⾏漏洞利⽤后，将留下以下内容以供以后清理

五、漏洞修复

临时修复方法 (针对某些业务无法及时更新补丁的情况可采取如下方法)

(1)禁用后台打印处理服务

win+R 输⼊：services.msc 打开服务界⾯

找到Print Splooler服务，双击该服务，将其服务停止，服务启动类型选择为禁用即可。

(2)微软官方已针对支持的系统版本发布了修复该漏洞的安全补丁，建议受影响用户尽快安装补丁

进行防护。

点击此处：https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999