Researcher Name: Yunhai Zhang of NSFOCUS TIANJI LAB, Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE
Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
CVE: CVE-2021-1675
Initially classified by Microsoft as a local privilege escalation (the advisory was later revised to remote code execution), this bug still fits right in as a nominee for Best Privilege Escalation. Some people might say all bugs are just undocumented functionality, but this one, in particular, came with an undocumented magic flag that told the Print Spooler to skip its security checks and load an arbitrary DLL into the spooler service process. Very handy, especially when any authenticated domain user can trigger it remotely over RPC and get arbitrary code execution as SYSTEM on a domain controller. L -> R
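As an added practitioner's check, not part of the nomination and not code from the researchers: a PowerShell snippet that reports whether a host still exposes the attack surface described above (the Spooler service running, which matters most on a domain controller) and whether the Point and Print policy values Microsoft documented when hardening driver installation after this bug are set in a way that lets non-administrators install print drivers. The function name and the shape of its output are this example's own; the registry key and value names are the ones from Microsoft's guidance.

```powershell
# Added example (not from the nomination or the researchers). Run elevated on
# each domain controller and print server. Assumptions: the Point and Print
# policy value names below are those Microsoft documented for hardening driver
# installation after CVE-2021-1675; Test-SpoolerExposure is this example's own name.

function Test-SpoolerExposure {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue

    $findings = New-Object System.Collections.Generic.List[string]

    if ($null -eq $svc) {
        $findings.Add('Spooler service is not installed')
    } elseif ($svc.Status -eq 'Running') {
        if ($isDc) {
            $findings.Add('Spooler is running on a domain controller; stop and disable it unless the DC must serve print jobs')
        } else {
            $findings.Add('Spooler is running; confirm this host actually needs to accept remote print driver installs')
        }
    }

    # An explicit 0 re-allows non-admin driver installs; on patched systems the
    # default is 1 even when the value is absent, so only 0 is flagged here.
    if ($pp -and $pp.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators is 0: non-admins can install print drivers')
    }
    # 1 suppresses the warning and elevation prompt for Point and Print installs.
    if ($pp -and $pp.NoWarningNoElevationOnInstall -eq 1) {
        $findings.Add('NoWarningNoElevationOnInstall is 1: Point and Print installs run without elevation')
    }
    # 2 suppresses the prompt when an existing driver is updated.
    if ($pp -and $pp.UpdatePromptSettings -eq 2) {
        $findings.Add('UpdatePromptSettings is 2: driver updates install without prompting')
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType   = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        Findings           = $findings.ToArray()
    }
}

Test-SpoolerExposure | Format-List
```

An empty Findings array on a domain controller means the spooler is stopped and none of the weakening policy values are set; a non-empty one lists what to change. The check is local, so run it through Invoke-Command or your configuration management against every DC rather than trusting a single host.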