itm4n/PrivescCheck

Add printnightmare LPE vulnerable configurations

Acebond opened this issue · 18 comments

In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
https://twitter.com/gentilkiwi/status/1412771368534528001
https://github.com/tothi/CVE-2021-1675

If Point and Print is enabled, the PrintNightmare patch can be completely bypassed, and PrintNightmare works for RCE and LPE. If NoWarningNoElevationOnInstall (and, I assume, NoWarningNoElevationOnUpdate) is enabled, the patch can be bypassed for LPE. Microsoft has stated that these vulnerable configurations are not something that will be patched.

I think it would be good to add these registry keys to PrivescCheck to check if the system is vulnerable to privilege escalation using PrintNightmare.

itm4n commented

Thanks for the suggestion, that's a good idea. :)
Writing the check shouldn't take long but testing will be another story. :/

mpgn commented

To make it vulnerable:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 1 (DWORD)
UpdatePromptSettings = 1 (DWORD)

Restart the spooler service

itm4n commented

Hi @mpgn ! 🙂

I know you followed the "PrintNightmare case" more closely than I did. 😉
If I understand correctly, a fully patched Windows machine should no longer be vulnerable to the RCE. However it might be vulnerable to the LPE if PointAndPrint is enabled without elevation.

So, first question, do you know if the two registry values need to be set to 1 simultaneously for the machine to be vulnerable or only one of them is enough?

Second question, what is the most reliable PoC at the moment to test this scenario locally?

Thanks for your help.

itm4n commented

The answers I'm looking for seem to be in this thread: https://twitter.com/gentilkiwi/status/1416429860566847490 😛

...and this flow chart: https://twitter.com/wdormann/status/1413210835326054402/photo/1

mpgn commented

So, to be quick, even if you are patched, if you have Point and Print you are vulnerable to RCE and LPE unless you have a registry key set that "Disable inbound remote printing through" to prevent RCE (I don't have the name right now).

For the LPE, there is no fix currently, it's just pure 0day in the wild ;) (unless you set this GPO 'Package Point and print - Approved servers', but I don't have the name of the registry key)

As for the flow chart, unfortunately, I don't recommend following it. Lots of wrong information that misleads people into thinking they are secure, but maybe this is not the most up-to-date one ;)

itm4n commented

I'm making some progress. I traced back a part of the whole story. So...

I have a fully up-to-date Windows 10 Pro virtual machine. In this case, Mimikatz' PoC fails, which is the expected result.

misc::printnightmare /server:localhost /library:C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
[ms-par/ncacn_ip_tcp] remote: localhost
> RpcAsyncGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{2c937332-3e8d-4aee-827b-6fe5c213acc5}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
> RpcAsyncAddPrinterDriver: ERROR kuhl_m_misc_printnightmare_AddPrinterDriver ; 5

Then, I set NoWarningNoElevationOnInstall to 1 and restarted the spooler.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v NoWarningNoElevationOnInstall /d 1 /t reg_dword
net stop spooler
net start spooler

I ran the PoC once again, and this time, the PoC worked.

mimikatz # misc::printnightmare /server:localhost /library:C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
[ms-par/ncacn_ip_tcp] remote: localhost
> RpcAsyncGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{ca42c0d6-e593-4ddc-ad35-289a456a90ff}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
> RpcAsyncAddPrinterDriver: OK!

The other registry value - UpdatePromptSettings - is probably here to kill another attack vector, which I'm not aware of at the moment. Perhaps there is another PoC out there that leverages this one.

So, based on these results, I can already write a very simple (and naïve) check.

However, I also tested the attack vector described by @gentilkiwi in this tweet: https://twitter.com/gentilkiwi/status/1416429860566847490
This one works by default on a fully up-to-date machine by design. As highlighted by Benjamin, the only way for preventing this attack at the moment is by enforcing the Package Point and print - Approved servers policy and specifying a list of trusted print servers.
I still need to figure out how I should handle this case.

mpgn commented

For the LPE, check if the GPO 'Package Point and print - Approved servers' is set; there is surely a registry key linked to this, and the list of approved servers is set. Then, if set, no LPE.

Otherwise, if you don't have this GPO set, it's LPE by design on Windows; there is not much else to check.

itm4n commented

Yes, I know. I followed Benjamin's recommendations.
So I configured the "Package Point and print - Approved servers" policy.
This one blocks the most recent exploit (which can still be considered as a 0-day at the moment like you said).

mpgn commented

I still think the check for at least the RCE is useful ;)

itm4n commented

I listened to the NoLimitSecu episode on PrintNightmare: https://www.nolimitsecu.fr/printnightmare/
Benjamin said that the NoWarningNoElevationOnInstall setting was often enabled in enterprise environments.
So this test seems entirely relevant to me, all the more so since I was able to validate it in my lab.

itm4n commented

So... here is what I came up with:

+------+------------------------------------------------+------+
| TEST | CONFIG > PrintNightmare exploit                | VULN |
+------+------------------------------------------------+------+
| DESC | Checks whether the Print Spooler service is enabled   |
|      | and if the Point and Print configuration allows       |
|      | low-privileged users to install printer drivers (even |
|      | on a fully up-to-date machine).                       |
+------+-------------------------------------------------------+
[*] Found 2 result(s).


Path  : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value : NoWarningNoElevationOnInstall
Data  : 1

Path  : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value : RestrictDriverInstallationToAdministrators
Data  : 0

In the end, I also had to check the value of RestrictDriverInstallationToAdministrators based on the information provided in this KB.

When the patch for CVE-2021-34527 is installed, the RestrictDriverInstallationToAdministrators setting can be set to 1 to override the two other registry values. In this case, only administrators can install print drivers.

Once again, this does not take into account the latest exploit technique described by @gentilkiwi, which bypasses any patch or setting.

mpgn commented

good :)

mpgn commented

Okay, so by design there is an LPE on all Windows as demonstrated by Benjamin.
Nevertheless, there is a mitigation https://twitter.com/gentilkiwi/status/1425875881680068608?s=20

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1

If the registry keys above are set, no more LPE! Maybe worth checking, because right now the script only tells you if you have patched your system, but not if you are secure and not vulnerable to this LPE.

I suggest you check out the "Driver" machine on HTB; this check should have been accurate, but for some reason it wasn't.

itm4n commented

Hmm, sure, can you provide more details please? (I really don't have time to spare on HTB at the moment)
What is the configuration of the machine?
The output of the command reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" would definitely help.

That's the weird part - it just doesn't exist... I ran these same commands from user and admin space, same results.

```
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
```

This is what worked:
https://github.com/calebstewart/CVE-2021-1675

itm4n commented

That's not weird. The most likely explanation is that the security patches for PrintNightmare were simply not installed.
As a reminder, the aim of this check is to verify whether a fully up-to-date machine has a vulnerable "Point and Print" configuration that would allow low-priv users to install print drivers.

Maybe I should rename it from "PrintNightmare exploit" to something like "Point and Print configuration" to avoid the confusion.

itm4n commented

Some news about this "feature request":

  • I removed the term PrintNightmare from the title of this check to avoid confusion. It's now simply called Point and Print which is actually more accurate.
  • I finally added a test for the registry values PackagePointAndPrintOnly and PackagePointAndPrintServerList. Better late than never...
  • If PackagePointAndPrintServerList is set to 1, I don't check the content of the ListofServers registry key though. I simply added a mention about it in the description so that people can check it manually.
  • About the description field... I added a description to each tested value to make it easier to understand the output, i.e. why a given setting is reported as vulnerable.

I think that's it. I'm finally done with this one. Special thanks to @Acebond and @mpgn . 🎉
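The following is an added example, not PrivescCheck's own code and not something posted in this issue. It pulls together the three parts of the thread into one stand-alone assessment: the PointAndPrint values from the MSRC guidance quoted in the opening post, the RestrictDriverInstallationToAdministrators override mentioned alongside the check output above, and the PackagePointAndPrint mitigation @mpgn posted. The decision rules are an assumption taken from the thread's own statements (NoWarning*/UpdatePromptSettings = 1 enables non-admin driver installs unless RestrictDriverInstallationToAdministrators = 1; Package Point and Print is only considered restricted when PackagePointAndPrintOnly = 1, PackagePointAndPrintServerList = 1 and ListofServers is non-empty). The function name and output shape are my own; HKLM\SOFTWARE\Policies is readable by standard users, so no elevation is needed to run it.

```powershell
# Added example for this issue (not PrivescCheck code). Assesses the Point and Print
# policy configuration discussed above. Decision rules are an assumption based on the
# thread; verify them against the current Microsoft guidance for your patch level.

$PnP  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PPnP = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means "not defined", which the MSRC guidance treats as the default setting.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PointAndPrintAssessment {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $cfg = [ordered]@{
        SpoolerRunning                             = [bool]($spooler -and $spooler.Status -eq 'Running')
        NoWarningNoElevationOnInstall              = Get-RegDword $PnP  'NoWarningNoElevationOnInstall'
        NoWarningNoElevationOnUpdate               = Get-RegDword $PnP  'NoWarningNoElevationOnUpdate'
        UpdatePromptSettings                       = Get-RegDword $PnP  'UpdatePromptSettings'
        RestrictDriverInstallationToAdministrators = Get-RegDword $PnP  'RestrictDriverInstallationToAdministrators'
        PackagePointAndPrintOnly                   = Get-RegDword $PPnP 'PackagePointAndPrintOnly'
        PackagePointAndPrintServerList             = Get-RegDword $PPnP 'PackagePointAndPrintServerList'
        ApprovedServers                            = @()
        Findings                                   = @()
        Vulnerable                                 = $false
    }

    # ListofServers holds one REG_SZ value per approved server, named "1", "2", ... (see the reg add lines above).
    $listKey = Join-Path $PPnP 'ListofServers'
    if (Test-Path $listKey) {
        $item = Get-Item $listKey
        $cfg.ApprovedServers = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }

    if (-not $cfg.SpoolerRunning) {
        $cfg.Findings += 'Print Spooler is not running: Point and Print driver installation is not reachable.'
        return [pscustomobject]$cfg
    }

    # Rule 1 (assumption, from the MSRC text quoted in the issue): any of these set to 1 lets
    # non-admin users install print drivers without an elevation prompt...
    $noElevation = @(@('NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate', 'UpdatePromptSettings') |
        Where-Object { $cfg[$_] -eq 1 })

    # ...unless RestrictDriverInstallationToAdministrators = 1 overrides them (per the KB cited above).
    if ($cfg.RestrictDriverInstallationToAdministrators -eq 1) {
        $cfg.Findings += 'RestrictDriverInstallationToAdministrators=1: only administrators can install print drivers (overrides the NoWarning* values).'
    }
    elseif ($noElevation.Count -gt 0) {
        $cfg.Vulnerable = $true
        $cfg.Findings += "Non-admin users can install print drivers without elevation ($($noElevation -join ', ') = 1): PrintNightmare LPE works even on a patched host."
    }
    elseif ($null -eq $cfg.RestrictDriverInstallationToAdministrators) {
        # Caveat: the meaning of "not defined" changed with the August 2021 updates (KB5005652),
        # which made admin-only installs the default. Flag it for manual review rather than guessing.
        $cfg.Findings += 'RestrictDriverInstallationToAdministrators not defined: behaviour depends on patch level (admin-only by default since the August 2021 updates).'
    }
    else {
        $cfg.Findings += 'RestrictDriverInstallationToAdministrators=0 but no NoWarning* value is set: non-admin driver installs still prompt for elevation.'
    }

    # Rule 2 (assumption, from @mpgn's mitigation above): the rogue print server technique is only
    # blocked when Package Point and Print is limited to an explicit, non-empty list of approved servers.
    $restricted = ($cfg.PackagePointAndPrintOnly -eq 1) -and
                  ($cfg.PackagePointAndPrintServerList -eq 1) -and
                  ($cfg.ApprovedServers.Count -gt 0)
    if ($restricted) {
        $cfg.Findings += "Package Point and Print limited to approved servers: $($cfg.ApprovedServers -join ', ') (check that these are really yours)."
    }
    else {
        $cfg.Vulnerable = $true
        $cfg.Findings += 'Package Point and Print is not limited to an approved server list: the rogue print server technique is not blocked.'
    }

    return [pscustomobject]$cfg
}

Get-PointAndPrintAssessment | Format-List
```

Running this on the lab configuration from the thread (NoWarningNoElevationOnInstall = 1, RestrictDriverInstallationToAdministrators = 0, no PackagePointAndPrint policy) reports Vulnerable = True with both findings; applying the three reg add lines from @mpgn's comment and setting RestrictDriverInstallationToAdministrators to 1 flips it to False. The approved-server list is printed rather than validated, for the same reason the final comment gives: whether an entry is a legitimate print server is something only the owner of the environment can judge.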