[Learning] PrintNightmare CVE-2021-1675&CVE-2021-34527

Hi guys, have you ever heard about CVE? 

In short, CVE stands for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. Today, I will show you some interesting stuffs related to recently vulnerabilities that Microsoft has declared. CVE-2021-1675&CVE-2021-34527 both known as PrintNightmare, which described as a vulnerability existed in Microsoft Windows, especially in Windows Print Spooler service. Let's dig into it. :) 

I. Introduce

The Print Nightmare vulnerability is a "critical" exploit that affects the Windows print queue and was discovered in Windows 7. This vulnerability allows attackers to execute remote code on our devices and take control of them.

At the end of June, two different research teams published information about CVE-2021-1675, a remote code execution (RCE) vulnerability in the Windows Print Spooler. The name that has been named PrintNightmare is being used to refer to the PoC and vulnerability interchangeably across several sources, though it remains unclear currently if this moniker was intended for the newly released patch bypass, additional Print Spooler vulnerabilities which sources claim exist or CVE-2021-1675.

On July 1, Microsoft released an advisory for CVE-2021-34527, which the advisory acknowledges as the vulnerability known as PrintNightmare. Though the advisory does not offer much detail, Microsoft does note that this new CVE is a distinct and separate issue from the flaw addressed by CVE-2021-1675.

When it was originally disclosed in the June Patch Tuesday update, it was described as a low severity elevation of privilege vulnerability. That designation was updated on June 21 to indicate a critical severity and the potential for RCE. Discovery was credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE and Yunhai Zhang of NSFOCUS TIANJI Lab.

Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. With authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain.

CVE-2021-34527, announced on July 1, is also an RCE vulnerability within the Windows Print Spooler service. Successful exploitation of the vulnerability would allow attackers the ability to execute arbitrary code with SYSTEM privileges, though still requires an authenticated user account as with CVE-2021-1675.

II. Prerequisite Knowledge

1. Windows Print Spooler

- Print Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, and so on. Print Spooler service runs inside a process called spoolsv.exe. This is a system service that's typically launched at boot time, and it manages all the other components.

From a security perspective, the Windows Print Spooler, and printers in general, have been a juicy target for exploitation by attackers for many years. The 2010 Stuxnet worm used against Iranian nuclear facilities exploited a vulnerability in the service to escalate privileges and propagate malware across the network. The same Print Spooler vulnerability re-surfaced in 2020 when researchers uncovered new ways to exploit it. 

- PrintNightmare is a vulnerability in the PrintSpooler service, which allows an attacker to excute code remotely (RCE) and also allows an attacker to leverage privileges locally. CVE-2021-1675 is a local privilege escalation vulnerability and CVE-2021-34527 is a RCE vulnerability and is a lot more critical than the previous one. 

for further information 

http://unixwiz.net/temptips/windows-printsystem.html

2. Key Flaws

- Researchers found that the PrintSpooler service had an authorization bypass bug, due to which anyone could install Printer drivers using the Remote Procedure Call (RPC) function knowns as RpcAddPrinterDriverEx(). An attacker can take advantage of this function by specifying a driver file on a remote server which leads the Print Spooler (spoolsv.exe) to excute code in arbitrary DLL to gain SYSTEM privilege.

-  When a client wants to add a new printer driver on a remote system it can use the function RpcAddPrinterDriverEx. The privilege that the client needs is SeLoadDriverPrivilege which is enabled by default to the Administrators group.

The vulnerable function allows the attacker to skip that privilege check and load any printer driver it desires without the required permissions which leads to remote code execution with escalated privileges.

- We can divide the attack method into two parts: copying the malicious DLL from the attacker machine file share into the target machine local filesystem and loading the malicious DLL into spoolsv.exe.

    The first part is done by calling RpcAddPrinterDriverEx with the malicious DLL as the data file. This will cause the file to be copied into %SPOOLER%\drivers\x64\old\<version_number>\malicious.dll once we call RpcAddPrinterDriverEx again with updated values.

    The second call to RpcAddPrinterDriverEx will set the config file to be %SPOOLER%\drivers\x64\old\<version_number>\malicious.dll. This is a local path and now it will be loaded into the spoolsv.exe process.

III. Demo Step-by-Step

- Victim: Windows Server 2016 ( Promoted to Domain Controller), 1 account low-privilege

- Attacker: Ubuntu 18.04 

+ Clone https://github.com/cube0x0/CVE-2021-1675

+ Install Impacket from https://github.com/cube0x0/impacket

+ Install Smb server - config Smb server to allow guest logon

+ Install Metasploit Framework

- Scan target to find rpc endpoint could be vulnerable 

- Create Smb server, config as below

- Create a "printer driver" DLL file, this is a maliciout file contains reverse shell. Put this file onto the shared path of Smb server ( /tmp )

- Create a handler or listener with metasploit

- Run the exploit script (user:Baotest1 is low-privilege user in Domain Controller baonguyen.local, Attacker IP 192.168.14.156, Victim IP 192.168.14.160)

Exeption might be thrown, but we got a shell with system privilege

Video Demo CVE-2021-34527

https://youtu.be/SStY7vcKghY

Happy Learning!