Hi guys, have you ever heard of CVE?
In short, CVE stands for Common Vulnerabilities and Exposures: a list of publicly disclosed computer security flaws. Today I will show you some interesting things about vulnerabilities that Microsoft recently disclosed. CVE-2021-1675 and CVE-2021-34527, both known as PrintNightmare, are vulnerabilities in Microsoft Windows, specifically in the Windows Print Spooler service. Let's dig into it. :)
I. Introduction
PrintNightmare is a critical vulnerability in the Windows Print Spooler service (the component that manages the print queue) and affects Windows clients and servers from Windows 7 onward. It allows attackers to execute code remotely on affected devices and take control of them.
At the end of June, two different research teams published information about CVE-2021-1675, a remote code execution (RCE) vulnerability in the Windows Print Spooler. The name PrintNightmare has been used across several sources to refer to the proof-of-concept (PoC) and the vulnerability interchangeably, though at the time it remained unclear whether the moniker was intended for the newly released patch bypass, for additional Print Spooler vulnerabilities that sources claimed existed, or for CVE-2021-1675 itself.
On July 1, Microsoft released an advisory for CVE-2021-34527, which it acknowledges as the vulnerability known as PrintNightmare. Though the advisory does not offer much detail, Microsoft notes that this new CVE is a distinct and separate issue from the flaw addressed by CVE-2021-1675.
When CVE-2021-1675 was originally disclosed in the June Patch Tuesday update, it was described as a low-severity elevation-of-privilege vulnerability. That designation was updated on June 21 to critical severity with the potential for RCE. Discovery was credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE, and Yunhai Zhang of NSFOCUS TIANJI Lab.
Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, an attacker needs an account that can authenticate to the spooler service; with that authentication, the flaw can be exploited to elevate privileges to SYSTEM, which makes it a valuable link in an attack chain (for example, from a compromised low-privilege domain account straight to a Domain Controller).
CVE-2021-34527, announced on July 1, is also an RCE vulnerability in the Windows Print Spooler service. Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges, though it still requires an authenticated user account, as with CVE-2021-1675.
II. Prerequisite Knowledge
1. Windows Print Spooler
- Print Spooler is a Windows service enabled by default on all Windows clients and servers. The service manages print jobs: loading printer drivers, receiving files to be printed, queuing and scheduling them, and so on. It runs inside a process called spoolsv.exe, a system service that is typically launched at boot time and manages all the other printing components. Because the spooler loads printer drivers (which are ordinary DLLs) into its own process, and that process runs as SYSTEM, any driver it loads runs with SYSTEM privileges.
From a security perspective, the Windows Print Spooler, and printers in general, have been a juicy target for attackers for many years. The 2010 Stuxnet worm used against Iranian nuclear facilities exploited a vulnerability in the service to escalate privileges and propagate across the network. The same Print Spooler weakness resurfaced in 2020 when researchers uncovered new ways to exploit it.
- PrintNightmare is a vulnerability in the Print Spooler service that allows an attacker to execute code remotely (RCE) and also to escalate privileges locally. CVE-2021-1675 was originally classified as a local privilege escalation vulnerability, while CVE-2021-34527 is an RCE vulnerability and is a lot more critical than the previous one.
For further information: http://unixwiz.net/temptips/windows-printsystem.html
2. Key Flaws
- Researchers found that the Print Spooler service had an authorization bypass bug: any authenticated user could install printer drivers through the Remote Procedure Call (RPC) function known as RpcAddPrinterDriverEx(), an operation that is supposed to be restricted to administrators. An attacker takes advantage of this by pointing the driver path at a DLL hosted on a server they control (an SMB share); the Print Spooler (spoolsv.exe) copies that DLL into its local driver directory and loads it, so the attacker's code executes inside the spooler process with SYSTEM privileges. Since the call can be made over the network by any domain user, a single low-privilege account is enough to reach SYSTEM on every host that exposes the spooler, including Domain Controllers.
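The conditions that make this flaw reachable on a given host can be audited from PowerShell. The script below is an added example written for this post, not code from the original article or from Microsoft: it checks the service state and the registry values named in Microsoft's CVE-2021-34527 workaround advisory (RegisterSpoolerRemoteRpcEndPoint, and the Point and Print values NoWarningNoElevationOnInstall and UpdatePromptSettings), and its -Remediate switch (my own naming) applies the documented workarounds. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit a host for the conditions
# that make the RpcAddPrinterDriverEx flaw reachable and, with -Remediate,
# apply Microsoft's documented workarounds. Registry paths and value names are
# those from the CVE-2021-34527 advisory; the -Remediate switch is my own naming.
param(
    [switch]$Remediate
)

$findings    = @()
$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey      = Join-Path $printersKey 'PointAndPrint'

# DomainRole 4 = backup DC, 5 = primary DC. A DC should not run the spooler
# unless it is deliberately also acting as a print server.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# 1. Service state: if the spooler is not running, the RPC interface that
#    RpcAddPrinterDriverEx lives on is not reachable at all.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
if ($spoolerRunning) {
    $where = if ($isDC) { ' on a Domain Controller' } else { '' }
    $findings += "Spooler is running$where (startup type: $($spooler.StartType))"
}

# 2. Remote access: policy 'Allow Print Spooler to accept client connections'.
#    1 = enabled (remote clients may call RpcAddPrinterDriverEx), 2 = disabled,
#    absent = default, which is enabled.
$remoteRpc = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint `
              -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($remoteRpc -ne 2) {
    $shown = if ($null -eq $remoteRpc) { 'not set' } else { $remoteRpc }
    $findings += "Remote RPC endpoint not disabled (RegisterSpoolerRemoteRpcEndPoint = $shown)"
}

# 3. Point and Print: the advisory requires both values to be 0 or not defined.
#    A non-zero value lets non-admin users install drivers without an elevation
#    prompt, which is the behaviour the exploit relies on.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = (Get-ItemProperty -Path $pnpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value -and $value -ne 0) {
        $findings += "PointAndPrint\$name = $value (must be 0 or not defined)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host '[+] No PrintNightmare exposure conditions found.'
    return
}

Write-Host '[!] Exposure conditions:'
$findings | ForEach-Object { Write-Host "    - $_" }

if (-not $Remediate) { return }

# Workaround 2 from the advisory: keep local printing, refuse remote clients.
New-Item -Path $printersKey -Force | Out-Null
Set-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord

# Reset Point and Print to the safe setting.
New-Item -Path $pnpKey -Force | Out-Null
Set-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
Set-ItemProperty -Path $pnpKey -Name UpdatePromptSettings -Value 0 -Type DWord

if ($isDC) {
    # Workaround 1: on a Domain Controller, disable the service outright.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host '[+] Spooler stopped and disabled on this Domain Controller.'
} elseif ($spoolerRunning) {
    # Restart so the RPC endpoint setting takes effect; leave a stopped spooler stopped.
    Restart-Service -Name Spooler -Force
    Write-Host '[+] Remote spooler access disabled and Point and Print reset; service restarted.'
}
```

Two caveats: these settings only reduce exposure, and only the security update actually fixes the flaw, so treat the script as a stop-gap and a compliance check, not a patch. In a domain, push the same registry values through Group Policy rather than per host, otherwise a later policy refresh can silently revert them.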
III. Demo Step-by-Step
- Victim: Windows Server 2016 (promoted to Domain Controller), plus one low-privilege domain account