🥶 Review of PrintNightmare CVE‑2021‑34527
Greetings,
Today we look at PrintNightmare, which I mentioned in the last post: a classic example of how a stock Windows service turns into an entry point for RCE and into a platform for the ransomware operations of Vice Society and Magniber. This post should also help you piece together the logic behind the recent Metro4Shell vulnerability.
Sangfor researchers published a technical breakdown and a PoC on GitHub under CVE-2021-1675; Microsoft then split the still-unpatched part off under its own identifier, CVE-2021-34527, and the family is usually discussed together with CVE-2021-36958 and CVE-2021-1678.
PrintNightmare uses the printing service to execute arbitrary code remotely (RCE) and to escalate privileges locally (LPE): the attacker ends up with SYSTEM rights, and on a domain controller that means control over Active Directory.
This is the bug that blew a hole in spoolsv.exe, and it hurt so much because Print Spooler is enabled by default on almost all Windows machines, including domain controllers. The vulnerability lies in the RPC calls RpcAddPrinterDriver / RpcAddPrinterDriverEx, which let an authenticated user install a print driver from an arbitrary path. The "driver", a malicious DLL, is copied into the system printer-driver directory and loaded with SYSTEM rights inside spoolsv.exe. The result is RCE against a remote spooler and LPE on a local one.
How it works:
• The client calls RpcAddPrinterDriver / RpcAddPrinterDriverEx on the remote print server
• The driver file path (pDataFile) points to an SMB share under the attacker's control, where a malicious DLL sits in place of a driver
• Print Spooler copies the DLL into C:\Windows\System32\spool\drivers\… and loads it with SYSTEM rights as part of the printing infrastructure
What does it give the attacker?
• Full control over the host
• Creation of new accounts with full rights
• Collection and theft of credentials
• LSASS dump
• Dropping DLLs and INI files on other hosts
• Spreading malicious drivers across the network
Cases
• Magniber uses PrintNightmare for LPE: the malicious DLL is loaded into the process, unpacks the encryptor, encrypts files and deletes backups
• Vice Society exploits PrintNightmare: it uses proxychains and impacket for lateral movement, deliberately attacks backup copies, goes after ESXi hosts, and steals credentials
Risk Reduction Measures
• Disable the Print Spooler service on every system where printing is not needed, or
— Disable inbound remote printing via local/group policy
— Forbid users without admin rights from installing drivers and printers
• Enforce stronger authentication on the spooler's RPC interface (IRemoteWinspool) to reduce the risk of relay and spoofing attacks (CVE-2021-1678):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print]
"RpcAuthnLevelPrivacyEnabled"=dword:00000001
• Forbid driver installation without administrator rights (with segregation of duties in mind)
• Keep the UAC warnings and prompts when new drivers are installed
• Limit the list of trusted print servers and driver sources
• Do not use domain controllers as general-purpose print servers; run Spooler on a dedicated print server instead
• Monitor spoolsv.exe activity: unusual RpcAddPrinterDriverEx calls, new DLLs appearing in the printer-driver directory, impacket/proxychains activity, atypical connections to ESXi and backup servers
• Install all out-of-band Microsoft updates for CVE-2021-34527 / CVE-2021-1675 / CVE-2021-36958 / CVE-2021-1678.
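To make the list above checkable, here is an added example of my own (not code from the original post, Microsoft, or any of the groups mentioned): a read-only PowerShell audit that reports one host's Print Spooler state against these measures. The registry paths and values follow Microsoft's PrintNightmare guidance (the RpcAuthnLevelPrivacyEnabled key quoted above, RestrictDriverInstallationToAdministrators from KB5005652, the Point and Print prompt settings, and the "accept client connections" policy) as I remember them; verify them against current documentation before relying on the script. Event ID 316 (driver added or updated, with the file list) in PrintService/Operational and 808 (failed to load a plug-in module) in PrintService/Admin are the events a driver-install attempt leaves behind.

```powershell
# Added example: read-only audit of one host against the Print Spooler measures above.
# Run in PowerShell 5.1+ as an administrator (reading the event logs needs it).
# Registry names/values follow Microsoft's PrintNightmare guidance; re-check against current docs.

# Desired state for each registry value. AbsentOk = $true means a missing value
# leaves the secure default in place (the install/update prompt is still shown).
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
       Name = 'RpcAuthnLevelPrivacyEnabled'; Want = 1; AbsentOk = $false }            # RPC privacy on IRemoteWinspool (CVE-2021-1678)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Name = 'RestrictDriverInstallationToAdministrators'; Want = 1; AbsentOk = $false } # only admins install drivers; set it explicitly
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Name = 'NoWarningNoElevationOnInstall'; Want = 0; AbsentOk = $true }           # 1 would silence the UAC prompt on install
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Name = 'UpdatePromptSettings'; Want = 0; AbsentOk = $true }                    # 1/2 would silence the prompt on driver update
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
       Name = 'RegisterSpoolerRemoteRpcEndPoint'; Want = 2; AbsentOk = $false }       # 2 = "Allow Print Spooler to accept client connections" Disabled
)

function Get-SpoolerHardeningReport {
    $report = @()

    # 1. Service state. Not running spoolsv.exe at all is the only complete fix;
    #    to apply it: Stop-Service Spooler; Set-Service Spooler -StartupType Disabled
    $svc      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $svcState = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
    $svcPass  = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    $report += [pscustomobject]@{ Check = 'Spooler service'; Actual = $svcState; Want = 'Stopped/Disabled'; Pass = $svcPass }

    # 2. Registry values that matter only while the service stays enabled.
    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        $pass   = if ($null -eq $actual) { $c.AbsentOk } else { [int]$actual -eq $c.Want }
        $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
        $report += [pscustomobject]@{ Check = $c.Name; Actual = $shown; Want = $c.Want; Pass = $pass }
    }
    $report
}

# DLLs written into the driver store recently: the exploit drops its payload here.
function Get-RecentDriverDlls {
    param([int]$Days = 7)
    $dir = Join-Path $env:SystemRoot 'System32\spool\drivers'
    Get-ChildItem -Path $dir -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime, Length
}

# Spooler events a driver-install attempt leaves: 316 (driver added/updated, lists
# the files) in the Operational log, 808 (plug-in module failed to load) in Admin.
# The Operational log is off by default:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
function Get-RecentDriverEvents {
    param([int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $start }
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $start }
    ) | ForEach-Object { Get-WinEvent -FilterHashtable $_ -ErrorAction SilentlyContinue } |
        Select-Object TimeCreated, Id, Message
}

$report = Get-SpoolerHardeningReport
$report | Format-Table Check, Actual, Want, Pass -AutoSize

# If the spooler is still enabled, show what has changed in its driver store lately.
if (-not ($report | Where-Object Check -eq 'Spooler service').Pass) {
    "`nSpooler is enabled; driver activity over the last 7 days:"
    Get-RecentDriverDlls   | Format-Table -AutoSize
    Get-RecentDriverEvents | Format-Table -AutoSize -Wrap
}
```

The registry settings only narrow the attack surface of a spooler you have decided to keep; they do not replace the out-of-band patches, and a host that reports Pass on every line but is missing the July/August 2021 updates is still exploitable. Run the script from a jump host against print servers and domain controllers first, since those are where the spooler is most often left on by accident.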
Overall: you now understand what the RCE path looks like, what risks it carries, and what works and how. By analogy with these examples you will be able to work out how new kinds of attacks are implemented, and meanwhile we keep waiting for the next Thursday's updates from our favourite OS vendor 🤔
Footnote
LSASS is the service responsible for authenticating users, applying local and domain security policies and issuing access tokens; its memory holds password hashes, Kerberos tickets and other sensitive credentials.
#research #riskanalysis #appsec #specialty #pmcases #term
