
Beyond The Printer : Exploring PrintNightmare

A detailed insight into how to exploit PrintNightmare (LPE and remote) with root cause analysis.

Monish Kumar

March 09, 2024

Transcript

  1. WHOAMI
     - Digital footprint: @AidenPearce369
     - Red Team | Mal Dev | App Sec
     - Founder @TAMILCTF
     - Security Engineer @ZOHO
     - https://offsec.aidenpearce369.xyz
  2. Print Spooler
     - Runs as spoolsv.exe, a native Windows service
     - Runs with SYSTEM privilege from the moment the OS starts
     - Enabled by default on all machines
     - Buffers and processes print jobs
  3. Print Spooler
     - Runs on the Windows print client
     - Shares the print queue with the print server
     - Manages print jobs
     - Converts print data into specific formats
  4. Microsoft Point and Print
     - Allows a Windows user to connect to any printer remotely
     - No installation media required; the required configuration is retrieved from the print server
     - Allows clients to install drivers hosted on print servers, even without admin privileges
     - Point and Print documentation
  5. Microsoft Point and Print
     - When using package point and print, client computers check the driver signature of all drivers that are downloaded from print servers
     - If Point and Print is misconfigured on a patched, up-to-date OS, PrintNightmare may come back to haunt you!
     - MPP can also be abused via "Bring Your Own (Vulnerable) Driver": https://github.com/jacob-baines/concealed_position
  6. Package Aware vs Non-Package Aware
     - A package-aware driver ensures that all of the driver components in your package are configured for use during a point-and-print operation.
     - Point and print enables a Windows user to create a connection to a remote printer without providing disks or other installation media.
     - Point and Print documentation
  7. Package Aware vs Non-Package Aware
     - Non-package-aware drivers, on the other hand, may need to be manually installed or configured by the user.
     - This could involve downloading the driver from the manufacturer's website, compiling it from source code, or executing an installation script provided by the manufacturer.
     - Point and Print documentation
  8. PrintNightmare
     - Privilege escalation to SYSTEM by abusing spoolsv.exe
     - Leverages the functionality to add printer drivers
     - Normal domain users can add drivers to any machine (ABUSE)
     - No proper privilege validation is performed (SPOILER)
     - Instant EoP (Elevation of Privilege)
     - Payload can easily be loaded as a DLL file (locally or from a remote SMB share)
     - Caveat: the DLL lands on disk, so a workaround is needed for AV evasion
  9. CVE-2021-1675: Local Privilege Escalation (LPE)
     - Attacker needs to be a domain user authenticated on the machine
     - Attacker tries to add a printer driver via AddPrinterDriverEx()
     - Loads a malicious DLL as the printer driver
     - Runs the DLL in SYSTEM context
  10. CVE-2021-1675
     - Attacker adds a printer driver locally; AddPrinterDriverEx() is called
     - pDriverInfo and dwFileCopyFlags are user controllable
     - dwFileCopyFlags is set to APD_COPY_ALL_FILES to get the controlled DLL into the printer driver path
  11. CVE-2021-1675
     - pDriverPath and pDataFile are properly validated to not be UNC paths
     - pConfigFile is not validated and can be a UNC path
     - pConfigFile therefore becomes controllable and can be used to load arbitrary DLL files (local or network)
  12. CVE-2021-1675
     - If the 15th bit of dwFileCopyFlags is set to 1, the SeLoadDriverPrivilege check is bypassed
     - Privilege elevation happens
     - The driver is installed with the malicious DLL
     - Code execution happens in SYSTEM context
  13. CVE-2021-34527: Remote Privilege Escalation
     - Attacker just needs a compromised domain credential
     - MS-RPRN protocol (Print System Remote Protocol)
     - Attacker leverages the RpcAddPrinterDriverEx() RPC call
     - Same execution as CVE-2021-1675
  14. CVE-2021-34527
     - Further found: PrintNightmare via RpcAsyncAddPrinterDriver() in MS-PAR (Print System Asynchronous Remote Protocol)
     - Also found in MS-PAN (Print System Asynchronous Notification Protocol)
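One host-side check a defender can run for the slide 11 root cause, added here as an example that is not part of the deck: the PrintManagement cmdlet Get-PrinterDriver exposes each installed driver's DriverPath, DataFile, ConfigFile and DependentFiles, so a ConfigFile on a UNC path, or any driver file outside the directories the spooler normally installs into, is the artefact to look for. The two trusted directories are an assumption stated in the code.

```powershell
# Added example: audit installed print drivers for files placed outside the
# spooler's own driver directories. The pConfigFile weakness (slide 11) let a
# config file be a UNC path, so a UNC ConfigFile, or any driver file elsewhere
# on disk, is what a defender looks for. Requires the PrintManagement module
# (Windows 8 / Server 2012 and later).
# Assumption: legitimate v3 drivers live under spool\drivers and v4 drivers under
# the DriverStore; adjust if your environment stages drivers elsewhere.
$trustedRoots = @(
    (Join-Path $env:SystemRoot 'System32\spool\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

function Test-SuspiciousDriverFile([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if ($Path -like '\\*') { return $true }           # UNC path: pulled from a share
    foreach ($root in $trustedRoots) {
        if ($Path -like "$root\*") { return $false }  # under a trusted directory
    }
    return $true                                      # local, but outside trusted roots
}

$report = Get-PrinterDriver | ForEach-Object {
    $files   = @($_.DriverPath, $_.DataFile, $_.ConfigFile) + @($_.DependentFiles)
    $flagged = @($files | Where-Object { Test-SuspiciousDriverFile $_ })
    $verdict = 'ok'
    if ($flagged.Count -gt 0) { $verdict = 'REVIEW' }
    [pscustomobject]@{
        Driver      = $_.Name
        Environment = $_.PrinterEnvironment
        ConfigFile  = $_.ConfigFile
        Flagged     = ($flagged -join '; ')
        Verdict     = $verdict
    }
}

# Flagged drivers first; compare each against a known-good inventory before acting.
$report | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```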
  15. Compromised Credentials
     - Enroll a new device in Duo
     - Russian state-sponsored APT: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a
     - Password spraying
     - Access the internal network and land as a low-privilege user
     - PrintNightmare exploit for privilege escalation
     - Domain controller compromise
  16. Other Notable APT Attacks
     - Vice Society ransomware
     - Magniber ransomware
     - These two ransomware groups employed PrintNightmare for privilege escalation (local/domain): https://thehackernews.com/2021/08/ransomware-gangs-exploiting-windows.html
  17. Detections
     - Monitor malicious attempts to call AddPrinterDriverEx() and RpcAddPrinterDriverEx() over TCP/SMB
     - Event ID 808: the print spooler failed to load a plug-in module
     - Event ID 316: a new print driver was added or updated
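The two event IDs on this slide live in different PrintService logs and are most telling together; the script below, an added example rather than anything from the deck, pulls both and pairs each failed module load (808) with the driver add (316) that preceded it. It assumes the Operational log was enabled beforehand (it is off by default) and that the lookback and correlation-window values suit your environment.

```powershell
# Added example: correlate the two PrintService events the deck names.
# Event 316 (Operational log) records a print driver being added or updated;
# Event 808 (Admin log) records the spooler failing to load a plug-in module.
# A driver add followed shortly by a failed module load is the pairing to triage.
# Assumptions: the Operational log was enabled beforehand (off by default):
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
# and the lookback / window values below suit your environment.
$lookbackDays  = 7
$windowSeconds = 120

$since   = (Get-Date).AddDays(-$lookbackDays)
$queries = @(
    @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since }
)

# A disabled or empty log simply contributes no events.
$events = @(foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
}) | Sort-Object TimeCreated

$driverAdds = @($events | Where-Object Id -eq 316)
$loadFails  = @($events | Where-Object Id -eq 808)

foreach ($fail in $loadFails) {
    # Most recent driver add within the window before this failed load.
    $priorAdd = $driverAdds |
        Where-Object { $_.TimeCreated -le $fail.TimeCreated -and
                       ($fail.TimeCreated - $_.TimeCreated).TotalSeconds -le $windowSeconds } |
        Select-Object -Last 1

    # The 808 message names the module the spooler tried to load; that is where
    # the dropped DLL sits on disk (slide 8: the payload lands on disk).
    $module = $fail.Message
    if ($fail.Message -match 'plug-in module\s+(.+?),') { $module = $Matches[1] }

    $precedingAdd = '(none within window)'
    $severity     = 'review'
    if ($priorAdd) {
        $precedingAdd = ($priorAdd.Message -replace '\s+', ' ')
        $severity     = 'HIGH'
    }
    [pscustomobject]@{
        Time         = $fail.TimeCreated
        FailedModule = $module
        PrecedingAdd = $precedingAdd
        Severity     = $severity
    }
}
```

On a host that should never receive new drivers, every 316 event is worth reviewing on its own, not only those paired with an 808.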
  18. Mitigations
     - First and best mitigation: disable your Print Spooler service if it is not required
     - Apply the official Microsoft patches (KB5005010) and keep the operating system up to date (enforce via GPO)
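To turn this slide into something you can run on a host, here is an added example (not from the deck) that audits both mitigations and, with an assumed -Enforce switch, applies the spooler part. It assumes an elevated session; the registry values it checks are the Point and Print settings that Microsoft's KB5005010 guidance tells administrators to verify so that a misconfigured Point and Print (slide 5) does not reopen the hole on a patched system.

```powershell
# Added example: audit a host against the deck's two mitigations and, with
# -Enforce, apply the spooler part. Assumes an elevated session. KB5005010 is
# Microsoft's guidance article for the July 2021 fix; the registry values below
# are the ones it tells administrators to verify.
[CmdletBinding()]
param([switch]$Enforce)   # -Enforce is a name chosen for this script

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Print Spooler: disable it wherever the host neither prints nor shares printers.
$spooler = Get-Service -Name Spooler
if ($spooler.Status -ne 'Stopped' -or $spooler.StartType -ne 'Disabled') {
    $findings.Add("Spooler is $($spooler.Status) with start type $($spooler.StartType)")
    if ($Enforce) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $findings.Add('Spooler stopped and disabled')
    }
}

# 2. Point and Print policy. The patch only helps if these values are not
#    loosened by policy; expected values are taken from KB5005010.
$pnpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$expected = [ordered]@{
    NoWarningNoElevationOnInstall              = 0   # must be 0 or absent
    UpdatePromptSettings                       = 0   # must be 0 or absent
    RestrictDriverInstallationToAdministrators = 1   # 1; absent means the patched default (1)
}
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $pnpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $actual -and $actual -ne $expected[$name]) {
        $findings.Add("$name = $actual (expected $($expected[$name]))")
    }
}

if ($findings.Count -eq 0) { 'OK: spooler disabled and Point and Print policy not weakened' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Where printing is required, keep the spooler but treat any FINDING on the Point and Print values as a GPO fix to push domain-wide, which is the enforcement path the slide refers to.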