Comments (18)

itm4n commented on July 22, 2024

So... here is what I came up with:

```text
+------+------------------------------------------------+------+
| TEST | CONFIG > PrintNightmare exploit                | VULN |
+------+------------------------------------------------+------+
| DESC | Checks whether the Print Spooler service is enabled   |
|      | and if the Point and Print configuration allows       |
|      | low-privileged users to install printer drivers (even |
|      | on a fully up-to-date machine).                       |
+------+-------------------------------------------------------+
[*] Found 2 result(s).


Path  : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value : NoWarningNoElevationOnInstall
Data  : 1

Path  : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value : RestrictDriverInstallationToAdministrators
Data  : 0
```

In the end, I also had to check the value of RestrictDriverInstallationToAdministrators based on the information provided in this KB.

When the patch for CVE-2021-34527 is installed, the RestrictDriverInstallationToAdministrators setting can be set to 1 to override the two other registry values. In this case, only administrators can install print drivers.

Once again, this does not take into account the latest exploit technique described by @gentilkiwi, which bypasses any patch or setting.

from privesccheck.

itm4n commented on July 22, 2024

Yes, I know. I followed Benjamin's recommendations.
So I configured the "Package Point and print - Approved servers" policy.
This one blocks the most recent exploit (which can still be considered as a 0-day at the moment like you said).

itm4n commented on July 22, 2024

I listened to the NoLimitSecu episode on PrintNightmare: https://www.nolimitsecu.fr/printnightmare/
Benjamin said that the NoWarningNoElevationOnInstall setting is often enabled in corporate environments.
So this test looks entirely relevant to me, all the more so since I was able to validate it in my lab.

mpgn commented on July 22, 2024

Okay, so by design there is an LPE on all Windows, as demonstrated by Benjamin.
Nevertheless, there is a mitigation: https://twitter.com/gentilkiwi/status/1425875881680068608?s=20

```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
```

If these registry keys are set, no more LPE! Maybe worth checking, because right now the script only tells you if you have patched your system, but not if you are secure and not vulnerable to this LPE.

itm4n commented on July 22, 2024

Some news about this "feature request":

  • I removed the term PrintNightmare from the title of this check to avoid confusion. It's now simply called Point and Print, which is actually more accurate.
  • I finally added a test for the registry values PackagePointAndPrintOnly and PackagePointAndPrintServerList. Better late than never...
  • If PackagePointAndPrintServerList is set to 1, I don't check the content of the ListofServers registry key though. I simply added a mention about it in the description so that people can check it manually.
  • About the description field... I added a description to each tested value to make it easier to understand the output, i.e. why is this setting reported as vulnerable?

I think that's it. I'm finally done with this one. Special thanks to @Acebond and @mpgn . 🎉

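Pulling the pieces of this thread together, here is an added PowerShell example (it is not PrivescCheck's own code, nor the reg commands mpgn posted above) that audits the Point and Print configuration the way the check described in the first comment and in the update above does: it reports the Spooler service state, the three PointAndPrint values and the two PackagePointAndPrint values, with a short description per finding explaining why it is reported as weak. It goes one step further than the check as described by also reading the ListofServers entries so they can be reviewed. The function name Get-PointAndPrintAudit and the output property names are my own. It also assumes that, once the CVE-2021-34527 fix is installed, an absent RestrictDriverInstallationToAdministrators value is equivalent to 1 (administrators only); that assumption is labelled in the code.

```powershell
# Added example, not PrivescCheck's own code: audit the Point and Print settings
# discussed in this thread and explain why each one is reported as weak.
# Assumption (labelled): on a machine with the CVE-2021-34527 fix installed, an
# absent RestrictDriverInstallationToAdministrators value behaves as 1 (admins only).

function Get-PointAndPrintAudit {
    [CmdletBinding()]
    param()

    $pnpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $ppnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

    # Read one policy value; $null means the key or the value does not exist.
    function Get-PolicyValue([string] $Path, [string] $Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }
    function New-Finding($Setting, $Value, $Weak, $Description) {
        [PSCustomObject]@{
            Setting     = $Setting
            Value       = if ($null -eq $Value) { '(not set)' } else { $Value }
            Weak        = [bool] $Weak
            Description = $Description
        }
    }

    # 1. The Print Spooler service is a precondition for every driver install path.
    $spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    $spoolerState   = if ($spooler) { [string] $spooler.Status } else { 'not installed' }

    # 2. PointAndPrint values: can a non-admin install a driver without a prompt?
    $restrict     = Get-PolicyValue $pnpKey 'RestrictDriverInstallationToAdministrators'
    $noWarning    = Get-PolicyValue $pnpKey 'NoWarningNoElevationOnInstall'
    $updatePrompt = Get-PolicyValue $pnpKey 'UpdatePromptSettings'
    $adminsOnly   = if ($null -eq $restrict) { $true } else { $restrict -eq 1 }   # see assumption above
    $nonAdminInstall = $spoolerRunning -and (-not $adminsOnly) -and
                       (($noWarning -eq 1) -or ($updatePrompt -eq 1))

    # 3. Package Point and Print - Approved servers: the only setting in this thread
    #    that blocks the "by design" driver installation path. Both values must be 1
    #    and the ListofServers key must actually contain print servers.
    $pkgOnly    = Get-PolicyValue $ppnpKey 'PackagePointAndPrintOnly'
    $serverList = Get-PolicyValue $ppnpKey 'PackagePointAndPrintServerList'
    $approved   = @()
    if ($serverList -eq 1) {
        $listKey = Get-Item -Path (Join-Path $ppnpKey 'ListofServers') -ErrorAction SilentlyContinue
        if ($listKey) {
            $approved = @($listKey.GetValueNames() | ForEach-Object { [string] $listKey.GetValue($_) })
        }
    }
    $pkgRestricted = ($pkgOnly -eq 1) -and ($serverList -eq 1) -and ($approved.Count -gt 0)

    $findings = @(
        New-Finding 'Print Spooler service' $spoolerState $spoolerRunning `
            'Every driver installation path below goes through the spooler.'
        New-Finding 'RestrictDriverInstallationToAdministrators' $restrict (-not $adminsOnly) `
            'When 1 (or absent after the fix), only administrators can install drivers; overrides the next two values.'
        New-Finding 'NoWarningNoElevationOnInstall' $noWarning ((-not $adminsOnly) -and ($noWarning -eq 1)) `
            'When 1, driver installation shows neither a warning nor an elevation prompt.'
        New-Finding 'UpdatePromptSettings' $updatePrompt ((-not $adminsOnly) -and ($updatePrompt -eq 1)) `
            'When 1, driver updates skip the prompt as well.'
        New-Finding 'PackagePointAndPrintOnly' $pkgOnly ($pkgOnly -ne 1) `
            'When 1, only package-aware drivers may be installed.'
        New-Finding 'PackagePointAndPrintServerList' $serverList ($serverList -ne 1) `
            'When 1, drivers may only come from the servers listed under ListofServers.'
        New-Finding 'ListofServers' $(if ($approved.Count -gt 0) { $approved -join ', ' }) ($approved.Count -eq 0) `
            'Approved print servers; review these entries manually.'
    )

    [PSCustomObject]@{
        SpoolerRunning                 = $spoolerRunning
        NonAdminDriverInstallPossible  = $nonAdminInstall
        PackagePointAndPrintRestricted = $pkgRestricted
        ApprovedServers                = $approved
        Findings                       = $findings
    }
}

# Usage:
#   $audit = Get-PointAndPrintAudit
#   $audit.Findings | Format-Table Setting, Value, Weak -AutoSize
#   $audit.Findings | Where-Object Weak | Select-Object Setting, Description
```

The policy keys are readable from a non-elevated session, so the audit runs as a low-privileged user just like PrivescCheck. NonAdminDriverInstallPossible corresponds to the VULN verdict shown in the output at the top of this thread, while PackagePointAndPrintRestricted tells you whether the approved-servers policy mpgn pointed to is actually enforced rather than merely half-configured.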

itm4n commented on July 22, 2024

Thanks for the suggestion, that's a good idea. :)
Writing the check shouldn't take long but testing will be another story. :/

mpgn commented on July 22, 2024

To make it vulnerable:

```text
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 1 (DWORD)
UpdatePromptSettings = 1 (DWORD)
```

Restart the spooler service

itm4n commented on July 22, 2024

Hi @mpgn ! 🙂

I know you followed the "PrintNightmare case" more closely than I did. 😉
If I understand correctly, a fully patched Windows machine should no longer be vulnerable to the RCE. However it might be vulnerable to the LPE if PointAndPrint is enabled without elevation.

So, first question, do you know if the two registry values need to be set to 1 simultaneously for the machine to be vulnerable or only one of them is enough?

Second question, what is the most reliable PoC at the moment to test this scenario locally?

Thanks for your help.

itm4n commented on July 22, 2024

The answers I'm looking for seem to be in this thread: https://twitter.com/gentilkiwi/status/1416429860566847490 😛

...and this flow chart: https://twitter.com/wdormann/status/1413210835326054402/photo/1

mpgn commented on July 22, 2024

So, to be quick: even if you are patched, if you have Point and Print you are vulnerable to RCE and LPE, unless you have a registry key set that "Disable inbound remote printing through" to prevent RCE (I don't have the name right now).

For the LPE, there is no fix currently; it's just pure 0-day in the wild ;) (unless you set this GPO 'Package Point and print - Approved servers', but I don't have the name of the registry key)

As for the flow chart, unfortunately, I don't recommend following it. Lots of wrong information that misleads people into thinking they are secure, but maybe this is not the most up-to-date one ;)

itm4n commented on July 22, 2024

I'm making some progress. I traced back a part of the whole story. So...

I have a fully up-to-date Windows 10 Pro virtual machine. In this case, Mimikatz' PoC fails, which is the expected result.

```text
misc::printnightmare /server:localhost /library:C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
[ms-par/ncacn_ip_tcp] remote: localhost
> RpcAsyncGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{2c937332-3e8d-4aee-827b-6fe5c213acc5}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
> RpcAsyncAddPrinterDriver: ERROR kuhl_m_misc_printnightmare_AddPrinterDriver ; 5
```

Then, I set NoWarningNoElevationOnInstall to 1 and restarted the spooler.

```cmd
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v NoWarningNoElevationOnInstall /d 1 /t reg_dword
net stop spooler
net start spooler
```

I ran the PoC once again, and this time, the PoC worked.

```text
mimikatz # misc::printnightmare /server:localhost /library:C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
[ms-par/ncacn_ip_tcp] remote: localhost
> RpcAsyncGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{ca42c0d6-e593-4ddc-ad35-289a456a90ff}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
> RpcAsyncAddPrinterDriver: OK!
```

The other registry value - UpdatePromptSettings - is probably here to kill another attack vector, which I'm not aware of at the moment. Perhaps there is another PoC out there that leverages this one.

So, based on these results, I can already write a very simple (and naïve) check.

However, I also tested the attack vector described by @gentilkiwi in this tweet: https://twitter.com/gentilkiwi/status/1416429860566847490
This one works by default on a fully up-to-date machine by design. As highlighted by Benjamin, the only way for preventing this attack at the moment is by enforcing the Package Point and print - Approved servers policy and specifying a list of trusted print servers.
I still need to figure out how I should handle this case.

mpgn commented on July 22, 2024

For the LPE, check if the GPO 'Package Point and print - Approved servers' is set; there is surely a registry key linked to this, and the list of approved servers is set. Then, if set, no LPE.

Otherwise, if you don't have this GPO set, it's LPE by design on Windows; there is not much checking to do.

mpgn commented on July 22, 2024

I still think the check for at least the RCE is useful ;)

mpgn commented on July 22, 2024

good :)

ghost-ng commented on July 22, 2024

I suggest you check out the "Driver" machine on HTB; this check should have been accurate, but for some reason it wasn't.

itm4n commented on July 22, 2024

Hmm, sure, can you provide more details please? (I really don't have time to spare on HTB at the moment)
What is the configuration of the machine?
The output of the command `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"` would definitely help.

ghost-ng commented on July 22, 2024

That's the weird part - it just doesn't exist... I ran these same commands from user and admin space, same results

```text
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
reg.exe : ERROR: The system was unable to find the specified registry key or value.
+ CategoryInfo : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
```

This is what worked:
https://github.com/calebstewart/CVE-2021-1675

itm4n commented on July 22, 2024

That's not weird. The most likely explanation is that the security patches for PrintNightmare were simply not installed.
As a reminder, the aim of this check is to verify whether a fully up-to-date machine has a vulnerable "Point and Print" configuration that would allow low-priv users to install print drivers.

Maybe I should rename it from "PrintNightmare exploit" to something like "Point and Print configuration" to avoid the confusion.
