Comments (18)
So... here is what I came up with:
```
+------+------------------------------------------------+------+
| TEST | CONFIG > PrintNightmare exploit                | VULN |
+------+------------------------------------------------+------+
| DESC | Checks whether the Print Spooler service is enabled   |
|      | and if the Point and Print configuration allows       |
|      | low-privileged users to install printer drivers (even |
|      | on a fully up-to-date machine).                       |
+------+-------------------------------------------------------+

[*] Found 2 result(s).

Path  : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value : NoWarningNoElevationOnInstall
Data  : 1

Path  : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value : RestrictDriverInstallationToAdministrators
Data  : 0
```
In the end, I also had to check the value of `RestrictDriverInstallationToAdministrators` based on the information provided in this KB.
When the patch for CVE-2021-34527 is installed, the `RestrictDriverInstallationToAdministrators` setting can be set to 1 to override the two other registry values. In this case, only administrators can install print drivers.
Once again, this does not take into account the latest exploit technique described by @gentilkiwi, which bypasses any patch or setting.
from privesccheck.
Yes, I know. I followed Benjamin's recommendations.
So I configured the "Package Point and print - Approved servers" policy.
This one blocks the most recent exploit (which can still be considered a 0-day at the moment, like you said).
from privesccheck.
I listened to the NoLimitSecu episode on PrintNightmare: https://www.nolimitsecu.fr/printnightmare/
Benjamin said that the `NoWarningNoElevationOnInstall` setting was often enabled in corporate environments.
So this test seems entirely relevant to me, especially since I was able to validate it in my lab.
from privesccheck.
Okay, so by design there is an LPE on all Windows as demonstrated by Benjamin.
Nevertheless, there is a mitigation: https://twitter.com/gentilkiwi/status/1425875881680068608?s=20
```
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
```
If the following registry keys are set, no more LPE! Maybe worth checking, because currently the script only tells you whether you have patched your system, but not whether you are secure and not vulnerable to this LPE.
from privesccheck.
Some news about this "feature request":
- I removed the term PrintNightmare from the title of this check to avoid confusion. It's now simply called Point and Print, which is actually more accurate.
- I finally added a test for the registry values `PackagePointAndPrintOnly` and `PackagePointAndPrintServerList`. Better late than never...
- If `PackagePointAndPrintServerList` is set to `1`, I don't check the content of the `ListofServers` registry key though. I simply added a mention about it in the description so that people can check it manually.
- About the description field... I added a description to each tested value to make it easier to understand the output, i.e. why this setting is reported as vulnerable.
I think that's it. I'm finally done with this one. Special thanks to @Acebond and @mpgn . 🎉
from privesccheck.
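As an added example (my code, not PrivescCheck's own check and not a verbatim copy of the logic described above), the following PowerShell reads the registry values named in this thread and reports how they combine. The function names (`Get-PointAndPrintAudit`, `Get-RegistryDword`, `Get-ApprovedPrintServers`) are mine. The verdict logic is this thread's reading of the values: `RestrictDriverInstallationToAdministrators=1` overrides the two prompt-suppression values on a patched system, and the Package Point and Print mitigation counts only when `PackagePointAndPrintServerList` and `PackagePointAndPrintOnly` are both 1. The extra requirement that `ListofServers` contain at least one entry is my assumption and goes one step beyond the check described above, which leaves the list for manual review; the entries themselves are still only printed, not validated.

```powershell
# Added example, not PrivescCheck's own code. Reads the Point and Print
# registry values discussed in this thread and reports how they combine.
# Key paths and value names are the ones quoted in the thread; the verdict
# logic is this thread's reading of them, not an official Microsoft rule.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PackagePnPKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ListOfServersKey = "$PackagePnPKey\ListofServers"

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the key or value is absent
    # ("not configured"), which is exactly the HTB case further down the thread.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-ApprovedPrintServers {
    # ListofServers holds one REG_SZ per server, named "1", "2", ...
    # Entries are returned for manual review only; their content is not
    # validated (a deliberately bogus entry is a legitimate "deny all").
    if (-not (Test-Path $ListOfServersKey)) { return @() }
    (Get-ItemProperty -Path $ListOfServersKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $_.Value }
}

function Get-PointAndPrintAudit {
    $spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')

    $noWarning    = Get-RegistryDword $PointAndPrintKey 'NoWarningNoElevationOnInstall'
    $updatePrompt = Get-RegistryDword $PointAndPrintKey 'UpdatePromptSettings'
    $restrict     = Get-RegistryDword $PointAndPrintKey 'RestrictDriverInstallationToAdministrators'
    $serverList   = Get-RegistryDword $PackagePnPKey 'PackagePointAndPrintServerList'
    $pnpOnly      = Get-RegistryDword $PackagePnPKey 'PackagePointAndPrintOnly'
    $approved     = @(Get-ApprovedPrintServers)

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $spoolerRunning) {
        $findings.Add('Spooler is not running: Point and Print settings are not reachable.')
    }

    # A patched system honours RestrictDriverInstallationToAdministrators=1
    # over the two "no prompt" values (per the KB quoted in the thread).
    $lowPrivDriverInstall = $false
    if ($restrict -eq 1) {
        $findings.Add('RestrictDriverInstallationToAdministrators=1: only administrators can install print drivers.')
    } else {
        if ($noWarning -eq 1) {
            $findings.Add('NoWarningNoElevationOnInstall=1: drivers install with no warning and no elevation prompt.')
            $lowPrivDriverInstall = $true
        }
        if ($updatePrompt -eq 1) {
            $findings.Add('UpdatePromptSettings=1: driver updates install without a prompt.')
            $lowPrivDriverInstall = $true
        }
    }

    # Package Point and Print "approved servers" mitigation from the thread.
    # Requiring a non-empty list is an assumption added in this example.
    $approvedServersEnforced = ($serverList -eq 1) -and ($pnpOnly -eq 1) -and ($approved.Count -gt 0)
    if ($approvedServersEnforced) {
        $findings.Add("Package Point and Print limited to approved servers (review manually): $($approved -join ', ')")
    } else {
        $findings.Add('Package Point and Print is not limited to approved servers.')
    }

    [pscustomobject]@{
        SpoolerRunning                             = $spoolerRunning
        NoWarningNoElevationOnInstall              = $noWarning
        UpdatePromptSettings                       = $updatePrompt
        RestrictDriverInstallationToAdministrators = $restrict
        PackagePointAndPrintServerList             = $serverList
        PackagePointAndPrintOnly                   = $pnpOnly
        ApprovedServers                            = $approved
        LowPrivDriverInstall                       = ($spoolerRunning -and $lowPrivDriverInstall)
        ApprovedServersEnforced                    = $approvedServersEnforced
        Findings                                   = $findings.ToArray()
    }
}

Get-PointAndPrintAudit | Format-List
```

Reading these policy values under HKLM does not require elevation, so the audit runs as a standard user. A `$null` in any of the value fields means the policy is not configured at all, which is how the "Driver" machine case later in this thread looked: no PointAndPrint key, so the check reports nothing about the configuration, which says nothing about whether the patches are installed.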
Thanks for the suggestion, that's a good idea. :)
Writing the check shouldn't take long but testing will be another story. :/
from privesccheck.
To make it vulnerable:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 1 (DWORD)
UpdatePromptSettings = 1 (DWORD)
```
Restart the spooler service
from privesccheck.
Hi @mpgn ! 🙂
I know you followed the "PrintNightmare case" more closely than I did. 😉
If I understand correctly, a fully patched Windows machine should no longer be vulnerable to the RCE. However it might be vulnerable to the LPE if PointAndPrint is enabled without elevation.
So, first question, do you know if the two registry values need to be set to 1 simultaneously for the machine to be vulnerable, or whether only one of them is enough?
Second question, what is the most reliable PoC at the moment to test this scenario locally?
Thanks for your help.
from privesccheck.
The answers I'm looking for seem to be in this thread: https://twitter.com/gentilkiwi/status/1416429860566847490 😛
...and this flow chart: https://twitter.com/wdormann/status/1413210835326054402/photo/1
from privesccheck.
So, to be quick, even if you are patched, if you have Point and Print you are vulnerable to RCE and LPE unless you have a registry key set that "Disable inbound remote printing through" to prevent RCE (I don't have the name right now).
For the LPE, there is no fix currently, it's just pure 0day in the wild ;) (unless you set this GPO 'Package Point and print - Approved servers', but I don't have the name of the registry key).
As for the flow chart, unfortunately, I don't recommend following it. Lots of wrong information that misleads people into thinking they are secure, but maybe this is not the most up-to-date one ;)
from privesccheck.
I'm making some progress. I traced back a part of the whole story. So...
I have a fully up-to-date Windows 10 Pro virtual machine. In this case, Mimikatz' PoC fails, which is the expected result.
```
mimikatz # misc::printnightmare /server:localhost /library:C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
[ms-par/ncacn_ip_tcp] remote: localhost
> RpcAsyncGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{2c937332-3e8d-4aee-827b-6fe5c213acc5}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
> RpcAsyncAddPrinterDriver: ERROR kuhl_m_misc_printnightmare_AddPrinterDriver ; 5
```
Then, I set `NoWarningNoElevationOnInstall` to `1` and restarted the spooler.
```
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v NoWarningNoElevationOnInstall /d 1 /t reg_dword
net stop spooler
net start spooler
```
I ran the PoC once again, and this time, the PoC worked.
```
mimikatz # misc::printnightmare /server:localhost /library:C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
[ms-par/ncacn_ip_tcp] remote: localhost
> RpcAsyncGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{ca42c0d6-e593-4ddc-ad35-289a456a90ff}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
> RpcAsyncAddPrinterDriver: OK!
```
The other registry value, `UpdatePromptSettings`, is probably here to kill another attack vector, which I'm not aware of at the moment. Perhaps there is another PoC out there that leverages this one.
So, based on these results, I can already write a very simple (and naïve) check.
However, I also tested the attack vector described by @gentilkiwi in this tweet: https://twitter.com/gentilkiwi/status/1416429860566847490
This one works by default on a fully up-to-date machine by design. As highlighted by Benjamin, the only way of preventing this attack at the moment is by enforcing the "Package Point and print - Approved servers" policy and specifying a list of trusted print servers.
I still need to figure out how I should handle this case.
from privesccheck.
For the LPE, check if the GPO 'Package Point and print - Approved servers' is set; there is surely a registry key linked to this and the list of approved servers is set. Then, if set, no LPE.
Otherwise, if you don't have this GPO set, it's LPE by design on Windows; there is not much to check.
from privesccheck.
I still think the check for at least the RCE is useful ;)
from privesccheck.
good :)
from privesccheck.
I suggest you check out the "Driver" machine on HTB, this check should have been accurate but for some reason it wasn't.
from privesccheck.
Hmm, sure, can you provide more details please? (I really don't have time to spare on HTB at the moment)
What is the configuration of the machine?
The output of the command `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"` would definitely help.
from privesccheck.
That's the weird part - it just doesn't exist. I ran these same commands from user and admin space, same results:
```
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
```
This is what worked:
https://github.com/calebstewart/CVE-2021-1675
from privesccheck.
That's not weird. The most likely explanation is that the security patches for PrintNightmare were simply not installed.
As a reminder, the aim of this check is to verify whether a fully up-to-date machine has a vulnerable "Point and Print" configuration that would allow low-priv users to install print drivers.
Maybe I should rename it from "PrintNightmare exploit" to something like "Point and Print configuration" to avoid the confusion.
from privesccheck.