itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License

Add printnightmare LPE vulnerable configurations #21

Closed Acebond closed 2 years ago

Acebond commented 3 years ago

In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
https://twitter.com/gentilkiwi/status/1412771368534528001
https://github.com/tothi/CVE-2021-1675

If Point and Print is enabled, the PrintNightmare patch can be completely bypassed, and PrintNightmare works for RCE and LPE. If NoWarningNoElevationOnInstall (and I assume NoWarningNoElevationOnUpdate) are enabled, the patch can be bypassed for LPE. Microsoft has stated that these vulnerable configurations are not something that will be patched.

I think it would be good to add these registry keys to PrivescCheck to check if the system is vulnerable to privilege escalation using PrintNightmare.

itm4n commented 3 years ago

Thanks for the suggestion, that's a good idea. :) Writing the check shouldn't take long but testing will be another story. :/

mpgn commented 3 years ago

To make it vulnerable:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 1 (DWORD)
UpdatePromptSettings = 1 (DWORD)

Restart the spooler service

itm4n commented 3 years ago

Hi @mpgn ! 🙂

I know you followed the "PrintNightmare case" more closely than I did. 😉 If I understand correctly, a fully patched Windows machine should no longer be vulnerable to the RCE. However it might be vulnerable to the LPE if PointAndPrint is enabled without elevation.

So, first question, do you know if the two registry values need to be set to 1 simultaneously for the machine to be vulnerable, or if only one of them is enough?

Second question, what is the most reliable PoC at the moment to test this scenario locally?

Thanks for your help.

itm4n commented 3 years ago

The answers I'm looking for seem to be in this thread: https://twitter.com/gentilkiwi/status/1416429860566847490 😛

...and this flow chart: https://twitter.com/wdormann/status/1413210835326054402/photo/1

mpgn commented 3 years ago

So, to be quick, even if you are patched, if you have Point and Print you are vulnerable to RCE and LPE unless you have a registry key set that "Disable inbound remote printing through" to prevent RCE (I don't have the name right now).

For the LPE, there is no fix currently, it's just pure 0day in the wild ;) (unless you set this GPO 'Package Point and print - Approved servers', but I don't have the name of the registry key)

As for the flow chart, unfortunately, I don't recommend following it. Lots of wrong information that misleads people into thinking they are secure, but maybe this is not the most up-to-date one ;)

itm4n commented 3 years ago

I'm making some progress. I traced back a part of the whole story. So...

I have a fully up-to-date Windows 10 Pro virtual machine. In this case, Mimikatz' PoC fails, which is the expected result.

misc::printnightmare /server:localhost /library:C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
[ms-par/ncacn_ip_tcp] remote: localhost
> RpcAsyncGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{2c937332-3e8d-4aee-827b-6fe5c213acc5}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
> RpcAsyncAddPrinterDriver: ERROR kuhl_m_misc_printnightmare_AddPrinterDriver ; 5

Then, I set NoWarningNoElevationOnInstall to 1 and restarted the spooler.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v NoWarningNoElevationOnInstall /d 1 /t reg_dword
net stop spooler
net start spooler

I ran the PoC once again, and this time, the PoC worked.

mimikatz # misc::printnightmare /server:localhost /library:C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
[ms-par/ncacn_ip_tcp] remote: localhost
> RpcAsyncGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{ca42c0d6-e593-4ddc-ad35-289a456a90ff}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Lab-User\Downloads\mimikatz_trunk\x64\mimispool.dll
> RpcAsyncAddPrinterDriver: OK!

The other registry value - UpdatePromptSettings - is probably here to kill another attack vector, which I'm not aware of at the moment. Perhaps there is another PoC out there that leverages this one.

So, based on these results, I can already write a very simple (and naïve) check.

However, I also tested the attack vector described by @gentilkiwi in this tweet: https://twitter.com/gentilkiwi/status/1416429860566847490 This one works by default on a fully up-to-date machine by design. As highlighted by Benjamin, the only way for preventing this attack at the moment is by enforcing the Package Point and print - Approved servers policy and specifying a list of trusted print servers. I still need to figure out how I should handle this case.

mpgn commented 3 years ago

For the LPE, check if the GPO 'Package Point and print - Approved servers' is set; there is surely a registry key linked to this, and check that the list of approved servers is set. Then, if set, no LPE.

Otherwise if you don't have this gpo set, it's LPE by design on windows, there is not so much check to do.

itm4n commented 3 years ago

Yes, I know. I followed Benjamin's recommendations. So I configured the "Package Point and print - Approved servers" policy. This one blocks the most recent exploit (which can still be considered as a 0-day at the moment like you said).

mpgn commented 3 years ago

I still think the check for at least the RCE is useful ;)

itm4n commented 3 years ago

I listened to the NoLimitSecu episode on PrintNightmare: https://www.nolimitsecu.fr/printnightmare/ Benjamin said that the NoWarningNoElevationOnInstall setting is often enabled in corporate environments. So this check looks entirely relevant to me, all the more so since I was able to validate it in my lab.

itm4n commented 3 years ago

So... here is what I came up with:

+------+------------------------------------------------+------+
| TEST | CONFIG > PrintNightmare exploit                | VULN |
+------+------------------------------------------------+------+
| DESC | Checks whether the Print Spooler service is enabled   |
|      | and if the Point and Print configuration allows       |
|      | low-privileged users to install printer drivers (even |
|      | on a fully up-to-date machine).                       |
+------+-------------------------------------------------------+
[*] Found 2 result(s).

Path  : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value : NoWarningNoElevationOnInstall
Data  : 1

Path  : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value : RestrictDriverInstallationToAdministrators
Data  : 0

In the end, I also had to check the value of RestrictDriverInstallationToAdministrators based on the information provided in this KB.

When the patch for CVE-2021-34527 is installed, the RestrictDriverInstallationToAdministrators setting can be set to 1 to override the two other registry values. In this case, only administrators can install print drivers.

Once again, this does not take into account the latest exploit technique described by @gentilkiwi, which bypasses any patch or setting.
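As an added example (not PrivescCheck's own code, and not part of the original thread), the following PowerShell reproduces the logic of the check described above: it reads the three PointAndPrint values, checks that the Print Spooler service is running, and reports whether a low-privileged user is expected to be allowed to install print drivers. The function name, the output property names and the treatment of an undefined RestrictDriverInstallationToAdministrators as "not restricted" are assumptions of this example; on builds carrying the August 2021 update, where the OS default is to restrict driver installation to administrators, adjust that assumption to your patch level.

```powershell
# Added example, not PrivescCheck's own code.
# Audit the Point and Print configuration and report whether a low-privileged
# user is expected to be allowed to install print drivers.
function Get-PointAndPrintDriverInstallStatus {
    [CmdletBinding()]
    param()

    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $names = 'NoWarningNoElevationOnInstall',
             'UpdatePromptSettings',
             'RestrictDriverInstallationToAdministrators'

    # Read each value; $null means "not defined", which is the default state
    # (the key does not exist on a clean install).
    $values = @{}
    $props  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        $values[$n] = if ($props -and $props.PSObject.Properties[$n]) { [int]$props.$n } else { $null }
    }

    # The whole attack surface disappears if the spooler is not running.
    $spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')

    # RestrictDriverInstallationToAdministrators = 1 overrides the two other
    # values: only administrators may install drivers.
    # Assumption of this example: an undefined value is treated as "not
    # restricted" (pre-August-2021 behaviour). Adapt to your patch level.
    $restricted        = ($values['RestrictDriverInstallationToAdministrators'] -eq 1)
    $elevationDisabled = ($values['NoWarningNoElevationOnInstall'] -eq 1) -or
                         ($values['UpdatePromptSettings'] -eq 1)

    $vulnerable = $spoolerRunning -and -not $restricted -and $elevationDisabled

    [pscustomobject]@{
        SpoolerRunning                             = $spoolerRunning
        NoWarningNoElevationOnInstall              = $values['NoWarningNoElevationOnInstall']
        UpdatePromptSettings                       = $values['UpdatePromptSettings']
        RestrictDriverInstallationToAdministrators = $values['RestrictDriverInstallationToAdministrators']
        LowPrivDriverInstallLikelyAllowed          = $vulnerable
    }
}

Get-PointAndPrintDriverInstallStatus | Format-List
```

Run it as a standard user: reading HKLM policy keys needs no elevation, so the verdict reflects what an attacker in the same position would see. A $null in any of the three value fields means the policy is simply not configured, which is distinct from an explicit 0.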

mpgn commented 3 years ago

good :)

mpgn commented 3 years ago

Okay, so by design there is an LPE on all windows as demonstrated by benjamin. Nevertheless, there is a mitigation https://twitter.com/gentilkiwi/status/1425875881680068608?s=20

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1

If the following registry keys are set, no more LPE ! Maybe worth to check it because now the script tells you if you have patched your system only, but not if you are secure and not vulnerable to this LPE.
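As an added example (not PrivescCheck's own code, and not part of the original thread), this PowerShell checks whether the "Package Point and print - Approved servers" mitigation posted above is actually in effect: PackagePointAndPrintServerList set to 1, at least one entry under ListofServers, and PackagePointAndPrintOnly set to 1. The function and property names are assumptions of this example; the registry paths and value names are the ones from the reg add commands above.

```powershell
# Added example, not PrivescCheck's own code.
# Report whether the Package Point and Print approved-server list is enforced.
function Get-PackagePointAndPrintMitigationStatus {
    [CmdletBinding()]
    param()

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
    $list = Join-Path -Path $base -ChildPath 'ListofServers'

    $props = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue

    # Both DWORDs must be present and equal to 1 for the policy to apply.
    $serverListEnforced = [bool]($props -and
                                 $props.PSObject.Properties['PackagePointAndPrintServerList'] -and
                                 [int]$props.PackagePointAndPrintServerList -eq 1)
    $packageOnly        = [bool]($props -and
                                 $props.PSObject.Properties['PackagePointAndPrintOnly'] -and
                                 [int]$props.PackagePointAndPrintOnly -eq 1)

    # Each approved server is a REG_SZ value under ListofServers whose name is
    # an index ("1", "2", ...) and whose data is the server name.
    $servers   = @()
    $listProps = Get-ItemProperty -Path $list -ErrorAction SilentlyContinue
    if ($listProps) {
        $servers = @($listProps.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PSPath/PSParentPath/... metadata
            ForEach-Object { [string]$_.Value })
    }

    # An enabled list with zero entries does not restrict anything.
    $mitigated = $serverListEnforced -and $packageOnly -and ($servers.Count -gt 0)

    [pscustomobject]@{
        PackagePointAndPrintServerList = $serverListEnforced
        PackagePointAndPrintOnly       = $packageOnly
        ApprovedServers                = $servers
        ApprovedServerListEnforced     = $mitigated
    }
}

Get-PackagePointAndPrintMitigationStatus | Format-List
```

Review the ApprovedServers list by hand as well: the mitigation only helps if every listed name is a print server you actually control, since any host on that list is trusted for driver installation.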

ghost-ng commented 2 years ago

I suggest you check out the "Driver" machine on HTB. This check should have been accurate, but for some reason it wasn't.

itm4n commented 2 years ago

Hmm, sure, can you provide more details please? (I really don't have time to spare on HTB at the moment) What is the configuration of the machine? The output of the command reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" would definitely help.

ghost-ng commented 2 years ago

That's the weird part: it just doesn't exist. I ran these same commands from user and admin space, same results.

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
reg.exe : ERROR: The system was unable to find the specified registry key or value.

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection

This is what worked: https://github.com/calebstewart/CVE-2021-1675

itm4n commented 2 years ago

That's not weird. The most likely explanation is that the security patches for PrintNightmare were simply not installed. As a reminder, the aim of this check is to verify whether a fully up-to-date machine has a vulnerable "Point and Print" configuration that would allow low-priv users to install print drivers.

Maybe I should rename it from "PrintNightmare exploit" to something like "Point and Print configuration" to avoid the confusion.

itm4n commented 2 years ago

Some news about this "feature request":

I think that's it. I'm finally done with this one. Special thanks to @Acebond and @mpgn . :tada: