gthirugnanasa

Introduction

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the disclosure of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service. This critical vulnerability has been dubbed PrintNightMare and is assigned a CVE (CVE-2021-34527)In this article, we'll show how to use FortiEDR to detect and mitigate the exploitation of this vulnerability.

 

 

How PrintNightmare vulnerability leads to LPE and RPE

 

The vulnerability in the method RpcAddPrinterDriver() leads to Local Privilege Escalation (LPE) and Remote Code Execution (RCE). Local Privilege Escalation allows a user with lower privileges to gain system-level access, whereas RCE allows a remote user to execute code in the context of the system.

 

The RpcAddPrinterDriverEx() method is used to install a printer driver on a system and is defined as follows.

 

 

 

 

 

DWORD RpcAddPrinterDriverEx(

 

   [in, string, unique] STRING_HANDLE pName,

 

   [in] DRIVER_CONTAINER* pDriverContainer,

 

   [in] DWORD dwFileCopyFlags

 

 );

 

 

 

 

 

 

 

pName: Pointer to a string that specifies the name of the print server that the method operates on

dwFileCopyFlags: A bit field that specifies options for copying replacement printer driver files.

 

pDriverContainer: A pointer to a DRIVER_CONTAINER structure 

 

The DRIVER CONTAINER object is one of the parameters to RpcAddPrinterDriverEx(), and it contains information on which driver is to be used by the added printer. The DRIVER_CONTAINER structure provides this information using DRIVER_INFO structures. The DriverInfo member given below defines the properties of a printer driver.

 typedef struct _DRIVER_INFO_2 {

 

   DWORD cVersion;

 

   [string] wchar_t* pName;

 

   [string] wchar_t* pEnvironment;

 

   [string] wchar_t* pDriverPath;

 

   [string] wchar_t* pDataFile;

 

   [string] wchar_t* pConfigFile;

 

 } DRIVER_INFO_2;

 

 

pDataFile: A pointer to a string that specifies a file name or a full path that contains printer driver data. 

pConfigFile: A pointer to a string that specifies a file name or a full path to printer driver configuration module.

pDriverPath: A pointer to a string that specifies a file name or full path to the printer driver file.

 

The exploit code calls the RpcAddPrinterDriverEX() method twice. The exploit dll in the remote server path is passed to the pDataFile parameter in the first call to RpcAddPrinterDriverEX (shown below). This will cause the attacker's dll to be copied to the path "C:\Windows\System32\spool\drivers\x64\3\old\" within the domain controller system.

 

 

RpcAddPrinterDriverEX() is invoked again after modifying pConfigFile to point to the location ("C:\Windows\System32\spool\drivers\x64\3\old\") where the attacker dll is written. Now, this will load the attacker payload, i.e execute attacker code with domain SYSTEM privileges.

 

 

Local Privilege Escalation

 

 

Local privilege escalation happens when a non-admin user acquires the system rights of the admin user. 

 

In the below exploit sample, the attacker takes advantage of the vulnerability to escalate privileges on a local system. When running the exploit code on a vulnerable system, the exploit first elevates the privileges from lower to system-level. It then executes the payload (dll) with system privileges on the local system. Here, the supplied payload (dll) creates a new user account (admIn) with Administrator privileges.

 

 

 

Thus, a user with lower privileges is allowed to create an admin user with full system privileges.

 

Remote Code Execution

 

You can see how the attacker exploits this vulnerability to achieve remote code execution in the following exploit sample. Assuming the attacker already gained access to a domain user account. The attacker then attempts to exploit the vulnerable domain controller system from a domain user account. The exploit code elevates the privileges, drops the malicious payload into the printer spool driver path, and executes it on the domain controller system.

 

 

Successful exploitation of this vulnerability allows the attacker to execute the malicious payload (evil.dll) in the context of the Print Spooler Service which runs with System Privileges.

 

 

 

You can see the domain controller's spoolsv.exe process loading the evil.dll from the path C:\Windows\System32\spool\drivers\x64\3\evil.dll.

 

 

Thus, a remote authenticated domain user with lesser privileges can elevate the privileges and execute arbitrary remote code in the context of the system.

 


Solution
Detecting and Mitigating PrintNightmare with FortiEDR

 

Pre-Exploitation

 

A domain user (172.16.0.3) attempts to exploit this vulnerability in the printer spool service running on the domain controller in the event shown below. FortiEDR detects the local privilege escalation and successfully blocks the exploitation.

 

The EDR rule "Privilege Escalation Exploit Detected" under Exfiltration policy triggers the above event and blocks the local privilege escalation.

 

 

Post-Exploitation

 

We can see the post-exploitation behavior by switching the FortiEDR mode from prevention to simulation. As we set EDR to simulation mode, the exploit code ran successfully and loaded the attacker's dll into the spool service.

 

FortiEDR detects the loading of a malicious file and blocks the dll from execution, which you can see from the following event.

 

FortiEDR's advanced real time detection identifies a malicious payload (dll) dynamically loaded by rundll32.exe. It blocks the dll's execution and the connection to the C2 server in the following event.

 

 

This event is triggered by the following EDR rules when a malicious dll is dynamically loaded, blocking the execution of the dll during post-exploitation.   

 

Thus, FortiEDR delivers advanced, real-time threat protection for endpoints both pre and post-exploitation.

Threat Hunting

FortiEDR's threat hunting enhancement will also provide visibility into exploitation attempts and subsequent operations. Find below the threat hunting queries that you shall use in FortiEDR v5 Threat Hunting to identify suspicious activities related to PrintNightmare.

 

This query will identify file creation events for dll files created in the known CVE-2021-34527 driver path. Note there may be FPs related to inventory scan events and during system install/update.

Type:("File Create") AND Target.File.Path:(\\spool\\drivers\\x64\\) AND Target.File.Ext:("dll") 

 

This query will identify dll file creation events from spoolsv.exe process. Very low false positive rate. 

Type:("File Create") AND Source.Process.Name:("spoolsv.exe") AND Target.File.Path:(\\spool\\drivers\\x64\\) AND Target.File.Ext:("dll") 

 

This query will identify rundll32 processes spawning from spoolsv.exe processes. Very low false positive rate.

Type:("Process Creation") AND Source.Process.Name:("spoolsv.exe") AND Target.Process.Name:("rundll32.exe") 

 

This query will identify network connections associated with rundll32 processes where spoolsv.exe is in the process chain (parent). This can detect some observed post exploitation activity. Very low false positive rate.

Type:("Socket Connect") AND Source.Process.Name:("rundll32.exe") AND Source.Process.Parent.Path:(*spoolsv.exe) 

 

This query is more generic for flagging rundll32.exe making network connections. This is non-standard behaviour and whilst not always directly linked to CVE-2021-34527, should be investigated as suspicious activity. Low false positive rate for suspicious activity, may need tuning if there is bespoke software that calls dll’s directly. 

Type:("Socket Connect") AND Source.Process.Name:("rundll32.exe") 

 

This query will identify library loads for the spoolsv.exe process linked to the known CVE-2021-34527 driver path. Note that this will have a number of false positives that will need to be filtered on a per environment basis. Notable FPs are for legitimate kernelbase.dll and PrintConfig.dll dlls but these filenames could be spoofed by and adversary so have not been filtered out. The hash of these files will change per Windows version, suggest adding exclusions for specific valid driver file hashes to this search as part of baselining. 

Type:("Library Loaded") AND Source.Process.Name:("spoolsv.exe") AND Target.Executable.File.Path:(\\spool\\drivers\\x64\\) AND Target.Executable.File.Ext:("dll") 

 

This query will identify any significant activity from the rundll32.exe process spawned by spoolsv.exe. This is a useful 'catch-all' for post exploitation activity associated with CVE-2021-34527. 

Source.Process.Name:("rundll32.exe") AND Source.Process.Parent.Path:(*spoolsv.exe) AND (Type:("Socket Connect") OR Type:("Process Creation") OR Type:("File Create")) 

 

This query will detect network connections associated with spoolsv.exe. An alert on this query could be as a result of exploit of the RCE component of CVE-2021-34527. This will need to be tuned for the environment to avoid false positives but particular attention should be put on returned connections for RemoteIP’s that are not internal to your environment.

Type:("Socket Connect") AND Source.Process.Name:("spoolsv.exe") AND (LocalPort:("0")

 

 

MITRE ATT&CK

 

Find below the mapping of Mitre techniques involved with the exploitation of this vulnerability.

 

Tactic ID 

Tactic 

Technique ID 

Technique 

Description 

TA0001 

Initial Access 

T1133 

External Remote Services 

The vulnerability can be used to target the Printer Spooler service if remotely accessible via a network connection. 

TA0003 

Persistence 

T1547.012 

Boot or Logon Autostart Execution: Print Processors 

Drivers loaded through the exploit of this vulnerability will be loaded by the Print Spooler service and copies will be retained in various directories in the 'C:\Windows\System32\spool\drivers\x64\3\' path. 

TA0004 

Privilege Escalation 

T1068 

Exploitation for Privilege Escalation 

This exploit specifically targets a vulnerability in the Print Spooler service and uses it to load and execute an attacker supplied driver with local system privileges. This access effectively subverts UAC on affected hosts. 

TA0004 

Privilege Escalation 

T1547.012 

Boot or Logon Autostart Execution: Print Processors 

Execution through exploit of a service (such as also provides escalation to local system. 

TA0005 

Defense Evasion 

T1218.011 

Signed Binary Proxy Execution: Rundll32 

Rundll32.exe is used to execute functionality available through dropped dlls. This offers a good opportunity for behavioral detection as spoolsv.exe does not typically execute rundll32.exe. 

TA0008 

Lateral Movement 

T1570 

Lateral Tool Transfer 

The vulnerability allows for transfer of tools in the form of dll files to a vulnerable host. This has been demonstrated in multiple PoC, freely available through open source research. 

TA0008 

Lateral Movement 

T1210 

Exploitation of Remote Services 

The vulnerability targets Printer Spooler service which is remotely accessible via a network connection. This can support lateral movement and initial access from external hosts. 

 

Mitigation

 

·  Administrators are strongly advised to apply Microsoft’s out-of-band security updates for this vulnerability.

·  Disable the Windows Print spooler service in Domain Controllers and systems that do not print until Microsoft patches both LPE and RCE.

·  Review KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates

·  Review the best practice from Microsoft’s how-to guides

 

 

References

https://www.fortiguard.com/threat-signal-report/4002/printnightmare-zero-day-remote-code-execution-v...

https://www.fortinet.com/blog/threat-research/fortinet-releases-ips-signature-microsoft-printnightma...

 

 

The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts continues to monitor and update this article as new information is discovered.