关联漏洞
标题:
Microsoft Windows Print Spooler Components 安全漏洞
(CVE-2021-1675)
描述:Microsoft Windows Print Spooler Components是美国微软(Microsoft)公司的一个打印后台处理程序组件。 Microsoft Windows Print Spooler Components存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for AR
介绍
# PrintNightmare (CVE-2021-1675)
This Zeek script detects successful `RpcAddPrinterDriver{,Ex}` DCE RPC events,
which are required to successfully exploit the vulnerability. Tests are based on
exploit PCAP from [Lares Lab](https://github.com/LaresLLC/CVE-2021-1675). Tested
with Zeek versions `3.0.2` and `4.0.1`.
## Notices
* `Printer_Driver_Changed_Successfully` indicates the printer driver was changed successfully.
## Suricata
We have also provided [Suricata rules](./suricata.rules) to detect the DCE RPC
commands used in this exploit. These can be either loaded into a Corelight
appliance, or run directly with Suricata. These rules fire a lot on larger
networks and may be sufficiently noisy so as not to be useful. Please use with
caution. We have kept them here in case they are useful in other networks. In
our opinion, the Zeek package is more robust against noise.
The output of running Suricata with the provided ruleset is shown below:
```
$ suricata -r testing/Traces/PrintNightmare.pcap -S suricata.rules
8/7/2021 -- 10:54:57 - <Notice> - This is Suricata version 6.0.3 RELEASE running in USER mode
8/7/2021 -- 10:54:57 - <Warning> - [ERRCODE: SC_WARN_ERSPAN_CONFIG(329)] - ERSPAN Type I is no longer configurable and it is always enabled; ignoring configuration setting.
8/7/2021 -- 10:54:57 - <Notice> - all 17 packet processing threads, 4 management threads initialized, engine started.
8/7/2021 -- 10:54:57 - <Notice> - Signal Received. Stopping engine.
8/7/2021 -- 10:54:57 - <Notice> - Pcap-file module read 1 files, 53 packets, 19124 bytes
$ cat fast.log
07/02/2021-08:11:57.785982 [**] [1:3000007:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:57.824060 [**] [1:3000007:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:57.848240 [**] [1:3000007:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:57.848240 [**] [1:3000008:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriverEx [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:57.894097 [**] [1:3000007:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:57.894097 [**] [1:3000008:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriverEx [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:57.959051 [**] [1:3000007:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:57.959051 [**] [1:3000008:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriverEx [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:58.000581 [**] [1:3000007:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:58.000581 [**] [1:3000008:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriverEx [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:11:58.007953 [**] [1:3000007:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:12:08.520328 [**] [1:3000007:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
07/02/2021-08:12:08.520328 [**] [1:3000008:2] CORELIGHT Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriverEx [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.149:50070 -> 192.168.1.157:445
```
## References
* https://github.com/LaresLLC/CVE-2021-1675
* https://github.com/afwu/PrintNightmare
* https://github.com/cube0x0/CVE-2021-1675
文件快照
[4.0K] /data/pocs/a9377736f3fb739994eafb24e523306cec90492d
├── [4.8K] README.md
├── [4.0K] scripts
│ ├── [ 13] __load__.zeek
│ └── [ 729] main.zeek
├── [1.6K] suricata.rules
├── [4.0K] testing
│ ├── [4.0K] Baseline
│ │ └── [4.0K] CVE-2021-1675.PrintNightmare
│ │ └── [ 981] notice.log
│ ├── [ 566] btest.cfg
│ ├── [4.0K] CVE-2021-1675
│ │ ├── [ 128] cve-2021-1675
│ │ ├── [ 132] packetcapture_1
│ │ ├── [ 132] packetcapture_2
│ │ └── [ 131] PrintNightmare
│ ├── [4.0K] Files
│ │ └── [ 192] random.seed
│ ├── [ 28] Makefile
│ ├── [4.0K] Scripts
│ │ ├── [ 383] diff-remove-timestamps
│ │ └── [1.3K] get-zeek-env
│ └── [4.0K] Traces
│ ├── [ 22K] cve-2021-1675.pcap
│ ├── [4.2K] packetcapture_1.pcap
│ ├── [461K] packetcapture_2.pcap
│ └── [ 20K] PrintNightmare.pcap
└── [ 253] zkg.meta
8 directories, 19 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。