
DLL Uploaded but Not Executed (Windows 10)

Open reznok opened this issue 3 years ago • 8 comments

Running remotely against a Windows 10 host.

Running the exploit successfully drops the malicious DLL in C:\Windows\System32\spool\drivers\x64\3. However, the "backup" process in the exploit write-up does not appear to be happening. C:\Windows\System32\spool\drivers\x64\3\old never appears to exist, resulting in RPRN SessionError: code: 0x3 - ERROR_PATH_NOT_FOUND - The system cannot find the path specified. errors when trying to execute the dll.

I have tried changing the pConfigFile to point at the .dll that I know exists: container_info['DriverInfo']['Level2']['pConfigFile'] = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\{0}\x00".format(filename)

But this results in what I believe is expected from the original writeup: RPRN SessionError: code: 0x20 - ERROR_SHARING_VIOLATION - The process cannot access the file because it is being used by another process.

reznok, Jun 30 '21 19:06

This is the exact issue I am having as well. I am able to get it to trigger if I drop the dll on disk at C:\test.dll and point container_info['DriverInfo']['Level2']['pConfigFile'] directly at it. It then does the backup process and creates the old and new folders. Whereas attempting to run the PoC fully remote, the folders are not created or only for a split second.

sdhornet, Jun 30 '21 19:06

Same issue here against a Windows Server 2019 (DC) host. Tried everything I could think of. It seems that the print spooler service also crashes after I make the attempt.

0xDrizzo, Jun 30 '21 20:06

Same problem on Windows Server 2012 R2 updated with the 2021/02 patch bundle.

armanduz, Jul 01 '21 12:07

Yeap, same issue on DC 2019 Server

tehdisko, Jul 02 '21 06:07

Anyone figured this out?

pr0t0nus3rxyz, Jul 02 '21 07:07

I retested just now, Server 2019 fully patched, promoted to a DC, and it worked fine. My previous test was on a Server 2019 but not as a DC. Make sure you have "Authenticated Users" as a member of the "Pre-Windows 2000 Compatible Access" Builtin group. This appears to be what allows a normal domain user to have access to the spooler.

sdhornet, Jul 02 '21 07:07
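A defender-side audit of the two conditions this thread turns on, added here as an example and not code from the PoC or from any poster: it reports whether broad principals (Authenticated Users, Everyone, Anonymous Logon) are members of the Pre-Windows 2000 Compatible Access group, and lists recently written DLLs under the spooler driver directory, including the old/new staging folders. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed; the function names are my own.

```powershell
# Added audit example; assumes the ActiveDirectory RSAT module is installed
# and the script runs on a domain-joined host. Function names are hypothetical.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-PreWin2000CompatAccess {
    # Read the raw member DNs rather than using Get-ADGroupMember, because
    # well-known principals such as Authenticated Users are stored as foreign
    # security principals (CN=<SID>,CN=ForeignSecurityPrincipals,...).
    $groupName = 'Pre-Windows 2000 Compatible Access'
    $group = Get-ADGroup -Identity $groupName -Properties member -ErrorAction Stop
    # Well-known SIDs: S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone,
    # S-1-5-7 = Anonymous Logon. Any of these gives every domain user the
    # broad read access that the thread observes is needed to reach the spooler.
    $pattern = '^CN=(S-1-5-11|S-1-1-0|S-1-5-7),CN=ForeignSecurityPrincipals,'
    $broad = @($group.member | Where-Object { $_ -match $pattern })
    $finding = if ($broad.Count -gt 0) {
        'Broad principal present: remove it unless legacy clients still require it'
    } else {
        'No broad principals in group'
    }
    [pscustomobject]@{
        Group        = $groupName
        BroadMembers = $broad
        Finding      = $finding
    }
}

function Get-RecentSpoolerDriverDlls {
    param([int]$Days = 7)
    # The thread describes a DLL landing in this directory and the spooler
    # staging copies under sibling 'old'/'new' folders, so recurse into them.
    $dir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $dir -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, LastWriteTime, Length |
        Sort-Object LastWriteTime -Descending
}

Test-PreWin2000CompatAccess | Format-List
Get-RecentSpoolerDriverDlls | Format-Table -AutoSize
```

Run it on the domain controller being tested; an unexpected DLL with a fresh LastWriteTime in that directory, combined with a broad member in the group, is the combination the posts above are describing.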

See https://github.com/cube0x0/CVE-2021-1675/pull/25

citronneur, Jul 04 '21 15:07

Hey guys, I came across the same issue on Windows Server 2019, both fully patched and from the pure original ISO. I figured out that the root cause of this is that the privilege of the user is wrong; the left domain user in the following picture will work fine, not the right one. [image]

5n1p3r0010, Jul 06 '21 08:07