Print Driver PrivEsc

If you attended DEF CON last week, you may have seen this talk on print driver vulnerabilities from Metasploit community contributor Jacob Baines. In the spirit of Friday the 13th, we're highlighting some of these "print nightmares" again, in the form of two new Metasploit modules that Jacob added.
The first is a Canon TR150 Print Driver Local Privilege Escalation module, which exploits CVE-2021-38085. The second is a Lexmark Universal Print Driver Local Privilege Escalation module, which exploits CVE-2021-35449. Both modules target Windows systems with their respective vulnerable print drivers installed, and result in privilege escalation to a SYSTEM user.

Atlassian Crowd RCE

Also new in this week's release is an Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE module by Rapid7's own Grant Willcox, which exploits CVE-2019-11580. This vulnerability allows an attacker to upload arbitrary plugins to vulnerable Atlassian Crowd data servers and achieve unauthenticated remote code execution. This module also includes a check method for verifying whether a target is vulnerable to this exploit. It should be noted that this vulnerability made the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of the 12 most routinely exploited vulns for 2020.

New module content (3)

  • Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE by Corben Leo, Grant Willcox, and Paul, which exploits CVE-2019-11580 - This adds an exploit for CVE-2019-11580 which is an unauthenticated RCE within the Atlassian Crowd application. The vulnerability allows for a malicious JAR file to be loaded, resulting in arbitrary Java code execution within the context of the service.
  • Canon Driver Privilege Escalation by Jacob Baines and Shelby Pace, which exploits CVE-2021-38085 - A new module has been added to exploit CVE-2021-38085, a privilege escalation issue in the Canon TR150 Print Driver. Successful exploitation results in code execution as the SYSTEM user.
  • Lexmark Driver Privilege Escalation by Grant Willcox, Jacob Baines, and Shelby Pace, which exploits CVE-2021-35449 - A new module has been added to exploit CVE-2021-35449, a privilege escalation issue in a variety of Lexmark drivers including the Universal Print Driver. Successful exploitation allows local attackers to gain SYSTEM level code execution.

Enhancements and features

  • #15327 from adfoster-r7 - Fixes a regression issue in the RPC analyze command. Adds automated integration tests to ensure it doesn't break in the future.
  • #15430 from zeroSteiner - This adds support for SSH pivoting by adding a new Command Shell session type for SSH clients. This also updates both auxiliary/scanner/ssh/ssh_login and auxiliary/scanner/ssh/ssh_login_pubkey modules to include these changes. Note that it only supports TCP client connections and only outbound payloads can be used through the SSH pivot at the moment (no reverse payloads).
  • #15493 from jmartin-r7 - Updated Metasploit's dependency on Rails from version 5.2 to 6.1
  • #15523 from adfoster-r7 - This enhances the console output with additional information on why a session may not be compatible with a post module, such as missing Meterpreter commands.
  • #15535 from adfoster-r7 - The psexec module has been updated to use the SMBSHARE option name instead of SHARE for better consistency across modules. Users can still use the old SHARE option if needed, however this should be considered deprecated.

Bugs fixed

  • #15524 from pingport80 - This fixes a localization-related issue in the post/linux/gather/enum_network module, caused by it searching for language-specific strings in the output to determine success.
  • #15534 from timwr - Fixes a regression issue in post/multi/manage/shell_to_meterpreter where the generated PowerShell command length was greater than the limit of 8192 characters after string obfuscation was applied.
  • #15536 from zeroSteiner - The HiveNightmare module has been updated to correctly use the ITERATIONS option instead of the NBRE_ITER option when performing the loop to call check_path(). This fixes an issue where the module would hang whilst users were running it, and ensures the loop correctly terminates after a set number of iterations.
  • #15542 from adfoster-r7 - This fixes a regression with Meterpreter's initialize methods, which caused Meterpreter scripts to be broken.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).