Rapid7 Vulnerability & Exploit Database

Lexmark Driver Privilege Escalation

Back to Search

Lexmark Driver Privilege Escalation



Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenicated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\\Universal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, will inspect the C:\ProgramData\\Universal Color Laser.gdl file and will load the malicious DLL from the path specified in the file. This which will result in the malicious DLL executing as NT AUTHORITY\SYSTEM. Once this module is finished, it will use the prnmngr.vbs script to remove the printer it added.


  • Jacob Baines
  • Shelby Pace
  • Grant Willcox




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/lexmark_driver_privesc
msf exploit(lexmark_driver_privesc) > show targets
msf exploit(lexmark_driver_privesc) > set TARGET < target-id >
msf exploit(lexmark_driver_privesc) > show options
    ...show and set options...
msf exploit(lexmark_driver_privesc) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security