Rapid7 Vulnerability & Exploit Database

Ricoh Driver Privilege Escalation

Disclosed: 01/22/2020
Created: 02/07/2020

Description

Various Ricoh printer drivers allow escalation of privileges on Windows systems. For vulnerable drivers, a low-privileged user can read and write files within the `RICOH_DRV` directory and its subdirectories. `PrintIsolationHost.exe`, a Windows process running as NT AUTHORITY\SYSTEM, loads driver-specific DLLs during the installation of a printer. A user can elevate to SYSTEM by writing a malicious DLL to the vulnerable driver directory and adding a new printer with a vulnerable driver. This module leverages the `prnmngr.vbs` script to add and delete printers. Multiple runs of this module may be required because successful exploitation is time-sensitive.
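
The weakness described above comes down to the ACL on the `RICOH_DRV` tree. As an added example (not code from the module or from Rapid7), the following PowerShell audit lists allow ACEs that give low-privileged groups write-type rights on that directory, its subdirectories and any DLLs in it. The directory path is a required parameter because the page does not state it, and the SID list and rights mask are assumptions about what counts as low-privileged and write-capable.

```powershell
# Added example (not part of the Metasploit module): list ACEs that let
# low-privileged principals write inside a printer-driver directory tree.
param(
    # Full path of the RICOH_DRV directory on the host being audited.
    # No default: the page does not state where the directory lives.
    [Parameter(Mandatory = $true)] [string] $DriverRoot
)

# Rights that allow planting or replacing a DLL, or rewriting the ACL to get there.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can also report raw generic bits: GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$mask = ([int]$writeRights) -bor 0x50000000

# Well-known SIDs that include ordinary users (names are localized, SIDs are not).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-WeakAce {
    param([string] $Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity, cannot classify
        if (-not $lowPriv.ContainsKey($sid)) { continue }
        if ((([int]$ace.FileSystemRights) -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $lowPriv[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the root, every subdirectory, and every DLL already present.
$targets = @($DriverRoot) + @(Get-ChildItem -LiteralPath $DriverRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -or $_.Extension -eq '.dll' } |
    ForEach-Object { $_.FullName })

$findings = foreach ($t in $targets) { Get-WeakAce -Path $t }
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output "No write-capable ACEs for low-privileged principals under $DriverRoot" }
```

Any row returned means an ordinary user can create or modify files that `PrintIsolationHost.exe` may load as SYSTEM; an `Inherited` value of `True` points to the parent directory's ACL as the place to fix it.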

Author(s)

  • Alexander Pudwill
  • Pentagrid AG
  • Shelby Pace

Platform

Windows

Architectures

x86, x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/ricoh_driver_privesc
msf exploit(ricoh_driver_privesc) > show targets
    ...targets...
msf exploit(ricoh_driver_privesc) > set TARGET <target-id>
msf exploit(ricoh_driver_privesc) > show options
    ...show and set options...
msf exploit(ricoh_driver_privesc) > exploit
