Ricoh Driver Privilege Escalation

Disclosed
Jan 22, 2020

Description

Various Ricoh printer drivers allow escalation of
privileges on Windows systems.

For vulnerable drivers, a low-privileged user can
read/write files within the `RICOH_DRV` directory
and its subdirectories.

`PrintIsolationHost.exe`, a Windows process running
as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
during the installation of a printer. A user can
elevate to SYSTEM by writing a malicious DLL to
the vulnerable driver directory and adding a new
printer with a vulnerable driver.

This module leverages the `prnmngr.vbs` script
to add and delete printers. Multiple runs of this
module may be required because successful exploitation
is time-sensitive.