Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service

Zhiniang Peng & Xuefeng Li
  • The Windows Print Spooler has been riddled with bugs since the beginning. Because of this, the authors decided to tackle this attack surface on Windows.
  • MS-RPRN (Print System Remote Protocol) can add or update a printer driver. Because it would be annoying to make users fetch a printer driver from a website, the printer itself provides a driver to the service. Obviously, this is code execution by design! So, to keep this in check, the caller needs to be authenticated or the installation approved by the user.
  • If an attacker can bypass the authentication, it is game over, as the driver gets added. Normally, the client would need the SeLoadDriverPrivilege privilege to call the RPC function. However, there is a bug in this logic!
  • The function ValidateObjectAccess is what should validate access. One of the fields it checks is user controllable and controls some of the configuration; this field allows the security check to be bypassed so the driver can be added. That is all the article says; it does not explain what the field is actually used for.
  • They had to get past some additional annoyances inside the function RpcAddPrinterDriver as well. The Spooler checks that UNC paths are not used, but it misses one of the paths being supplied. Some further file shenanigans were also needed to get the proper DLL loaded.
  • Overall, this is a horribly impactful bug that allows Domain Controllers to be taken over. The bug is fairly simple but requires a little finesse to get working.
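The path check described in the RpcAddPrinterDriver bullet is a good illustration of how an incomplete validation fails. The following added example (my own Python, not code from the article or from Windows) compares a single-field UNC check with one that covers every path-bearing field and the less obvious UNC spellings; the field names, the sample requests and the host fileserver.example are constructed for the example.

```python
import re
from typing import Any, Dict, List

# Path-bearing fields of a driver-install request. The field names are an assumption
# made for this example; they are not MS-RPRN's own structure member names.
PATH_FIELDS = ("driver_path", "data_file", "config_file", "help_file")

# Extended-length prefixes \\?\ and \\.\ ; only the UNC\ variant names a network share.
_EXTENDED_PREFIX = re.compile(r"^\\\\[?.]\\(UNC\\)?", re.IGNORECASE)


def is_unc_path(path: str) -> bool:
    r"""True if the path names a network location in any spelling:
    \\server\share, //server/share, \\?\UNC\server\share or \\.\UNC\server\share."""
    p = path.strip().replace("/", "\\")
    m = _EXTENDED_PREFIX.match(p)
    if m:
        return m.group(1) is not None  # \\?\C:\... is local, \\?\UNC\... is remote
    return p.startswith("\\\\")

def incomplete_check(request: Dict[str, Any]) -> bool:
    """The pattern the article describes: only the primary driver path is inspected."""
    return is_unc_path(str(request.get("driver_path", "")))

def complete_check(request: Dict[str, Any]) -> List[str]:
    """Inspect every path-bearing field and return the names of those that are UNC."""
    return [f for f in PATH_FIELDS if is_unc_path(str(request.get(f, "")))]

def missed_by_incomplete_check(requests: List[Dict[str, Any]]) -> List[int]:
    """IDs of requests carrying a UNC path that the single-field check would let through."""
    return [r["id"] for r in requests if complete_check(r) and not incomplete_check(r)]


# Constructed sample requests; fileserver.example is a placeholder host.
SAMPLE_REQUESTS = [
    {"id": 1, "driver_path": r"C:\Windows\System32\spool\drivers\x64\3\ok.dll",
     "data_file": r"C:\Windows\System32\spool\drivers\x64\3\ok.ppd"},
    {"id": 2, "driver_path": r"C:\Windows\System32\spool\drivers\x64\3\ok.dll",
     "data_file": r"\\fileserver.example\share\payload.dll"},        # UNC in a secondary field
    {"id": 3, "driver_path": "//fileserver.example/share/payload.dll"},  # forward-slash UNC
    {"id": 4, "driver_path": r"\\?\C:\Windows\System32\spool\drivers\x64\3\ok.dll",
     "config_file": r"\\?\UNC\fileserver.example\share\payload.dll"},  # extended-length UNC
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["id"], "single-field:", incomplete_check(req), "all-fields:", complete_check(req))
    print("missed by single-field check:", missed_by_incomplete_check(SAMPLE_REQUESTS))
```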