H3-2023-0016
Authenticated Microsoft Windows Machine Account NTLM Coercion via Print Spooler Protocol Manipulation
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.3 |
Description
Microsoft's Print System Remote Protocol [MS-RPRN] defines the communication of print job processing and print system management between a print client and a print server. Microsoft's Print Spooler is the service that handles print jobs and other printing-related tasks. An attacker who controls a domain user or computer account can, with a specific RPC call, invoke one of the vulnerable methods to make the server's machine account authenticate to a target of the attacker's choosing. This flaw is classified as "won't fix", and the behavior is enabled by default on all Windows environments.
Impact
An authenticated attacker with access to low-privileged user credentials can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capture and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Directory Certificate Services web interface to acquire persistent credentials for the Domain Controller machine account, leading to a full domain compromise.
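A detection sketch for the coercion path described above, added here as an example and not part of the original advisory: [MS-RPRN] calls made over SMB open the `spoolss` named pipe through the `IPC$` share, which Windows records as Security Event ID 5145 when "Audit Detailed File Share" is enabled. The event records, host names, accounts, addresses and the allow-list of print clients below are constructed for illustration, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample records using Event ID 5145 field names. All values are invented.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "dc01.corp.example", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.5.23", "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss"},
    {"EventID": 5145, "Computer": "dc01.corp.example", "SubjectUserName": "PRINTSRV01$",
     "IpAddress": "10.0.1.40", "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss"},
    {"EventID": 5145, "Computer": "dc01.corp.example", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.5.23", "ShareName": r"\\*\SYSVOL", "RelativeTargetName": "Policies"},
    {"EventID": 5145, "Computer": "dc02.corp.example", "SubjectUserName": "akumar",
     "IpAddress": "::ffff:10.0.7.9", "ShareName": r"\\*\IPC$", "RelativeTargetName": "SPOOLSS"},
    {"EventID": 4624, "Computer": "dc01.corp.example", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.5.23"},
]

def _source(ip_text):
    """Parse a source address; unwrap the IPv4-mapped IPv6 form if it appears."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # unparsable value, e.g. a placeholder such as "-"
    return getattr(addr, "ipv4_mapped", None) or addr

def find_spoolss_opens(events, watched_hosts, allowed_sources):
    """Return (host, account, source) for each 5145 event where the spoolss pipe
    was opened over IPC$ on a watched host from outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    watched = {h.lower() for h in watched_hosts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        if ev.get("Computer", "").lower() not in watched:
            continue
        if not ev.get("ShareName", "").upper().endswith("IPC$"):
            continue
        if ev.get("RelativeTargetName", "").lower() != "spoolss":
            continue
        raw = ev.get("IpAddress", "")
        src = _source(raw)
        if src is not None and any(src in net for net in nets):
            continue  # expected print client or print server
        hits.append((ev["Computer"], ev["SubjectUserName"], str(src or raw)))
    return hits

if __name__ == "__main__":
    dcs = {"dc01.corp.example", "dc02.corp.example"}
    for hit in find_spoolss_opens(SAMPLE_EVENTS, dcs, ["10.0.1.40/32"]):
        print(hit)
```

Legitimate print clients also open this pipe, so the allow-list of expected sources decides how noisy the rule is; on Domain Controllers that serve no printers, any hit is worth reviewing.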