H3-2023-0016
Authenticated Microsoft Windows Machine Account NTLM Coercion via Print Spooler Protocol Manipulation
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.3 |
Description
Microsoft's Print System Remote Protocol [MS-RPRN] defines the communication of print job processing and print system management between a print client and a print server. Microsoft’s Print Spooler is a service handling the print jobs and other various tasks related to printing. An attacker controlling a domain user/computer can, with a specific RPC call, manipulate one of the vulnerable methods to make it authenticate to a target of the attacker's choosing. This flaw is a "won't fix" and enabled by default on all Windows environments.
Impact
An authenticated attacker with access to low privileged user credentials can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capturing and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Domain Certificate Services web interface to acquire persistent credentials for the Domain Controller Machine account -- leading to a full domain compromise.