Rapid7 Vulnerability & Exploit Database

Lexmark Driver Privilege Escalation

Back to Search

Lexmark Driver Privilege Escalation

Disclosed
07/15/2021
Created
08/12/2021

Description

Various Lexmark Universal Printer drivers as listed at advisory TE953 allow low-privileged authenicated users to elevate their privileges to SYSTEM on affected Windows systems by modifying the XML file at C:\ProgramData\\Universal Color Laser.gdl to replace the DLL path to unires.dll with a malicious DLL path. When C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs is then used to add the printer to the affected system, PrintIsolationHost.exe, a Windows process running as NT AUTHORITY\SYSTEM, will inspect the C:\ProgramData\\Universal Color Laser.gdl file and will load the malicious DLL from the path specified in the file. This which will result in the malicious DLL executing as NT AUTHORITY\SYSTEM. Once this module is finished, it will use the prnmngr.vbs script to remove the printer it added.

Author(s)

  • Jacob Baines
  • Shelby Pace
  • Grant Willcox

Platform

Windows

Architectures

x86, x64

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/lexmark_driver_privesc
msf exploit(lexmark_driver_privesc) > show targets
    ...targets...
msf exploit(lexmark_driver_privesc) > set TARGET < target-id >
msf exploit(lexmark_driver_privesc) > show options
    ...show and set options...
msf exploit(lexmark_driver_privesc) > exploit

Metasploit

Penetration testing software for offensive security teams.
Key Features
Free Metasploit Pro Trial View All Features

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;