CVE-2019-19363 - Local Privilege Escalation in many Ricoh Printer Drivers for Windows

Related Vulnerabilities: CVE-2019-19363  
                							

<h1 class="m-title">CVE-2019-19363 - Local Privilege Escalation in many Ricoh Printer Drivers for Windows</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Pentagrid AG &lt;advisory () pentagrid ch&gt;


<em>Date</em>: Wed, 22 Jan 2020 12:03:43 +0100


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Local Privilege Escalation in many Ricoh Printer Drivers for Windows
(CVE-2019-19363)
======================================================================


Summary
--------

Pentagrid has been asked to manage the coordinated disclosure process
for a vulnerability that affects several Windows printer drivers for a
wide range of printers by the printer manufacturer Ricoh. Due to
improperly set file permissions of file system entries that are
installed when a printer is added to a Windows system, any local user
is able to overwrite program library files (DLLs) with their own code.


Impact
-------

The improperly  protected library  files are  loaded by  the Windows
PrintIsolationHost.exe,  which  is  a privileged  process  running  as
SYSTEM. When an attacker overwrites library  files that are used in an
administrative   context,  the   library  code   gets  executed   with
administrative  privileges as  well.  Thus, the  attacker  is able  to
escalate privileges to SYSTEM.

As installing printer drivers is not disallowed by default on
domain-managed Windows computers, this can be used as a universal
privilege escalation as long as the vulnerable printer drivers are
valid and installable.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 8.8 High


Timeline
---------

* 2019-10-17: Pentagrid has been asked to support the disclosure
              process, because the source was not successful in
              reporting this vulnerability to Ricoh.
* 2019-10-23: Asked @ricoheurope Twitter channel regarding a security
              contact. No response, yet.
* 2019-10-29: Successfully established a contact with a Ricoh employee
              via LinkedIn. Other contact attempts via LinkedIn failed
              so far.
* 2019-10-29: Asked @AskRicoh Twitter channel regarding a security
              contact.
* 2019-10-31: Received two e-mail addresses as potential security
              contacts via LinkedIn contact.
* 2019-11-02: Initial contact with the two provided Ricoh e-mail addresses.
* 2019-11-04: Received PSIRT contact address (psirt () ricoh-usa com).
* 2019-11-05: Sent preliminary advisory to PSIRT.
* 2019-11-05: @AskRicoh responded on Twitter.
* 2019-11-14: Response from Ricoh PSIRT with a timeline proposal and
              intended steps.
* 2019-12-05: CVE-2019-19363 has been assigned.
* 2020-01-22: Ricoh published an advisory
              (<a rel="nofollow" href="https://www.ricoh.com/info/2020/0122_1/">https://www.ricoh.com/info/2020/0122_1/</a>). Fixes and
              mitigations have not been verified, yet.
* 2020-01-22: Advisory updated and published after 90 days of initial
              contact.


Affected Components
--------------------

Printer  drivers  for  Ricoh,  Savin and  Lanier  printer  brands  are
affected.  The  following drivers  for  Windows  10  are known  to  be
affected:

* SP 8300DN - PCL6 Driver for Universal Print, Ver.4.23.0.0,
  release date 10/08/2019:
  <a rel="nofollow" href="http://support.ricoh.com/bb/pub_e/dr_ut_e/0001315/0001315878/V42300/z87179L19.exe">http://support.ricoh.com/bb/pub_e/dr_ut_e/0001315/0001315878/V42300/z87179L19.exe</a>
  (SHA-256
   064c1db754d43edbd8c9c23185b817d6a29775c93c1049605f5d907a472d64ab)
* SP 8300DN - PCL 6 Driver, Ver.1.5.0.0, release date 07/03/2016:
  <a rel="nofollow" href="http://support.ricoh.com/bb/pub_e/dr_ut_e/0001294/0001294259/V1500/z75198L13.exe">http://support.ricoh.com/bb/pub_e/dr_ut_e/0001294/0001294259/V1500/z75198L13.exe</a>
  (SHA-256
   af2fa42905850f58879816956d322dc5adfb1f89fbe7f6af830f465fbc0e3cc1)
* P 501/502 - PCL 6 Driver, Ver.1.1.0.0, release date 03/02/2019:
  <a rel="nofollow" href="http://support.ricoh.com/bb/pub_e/dr_ut_e/0001311/0001311756/V1100/z84997L16.exe">http://support.ricoh.com/bb/pub_e/dr_ut_e/0001311/0001311756/V1100/z84997L16.exe</a>
  (SHA-256
   564b27f16db12cafd15eec6057c75b30dbac25dbbebb4fd5598ad09dfaaad416)
* MP C8003/C6503 series - PCL 6 Driver, Ver.1.2.0.0,
  release date 24/05/2017:
  <a rel="nofollow" href="http://support.ricoh.com/bb/pub_e/dr_ut_e/0001303/0001303915/V1200/z80159L15.exe">http://support.ricoh.com/bb/pub_e/dr_ut_e/0001303/0001303915/V1200/z80159L15.exe</a>
  (SHA-256
   3ef2a1dc09e2dde71ed9db9f6c629ff0140d172fbe71c9e376d391e3162090f0)

The Universal Print driver in particular supports a wide range of
printer models. Furthermore, printers are also marketed under the
brand names Savin and Lanier, which use the same drivers. Additional
drivers and driver versions are affected as well. Ricoh's advisory
lists affected drivers and versions.


Technical Details
------------------

To reproduce  the vulnerability,  download an affected  printer driver
such  as  the  PCL6  Driver for  Universal  Print,  Version  4.23.0.0,
self-extract the executable file and install the driver.

In a standard Windows installation, adding a printer does not need an
administrator account. Instead, the printer driver can be installed
by adding a printer and selecting an installation medium.

During the printer setup, the PrintIsolationHost.exe process creates
the directory c:\ProgramData\RICOH_DRV\ and installs several files in
this location, including several DLL files. Every user has full
control over the installed DLL files, as shown below, because these
files are writable:

C:\&gt;icacls "c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\*.dll"
c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\borderline.dll Everyone:(I)(F)
c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\headerfooter.dll Everyone:(I)(F)
c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\jobhook.dll Everyone:(I)(F)
c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\overlaywatermark.dll Everyone:(I)(F)
c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\popup.dll Everyone:(I)(F)
c:\ProgramData\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz\watermark.dll Everyone:(I)(F)

Successfully processed 6 files; Failed processing 0 files

The flag F means full access and the flag I means permissions are
inherited from the parent directory. The inherited write permission
originates from a parent directory. In fact, the entire directory
c:\ProgramData\RICOH_DRV grants full control to everyone:

C:\&gt;icacls "c:\ProgramData\RICOH_DRV"
c:\ProgramData\RICOH_DRV Everyone:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Here OI means Object Inherit, CI  Container Inherit, and F full access
as above.
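
Added example, not part of the original advisory or its exploit: a
Python audit helper that parses icacls output like the listings above
and reports entries where a principal covering all local users holds
write access. The function name, the English principal names and the
Example_DRV and Hardened_DRV paths are assumptions; the sample input
is constructed.

```python
import re

# Principals covering every unprivileged local user (English names assumed).
BROAD_PRINCIPALS = ("everyone", "builtin\\users",
                    "nt authority\\authenticated users")
# icacls rights that let the holder replace a file's contents.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD"}
# An ACE closes the line, e.g. ":(OI)(CI)(F)" or ":(I)(RX,W)".
ACE_TAIL = re.compile(r":((?:\([A-Za-z,]+\))+)\s*$")

def writable_by_everyone(icacls_output):
    """Return sorted (path, principal, rights) for broad principals with write access."""
    findings, first_line = set(), ""
    for line in icacls_output.splitlines():
        tail = ACE_TAIL.search(line)
        if tail is None:
            continue  # prompt, blank line or "Successfully processed" summary
        head = line[:tail.start()]
        indent = len(head) - len(head.lstrip())
        if indent == 0:
            first_line = head  # "path principal"; further ACEs are indented below
        flags = set(re.findall(r"[A-Za-z]+", tail.group(1).upper()))
        rights = flags.intersection(WRITE_RIGHTS)
        if "DENY" in flags or not rights:
            continue
        for name in BROAD_PRINCIPALS:
            prefix = head[:-len(name)]
            if head.lower().endswith(name) and prefix[-1:].isspace():
                # Indented ACE lines carry no path: recover it from the indent width.
                path = prefix if indent == 0 else first_line[:indent]
                findings.add((path.strip(), head[len(prefix):], ",".join(sorted(rights))))
    return sorted(findings)

# Constructed sample in the advisory's icacls format; Example_DRV and Hardened_DRV are hypothetical.
RICOH = r"c:\ProgramData\RICOH_DRV"
DLL = RICOH + r"\RICOH PCL6 UniversalDriver V4.23\_common\dlz\jobhook.dll"
HOOK = r"c:\ProgramData\Example_DRV\hook.dll"
HARDENED = r"c:\ProgramData\Hardened_DRV"
SAMPLE = "\n".join([
    RICOH + " Everyone:(OI)(CI)(F)",
    DLL + " Everyone:(I)(F)",
    HOOK + r" NT AUTHORITY\SYSTEM:(I)(F)",
    " " * (len(HOOK) + 1) + r"BUILTIN\Users:(I)(RX,W)",
    HARDENED + r" NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    " " * (len(HARDENED) + 1) + r"BUILTIN\Users:(OI)(CI)(RX)",
])

if __name__ == "__main__":
    print(writable_by_everyone(SAMPLE))
```

The function takes the saved text of an icacls run over a driver
directory, for example one made with the /T switch to include files
and subdirectories.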

The printer isolation feature was introduced in Windows 7 and
Windows Server 2008 to keep printer drivers out of the spooler
process. The isolation should add stability for other users' print
jobs.


Exploitation
-------------

When a DLL file from c:\ProgramData\RICOH_DRV is overwritten at the
right moment by a local attacker, the PrintIsolationHost.exe process
loads the attacker-provided DLL file. Afterward, the library code
gets executed with SYSTEM privileges, because PrintIsolationHost.exe
runs with SYSTEM privileges. This attack idea has been implemented in
a proof of concept exploit that is given in a later section of this
advisory.


Precondition
-------------

To exploit  the vulnerability, an  attacker needs access to  a Windows
host as a regular  user and must be able to  install an affected Ricoh
printer driver as  well as to add printers, which  is usually possible
without administrative access.


Patches and Workaround
-----------------------

Please  refer  to  Ricoh's   advisory  for  mitigations  and  security
patches. Pentagrid has not reviewed them, yet.

Windows group policies are a potential workaround. When group
policies are used, there is a group policy to control installing
printer drivers (Windows Settings -&gt; Security Settings -&gt; Local
Policies -&gt; Security Options -&gt; Devices: Prevent Users From Installing
Printer Drivers) and another group policy to control adding printers
(User Configuration -&gt; Administrative Templates -&gt; Control Panel -&gt;
Printers -&gt; Prevent addition of printers). When these policies are
enabled, users cannot install drivers or add printers, respectively.


Credits
--------

This  vulnerability has  been  found by  Alexander  Pudwill, who  also
provided  an initial  proof of  concept  exploit in  C#. Pentagrid  AG
independently  validated the  findings,  fully  automated the  exploit
process and handled the coordinated disclosure.


Proof of Concept Exploit
-------------------------

An exploit has been published online at:

<a rel="nofollow" href="https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/">https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/</a>


Contact
--------

Pentagrid AG &lt;advisory () pentagrid ch&gt;
<a rel="nofollow" href="https://pentagrid.ch">https://pentagrid.ch</a>


</pre><p><strong>Attachment:
<a href="att-34/signature_asc.bin"><tt>signature.asc</tt></a></strong>

<em>Description:</em> OpenPGP digital signature</p>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<p>