seekrit_stash/PrintNightmare
seekrit_stash
/
PrintNightmare
2
2
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Update README.md

This commit is contained in:
lxf 2021-06-29 14:01:20 +08:00 committed by GitHub
parent fd70f1c1fd
commit 1877235648
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -68,7 +68,7 @@ Clearly, if an attacker can bypass the authentication of RpcAddPrinterDriver. He
![img](./img/rootcause.png)
ValidateObjectAccess is a normal security check for Spooler Service. But in line 19 and 20, argument a4 and a7 is user controllable. So, a normal user can bypass the security check and add an driver. If you are in the domain, a normal domain user can connect to the Spooler service in the DC and install a driver into the DC. Then he can fully control the Domain.
ValidateObjectAccess is a normal security check for Spooler Service. But in line 19 and 20, argument a4 is user controllable. So, a normal user can bypass the security check and add an driver. If you are in the domain, a normal domain user can connect to the Spooler service in the DC and install a driver into the DC. Then he can fully control the Domain.