CVE-2019-19363
published 2020-01-24
Priority P3 50 · high · 7.8 · CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.57% (90.4th percentile)
An issue was discovered in Ricoh (including Savin and Lanier) Windows printer drivers prior to 2020 that allows attackers local privilege escalation. Affected drivers and versions are:
- PCL6 Driver for Universal Print - Version 4.0 or later
- PS Driver for Universal Print - Version 4.0 or later
- PC FAX Generic Driver - All versions
- Generic PCL5 Driver - All versions
- RPCS Driver - All versions
- PostScript3 Driver - All versions
- PCL6 (PCL XL) Driver - All versions
- RPCS Raster Driver - All versions
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ricoh | pcl6_driver_for_universal_print | >= 4.0 < 4.26 | 4.26 |
| ricoh | ps_driver_for_universal_print | >= 4.0 < 4.26 | 4.26 |
CVSS provenance
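| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |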
No detection rules found.
Exploit-DB
Ricoh Driver - Privilege Escalation (Metasploit)
exploitdb·2020-02-10
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/exe'
class MetasploitModule 'Ricoh Driver Privilege Escalation',
'Description' => %q(
Various Ricoh printer drivers allow escalation of
privileges on Windows systems.
For vulnerable drivers, a low-privileged user can
read/write files within the `RICOH_DRV` directory
and its subdirectories.
`PrintIsolationHost.exe`, a Windows process running
as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
during the installation of a printer. A user can
elevate to SYSTEM by writing a malicious DLL to
the vulnerable driver directory and adding a new
printer with a vulnerable driver.
Th
Exploit-DB
Ricoh Printer Drivers - Local Privilege Escalation
exploitdb·2020-01-22·CVSS 7.8
---
/*
This proof of concept code monitors file changes on Ricoh's driver DLL files and overwrites
a DLL file before the library is loaded (CVE-2019-19363).
Written by Pentagrid AG, 2019.
Cf. https://pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/
Credits: Alexander Pudwill
This proof of concept code is based on the ReadDirectoryChangesW API call to
get notified about changes on files and directories and reuses parts from the example from
https://www.experts-exchange.com/questions/22507220/ReadDirectoryChangesW-FWATCH-MSDN-sample-not-working.html
*/
#include
#include
#include
#include
#define MAX_BUFFER 4096
int change_counter = 0;
const WCHAR * const BaseDirName = L"C:\\Progra
Metasploit
Ricoh Driver Privilege Escalation
metasploit
Various Ricoh printer drivers allow escalation of privileges on Windows systems. For vulnerable drivers, a low-privileged user can read/write files within the `RICOH_DRV` directory and its subdirectories. `PrintIsolationHost.exe`, a Windows process running as NT AUTHORITY\SYSTEM, loads driver-specific DLLs during the installation of a printer. A user can elevate to SYSTEM by writing a malicious DLL to the vulnerable driver directory and adding a new printer with a vulnerable driver. This module leverages the `prnmngr.vbs` script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.
No writeups or analysis indexed.
http://jvn.jp/en/jp/JVN15697526/index.html
http://packetstormsecurity.com/files/156082/Ricoh-Printer-Driver-Local-Privilege-Escalation.html
http://packetstormsecurity.com/files/156251/Ricoh-Driver-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2020/Jan/34
https://www.ricoh.com/info/2020/0122_1/