Status: Fixed
Closed: Jun 2015
iPrint Client: nipplpt.sys NULL DACL Applied To Registry Configuration
Project Member Reported by forshaw@google.com, Feb 27 2015
Platform: iPrint Client 5.99, tested on Windows 8.1 Update 32
Class: Elevation of Privilege

Summary:
The nipplpt.sys driver reads registry configuration data to initialize its spool path. The registry settings are installed with a NULL DACL, meaning any user can modify them, which creates the potential for elevation of privilege for any user on the system.

Description:

When the nipplpt driver first creates a new device object (in the IRP_MJ_CREATE handler) it initializes the spool path and platform configuration from the registry. As these settings live under HKEY_LOCAL_MACHINE they should be protected from modification by a normal user; however, the install process marks them with a NULL DACL, which means any user on the system can modify them.


It's possible to abuse this to change the spool directory location to somewhere the user can modify (ignoring the fact that the spool directory is already accessible because of another issue). This can lead to an elevation of privilege, as the spool directory can be turned into a mount point, which acts as a symbolic link. Through this the nipplpt driver can be made to create an arbitrary file anywhere on the file system; this could be used to add WMI MOF configurations or plant DLLs, which would allow a normal user to elevate to a local system administrator.

In mitigation, the settings are only ever read once, so the attack would have to be carried out before any application opens a new device.
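The report's root cause is a configuration key under HKLM that any user can write because its DACL is NULL. As an added example (not part of the original report or of the iPrint product), the following PowerShell audits a registry key for write rights granted to low-privileged principals and, optionally, replaces the DACL with a restrictive non-inherited one. It relies on a .NET behaviour worth knowing when auditing: `RegistrySecurity` cannot represent a NULL DACL and presents it as a single `Everyone: FullControl` allow ACE, so a NULL DACL shows up in the same check as any other over-permissive grant. The key path in the usage comment is a placeholder, not the real iPrint key; the remediation function needs an elevated session.

```powershell
# Added example (not from the original report): audit a registry key's DACL for
# write access held by low-privileged principals, and optionally replace it with
# a restrictive, non-inherited DACL. The key path at the bottom is a placeholder.

# Well-known SIDs that every ordinary logged-on user holds.
$LowPrivilegedSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # Interactive
)

# Rights that let a caller change what a driver will later read from the key.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Test-RegistryKeyWritableByStandardUsers {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'HKLM:\SOFTWARE\Vendor\Driver'

    $acl = Get-Acl -Path $Path
    # .NET cannot represent a NULL DACL: RegistrySecurity reports it as one
    # 'Everyone: FullControl' allow ACE, so the loop below flags it like any
    # other over-permissive grant.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable identity: skip it rather than abort the audit
        }
        if ($LowPrivilegedSids -notcontains $sid) { continue }
        if (($ace.RegistryRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
            }
        }
    }
}

function Repair-RegistryKeyDacl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the existing (NULL or
    # over-permissive) explicit rules before adding our own.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $grants = @(
        @{ Sid = 'S-1-5-18';     Rights = 'FullControl' },  # LocalSystem
        @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl' },  # BUILTIN\Administrators
        @{ Sid = 'S-1-5-32-545'; Rights = 'ReadKey' }       # BUILTIN\Users: read only
    )
    foreach ($g in $grants) {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($g.Sid)
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, [System.Security.AccessControl.RegistryRights]$g.Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Replace DACL with SYSTEM/Administrators full control, Users read')) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Usage (placeholder key; substitute the vendor's actual configuration key):
# Test-RegistryKeyWritableByStandardUsers -Path 'HKLM:\SOFTWARE\ExampleVendor\ExampleDriver'
# Repair-RegistryKeyDacl -Path 'HKLM:\SOFTWARE\ExampleVendor\ExampleDriver' -WhatIf
```

The audit function emits one object per offending ACE, so it can be run across a list of keys and piped to `Format-Table` or exported for review. The repair function is deliberately protected (`SupportsShouldProcess`), so `-WhatIf` previews the change; because the driver in this report reads the key only once at first device open, fixing the DACL is only effective if it happens before the driver loads the settings, which is why the install-time ACL is the right place to get this correct.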

Proof of Concept:

I’ve not provided a PoC here as it would be roughly the same as the PoC from the NULL DACL for files/directories. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Project Member Comment 1 by forshaw@google.com, Mar 2 2015
Labels: -Reported-2015-02-27 Reported-2015-Feb-27
Received confirmation that security@novell.com had received the reports
Project Member Comment 2 by forshaw@google.com, May 28 2015
Correspondence Date: 22 May 2015

> Asked Novell for an update on this vulnerability as it's about to exceed the deadline
Project Member Comment 3 by forshaw@google.com, May 28 2015
Labels: -Restrict-View-Commit Deadline-Exceeded
Deadline exceeded -- automatically derestricting
Project Member Comment 4 by forshaw@google.com, Jun 4 2015
Status: Fixed
Issue has been resolved, according to vendor, by removing the vulnerable driver from version 6.0.0 onward. This was not documented in the release notes at https://www.novell.com/support/kb/doc.php?id=7008708
Project Member Comment 5 by forshaw@google.com, Jul 9 2015
Labels: -Deadline-Exceeded
Removed deadline exceeded as technically the bugs were fixed prior to the deadline. Although auto update is not enabled and there was no corresponding advisory warning customers to upgrade.