Information Security News mailing list archives

Printer (spooler) Service Vulnerabilities


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Sat, 6 Nov 1999 23:26:09 -0700

http://www.eeye.com/html/advisories/AD11041999.html

Printer (spooler) Service Vulnerabilities
Release Date:
November 4, 1999

Systems Affected:

Any NT system with a printer or the ability to print to a network printer.
Microsoft Windows NT 4.0 Workstation, Server, Terminal Server (all service
packs)

Description:

It was a typical day in eEye land... the beer was cold, the day was long,
the exploit... well the exploit was a joke started by a client. "The day
you guys can hack my network via its printer is the day I call it quits."
A joke at first... the ability to remotely and locally compromise an NT
network via a printer. What started off as a joke was going to turn into
reality. Ten or so minutes after taking a look at the NT printer service
we had already found a way to compromise any Windows NT server or
workstation that had a printer attached to it or the ability to print to a
network printer.

The Windows NT Spooler service (Spoolss.exe), (used for various printing
activities), contains a number of security holes that allow for data
overflows. These vulnerabilities are evident when someone passes data to
various spooler service APIs and spoolss.exe does not check the size of
the receiving buffer to make sure it can hold the incoming data. The API,
explained in more detail below, can only be exploited locally. However,
some of the overflows could be exploited remotely.

Example of one of the exploitable APIs:

First thing to note about the API in question is that it can only be
executed if you are a "Power User". So for this example, if you were to
write exploit code for this API overflow you could only elevate your
access from a Power User to SYSTEM level. Which is still a very bad thing.
However, as explained earlier, there are other places where the spooler
service overflows and cases that do not require you to be at the power
user level.

[snip...]

ISN is sponsored by Security-Focus.COM
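The defect the advisory describes is a service filling a caller-supplied receiving buffer without checking that the buffer is large enough. The following C example is added here for illustration and is not eEye's code nor any real spooler routine: it uses a constructed PrinterInfo record and hypothetical function names, and contrasts the unchecked copy with the (pBuf, cbBuf, pcbNeeded) convention that the Win32 printing APIs use, where the callee reports the required size and writes nothing when the buffer cannot hold the record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record a spooler-style "get info" call returns. The layout is
 * constructed for this example and is not a real spooler structure. */
typedef struct {
    char name[48];
    char port[16];
    uint32_t status;
} PrinterInfo;   /* 68 bytes, more than a careless caller might reserve */

/* Constructed sample record standing in for the service's internal state. */
static const PrinterInfo sample = { "Constructed Printer", "LPT1:", 0 };

/* Vulnerable pattern, as the advisory describes it: the service copies the
 * whole record into the caller's buffer and never consults cbBuf, so any
 * buffer smaller than sizeof(PrinterInfo) is overrun. Shown for contrast
 * only; nothing in this example calls it. */
int get_printer_unchecked(void *pBuf, uint32_t cbBuf, const PrinterInfo *src) {
    (void)cbBuf;                       /* the size is ignored: that is the bug */
    memcpy(pBuf, src, sizeof *src);    /* writes sizeof *src bytes regardless */
    return 1;
}

/* Hardened pattern following the Win32 (pBuf, cbBuf, pcbNeeded) convention:
 * always report the required size, and refuse to write when it does not fit. */
int get_printer_checked(void *pBuf, uint32_t cbBuf, uint32_t *pcbNeeded,
                        const PrinterInfo *src) {
    *pcbNeeded = (uint32_t)sizeof *src;
    if (pBuf == NULL || cbBuf < *pcbNeeded)
        return 0;                      /* caller must retry with *pcbNeeded bytes */
    memcpy(pBuf, src, sizeof *src);
    return 1;
}

/* Client side: query with a deliberately small buffer, observe the refusal,
 * then retry with the size the service reported. Returns 0 on success. */
int fetch_printer_info(PrinterInfo *out) {
    uint8_t small[16];
    uint32_t needed = 0;
    if (get_printer_checked(small, sizeof small, &needed, &sample))
        return -1;                     /* 16 bytes must never be accepted */
    if (needed != sizeof *out)
        return -1;                     /* reported size disagrees with the record */
    return get_printer_checked(out, sizeof *out, &needed, &sample) ? 0 : -1;
}

/* Does the refuse-then-retry sequence deliver the record intact? */
int roundtrip_ok(void) {
    PrinterInfo info;
    memset(&info, 0, sizeof info);
    return fetch_printer_info(&info) == 0
        && strcmp(info.name, sample.name) == 0
        && strcmp(info.port, sample.port) == 0;
}

int main(void) {
    PrinterInfo info;
    if (fetch_printer_info(&info) == 0)
        printf("%s on %s (status %u)\n", info.name, info.port, info.status);
    else
        puts("query failed");
    return 0;
}
```

The checked version makes the size contract explicit on both sides: the callee never trusts that the buffer is big enough, and the caller treats a refusal plus a reported size as the normal first step rather than an error.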
