spoolss.txt

Date: 04 Nov 1999. Reported by: marc. Source: packetstorm (packetstormsecurity.com).

Vulnerabilities found in the Windows NT spooler service allow local and remote exploitation risks.

Printer (spooler) Service Vulnerabilities
  
Systems Affected:  
  
Any NT system with a printer or the ability to print to a network printer.  
Microsoft Windows NT 4.0 Workstation, Server, Terminal Server (all service  
packs)  
  
Release Date:  
  
November 4, 1999  
  
Advisory Code:  
  
AD11041999  
  
Description:  
  
It was a typical day in eEye land... the beer was cold, the day was long,
the exploit... well, the exploit was a joke started by a client. "The day you
guys can hack my network via its printer is the day I call it quits." A
joke at first... the ability to remotely and locally compromise an NT
network via a printer. What started off as a joke was going to turn into
reality. Ten or so minutes after taking a look at the NT printer service we
had already found a way to compromise any Windows NT server or workstation
that had a printer attached to it or the ability to print to a network
printer.
  
The Windows NT Spooler service (Spoolss.exe), used for various printing
activities, contains a number of security holes that allow for buffer
overflows. These vulnerabilities occur when someone passes data to
various spooler service APIs and spoolss.exe does not check the size of the
receiving buffer to make sure it can hold the incoming data. The API
explained in more detail below can only be exploited locally. However, some
of the other overflows could be exploited remotely.
  
Example of one of the exploitable APIs:
  
The first thing to note about the API in question is that it can only be
executed if you are a "Power User". So for this example, if you were to
write exploit code for this API overflow you could only elevate your access
from Power User to SYSTEM level, which is still a very bad thing. However,
as explained earlier, there are other places where the spooler service
overflows, including cases that do not require you to be at the Power User level.
  
----spoolss.c----
```c
#include <windows.h>
#include <winspool.h>
#include <string.h>

int main(void)
{
    char bigbuffer[3000];
    int i;

    /* Build an oversized UNC-style name: "\\" followed by 2000 'A's. */
    strcpy(bigbuffer, "\\\\");
    for (i = 0; i < 2000; i++)
        strcat(bigbuffer, "A");

    /* Hand the oversized name to the spooler service. spoolss.exe copies it
       into a fixed-size buffer without checking the length and overflows. */
    AddPrintProcessor(NULL, NULL, bigbuffer, bigbuffer);
    return 0;
}
```
----spoolss.c----
  
In this example, the overflow is in AddPrintProcessor. When "bigbuffer" is
passed to the spooler service, it tries to stuff 2000 instances of the
character "A" into a buffer that cannot hold that much data, and the buffer
therefore overflows. You will also notice when it overflows that EIP is
00410041. This is because the bytes have been converted into wide-character
(Unicode) format. Do not be deceived by this... it is still exploitable. :-]
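The two points above, the missing receiving-buffer check and the 00410041 EIP value, modelled as an added example (not eEye's code; the buffer size and function names are hypothetical). It shows the bounds check the spooler lacked on the server side, and why two overflowing 'A' bytes read back as the dword 0x00410041 once widened to UTF-16LE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical receiving buffer, in wide characters. The real spooler
 * buffer size is not given in the advisory. */
#define NAME_CAP 64

/* Hardened form of the copy the advisory describes: widen an ANSI name
 * into a fixed-size UTF-16 buffer only if it fits, terminator included.
 * Returns the number of wide characters written, or -1 when the input
 * would have overflowed the receiving buffer. */
int widen_checked(const char *ansi, uint16_t *out, size_t cap)
{
    size_t len = strlen(ansi);
    if (len + 1 > cap)                 /* the check spoolss.exe did not do */
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (uint16_t)(unsigned char)ansi[i];   /* 'A' -> 0x0041 */
    out[len] = 0;
    return (int)len;
}

/* Why the crash shows EIP == 0x00410041: two overflowing 'A' bytes,
 * once widened to UTF-16LE, occupy the four bytes 41 00 41 00, which a
 * little-endian x86 reads back as the dword 0x00410041. */
uint32_t widened_dword(const char *two_ansi_chars)
{
    uint16_t w0 = (uint16_t)(unsigned char)two_ansi_chars[0];
    uint16_t w1 = (uint16_t)(unsigned char)two_ansi_chars[1];
    return (uint32_t)w0 | ((uint32_t)w1 << 16);
}

int main(void)
{
    uint16_t name[NAME_CAP];
    char big[3000];                    /* constructed input, like bigbuffer */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short name:     %d\n", widen_checked("\\\\server", name, NAME_CAP)); /* 8 */
    printf("2999-byte name: %d\n", widen_checked(big, name, NAME_CAP));          /* -1 */
    printf("EIP from \"AA\": 0x%08x\n", widened_dword("AA"));   /* 0x00410041 */
    return 0;
}
```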
  
There exists another vulnerability in the spooler service that allows any
local user to load their own DLLs and have them executed by the spooler
service with SYSTEM level access, thereby allowing any local user to gain
total control of the local machine.
  
The vulnerability is in AddPrintProvidor(). Microsoft has a very good  
description in their advisory of what a print provider is and why the  
vulnerability exists and other detailed information. So instead of  
regurgitating that information we will give you detailed information on  
exploiting the hole and an example exploit including source.  
  
http://www.eeye.com/html/Advisories/spoolsploit.zip  
  
A brief word about w00giving:
w00giving is being put on by none other than the security team w00w00.
w00giving is a joint effort of various security groups and individuals who
are going to be releasing advisories, exploits and tools throughout November
and into December. eEye is participating in w00giving, so over the next few
weeks of November we plan to release either an advisory or a tool once a week.
This printer advisory is our first offering and we hope you enjoy it.
  
Fixes:  
  
X86:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN-US/Q243649.exe
Alpha:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/ALPHA/EN-US/Q243649.exe
Windows NT 4.0 Server, Terminal Server Edition: To be released shortly
  
Related Links:  
  
Retina - The Network Security Scanner  
http://www.eEye.com/retina/  
Smarter. Faster. Sexier.  
  
w00w00 - w00giving  
http://www.datasurge.net/www.w00w00.org/  
  
Greetings:  
Attrition, w00w00, beavuh, ADM, Rhino9, L0pht, Wiretrip, and HNN. krystalia
1971-1999  
  
Copyright (c) 1999 eEye Digital Security Team  
  
Permission is hereby granted for the redistribution of this alert  
electronically. It is not to be edited in any way without express consent of  
eEye. If you wish to reprint the whole  
or any part of this alert in any other medium excluding electronic medium,  
please e-mail [email protected] for permission.  
  
Disclaimer:  
  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There are  
NO warranties with regard to this information. In no event shall the author  
be liable for any damages whatsoever arising out of or in connection with  
the use or spread of this information. Any use of this information is at the  
user's own risk.  
  
Please send suggestions, updates, and comments to:  
  
eEye Digital Security Team  
  
[email protected]  
www.eEye.com  
  
