Re: Printer Spooler Service Internet Access

Please do NOT add the IP to your list of trusted sites!

http://www.securiteam.com/windowsntfocus/5CP0I00GKW.html

Affected Software:
* Microsoft Windows 2000 Service Pack 4 - Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2 - Download the update
* Microsoft Windows Server 2003 - Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems - Download the
update

Non-Affected Software:
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)

CVE Information:
Print Spooler Vulnerability - CAN-2005-1984

Mitigating Factors for Print Spooler Vulnerability - CAN-2005-1984:
* On Windows XP Service Pack 2 and Windows Server 2003, this
vulnerability is restricted to authenticated users. Additionally, in
order for this issue to create a remote attack vector on these
operating system versions, a local user who has appropriate permissions
must first share a printer or try to connect to a shared printer. If no
user with appropriate permissions has shared a printer or tries to
connect to a shared printer, an attacker would have to have valid logon
credentials and must be able to log on locally to exploit this
vulnerability.
* On Windows XP Service Pack 2 and Windows Server 2003, this issue
would result in a denial of service condition. On Windows XP Service
Pack 2 and Windows Server 2003, this issue cannot be exploited for
remote code execution or for elevation of privilege.
On other operating system versions, attacks attempting to exploit this
vulnerability would most likely result in a denial of service
condition. However, remote code execution could be possible.
* Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed.

Workarounds for Print Spooler Vulnerability - CAN-2005-1984:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is
identified in the following section.

* Disable the Print Spooler service
Disabling the Print Spooler service will help protect the affected
system from attempts to exploit this vulnerability. To disable the
Print Spooler service, follow these steps:
1. Click Start, and then click Control Panel. Alternatively, point to
Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-click Services.
4. Double-click Print Spooler.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.
You can also stop and disable the Print Spooler service by using the
following command at the command prompt:
sc stop Spooler & sc config Spooler start= disabled
Impact of Workaround: If you disable the Print Spooler service, you
cannot print locally or remotely. Therefore, we recommend this
workaround only on systems that do not require printing.
* On Windows 2000 Server Service Pack 4 remove the Print Spooler
service from the NullSessionPipes registry key:
Affected operating systems that are earlier than Windows 2000 Server
Service Pack 4 allow anonymous connections to the affected service. To
help prevent attempts to exploit this vulnerability by anonymous
attackers, remove the Print Spooler Service from the NullSessionPipes
subkey. This workaround will not prevent attacks from authenticated
users. Use this workaround only if you cannot disable the Printer
Spooler service.
Note: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft
cannot guarantee that problems resulting from the incorrect use of
Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to modify the registry, view the "Change Keys
And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add
and Delete Information in the Registry" and "Edit Registry Data" Help
topics in Regedt32.exe.
Note: We recommend backing up the registry before you modify it.

1. Click Start, click Run, type "regedt32" (without the quotation
marks), and then click OK.
2. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
3. Edit the registry key and remove the SPOOLSS value.
4. Restart the affected system after performing these actions.
Impact of Workaround: Anonymous connections to the Print Spooler
service will not be allowed. This is the default configuration of later
operating system versions.

FAQ for Print Spooler Vulnerability - CAN-2005-1984:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights. However, attempts to exploit this vulnerability could most
likely result in a denial of service condition.

What causes the vulnerability?
An unchecked buffer in the Print Spooler service.

What is Print Spooler service?
The Print Spooler service, Spoolsv.exe, is an executable file that is
installed as a service. The spooler is loaded when the operating system
starts, and it continues to run until the operating system is shut down.
The Print Spooler service manages the printing process, which includes
such tasks as retrieving the location of the correct printer driver,
loading that driver, spooling high-level function calls into a print
job, and scheduling print jobs. When the tasks for a particular print
job are complete, the Print Spooler service passes the job to the print
router. For more information about the Print Spooler service, visit the
following Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability for remote
code execution could take complete control of the affected system. On
Windows XP Service Pack 2 and Windows Server 2003 this issue would
result in a denial of service condition. On other operating system
versions, attempts to exploit this vulnerability would most likely
result in a denial of service condition. However, remote code execution
could be possible.

Who could exploit the vulnerability?
On Windows 2000 and Windows XP Service Pack 1, any anonymous user who
could deliver a specially crafted message to the affected system could
try to exploit this vulnerability. On Windows XP Service Pack 2 and
Windows Server 2003, this vulnerability is restricted to authenticated
users. An authenticated attacker may also be able to log on locally to
a system and attempt to exploit this vulnerability on all affected
operating system versions.

How could an attacker exploit the vulnerability?
An attacker could try to remotely exploit the vulnerability by creating
a specially crafted message and sending the message to an affected
system. The message could then cause the affected system to execute
code on operating system versions and configurations that were
vulnerable to remote attack vectors. By default, Windows 2000 and
Windows XP Service Pack 1 are vulnerable remotely. A remote attack
vector cannot be created on Windows XP SP2 or on Windows Server 2003
unless a user who has appropriate permission shares a printer or tries
to connect to a shared printer.

To locally exploit this vulnerability on all operating system versions,
an attacker would first have to log on to the system. An attacker could
then run a specially-crafted application that could exploit the
vulnerability.

What systems are primarily at risk from the vulnerability?
Windows 2000 and Windows XP Service Pack 1 are primarily at risk from
this vulnerability. Windows XP Service Pack 2 and Windows Server 2003
systems are at a reduced risk because of the additional mitigating
factors that exist on these operating system versions. However, systems
configured as Printer Servers are especially at risk to this
vulnerability.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. End users can visit the Protect Your PC Web site. IT
professionals can visit the Security Guidance Center Web site.

What does the update do?
The update removes the vulnerability by modifying the way that Print
Spooler service validates the length of a message before it passes the
message to the allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any
reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not
seen any examples of proof of concept code published when this security
bulletin was originally issued.


--
renderofveils
------------------------------------------------------------------------
renderofveils's Profile: http://forums.techarena.in/member.php?userid=10250
View this thread: http://forums.techarena.in/showthread.php?t=346078
India Forum - http://forums.techarena.in
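To check which of the two workarounds quoted above is actually in place on a host, here is an added PowerShell audit script; it is not part of the bulletin or of the post. It assumes PowerShell 3.0 or later and, for the removal function, an elevated prompt and the restart the bulletin calls for; the service name, registry path and SPOOLSS value are taken from the workaround text.

```powershell
# Added audit helper; not from the bulletin or the forum post.
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt for the
# removal function. Names below come from the workaround text above.
$PipesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SpoolerPosture {
    # Service state and startup type (workaround 1 check)
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    # NullSessionPipes is a REG_MULTI_SZ; a missing value yields $null
    $pipes = (Get-ItemProperty -Path $PipesKey -Name NullSessionPipes `
              -ErrorAction SilentlyContinue).NullSessionPipes
    [pscustomobject]@{
        Status           = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartMode        = if ($cim) { $cim.StartMode } else { 'NotInstalled' }
        NullSessionPipes = @($pipes)
        # -contains is case-insensitive, so "spoolss" is caught as well
        SpoolssAnonymous = [bool](@($pipes) -contains 'SPOOLSS')
    }
}

function Remove-SpoolssNullSessionPipe {
    # Workaround 2 from the bulletin: drop SPOOLSS from NullSessionPipes.
    # Other entries are kept; the bulletin's restart is still required.
    $pipes = @((Get-ItemProperty -Path $PipesKey -Name NullSessionPipes).NullSessionPipes)
    $kept  = @($pipes | Where-Object { $_ -ne 'SPOOLSS' })
    Set-ItemProperty -Path $PipesKey -Name NullSessionPipes -Value $kept -Type MultiString
    return $kept
}

$posture = Get-SpoolerPosture
$posture | Format-List
if ($posture.StartMode -eq 'Disabled' -and $posture.Status -ne 'Running') {
    'Workaround 1 in place: Print Spooler is stopped and disabled.'
} elseif ($posture.SpoolssAnonymous) {
    'SPOOLSS is listed in NullSessionPipes: anonymous connections to the ' +
    'spooler pipe are allowed. Run Remove-SpoolssNullSessionPipe (workaround 2) ' +
    'and restart, or disable the service.'
} else {
    'Print Spooler runs, but SPOOLSS is not exposed to null sessions.'
}
```

On Windows XP SP2 and later the value is absent by default, which the script reports as the last branch; on the Windows 2000 SP4 systems the bulletin targets it will usually show the second one until the value is edited.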