Vulnerability in Print Spooler Service Allows Remote Code Execution (MS05-043)
Thursday, 11 August 2005
Summary
A remote code execution vulnerability exists in the Printer Spooler service that allows an attacker who successfully exploited this vulnerability to take complete control of the affected system.
Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS05-043.mspx
Details
Affected Software:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 for Itanium-based Systems
Non-Affected Software:
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
CVE Information:
Print Spooler Vulnerability - CAN-2005-1984
Mitigating Factors for Print Spooler Vulnerability - CAN-2005-1984:
* On Windows XP Service Pack 2 and Windows Server 2003, this vulnerability is restricted to authenticated users. Additionally, in order for this issue to create a remote attack vector on these operating system versions, a local user who has appropriate permissions must first share a printer or try to connect to a shared printer. If no user with appropriate permissions has shared a printer or tries to connect to a shared printer, an attacker would have to have valid logon credentials and must be able to log on locally to exploit this vulnerability.
* On Windows XP Service Pack 2 and Windows Server 2003, this issue would result in a denial of service condition. On Windows XP Service Pack 2 and Windows Server 2003, this issue cannot be exploited for remote code execution or for elevation of privilege. On other operating system versions, attacks attempting to exploit this vulnerability would most likely result in a denial of service condition. However, remote code execution could be possible.
* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Workarounds for Print Spooler Vulnerability - CAN-2005-1984:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Disable the Print Spooler service
Disabling the Print Spooler service will help protect the affected system from attempts to exploit this vulnerability. To disable the Print Spooler service, follow these steps:
1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-click Services.
4. Double-click Print Spooler.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.
You can also stop and disable the Print Spooler service by using the following command at the command prompt:
sc stop Spooler & sc config Spooler start= disabled
Impact of Workaround: If you disable the Print Spooler service, you cannot print locally or remotely. Therefore, we recommend this workaround only on systems that do not require printing.
* On Windows 2000 Server Service Pack 4, remove the Print Spooler service from the NullSessionPipes registry key:
Affected operating systems that are earlier than Windows 2000 Server Service Pack 4 allow anonymous connections to the affected service. To help prevent attempts to exploit this vulnerability by anonymous attackers, remove the Print Spooler service from the NullSessionPipes subkey. This workaround will not prevent attacks from authenticated users. Use this workaround only if you cannot disable the Print Spooler service.
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to modify the registry, view the "Change Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Note: We recommend backing up the registry before you modify it.
1. Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
2. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
3. Edit the registry key and remove the SPOOLSS value.
4. Restart the affected system after performing these actions.
Impact of Workaround: Anonymous connections to the Print Spooler service will not be allowed. This is the default configuration of later operating system versions.
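The two workarounds above, as an added audit script that is not part of the Microsoft bulletin: it reports whether the Print Spooler service is stopped and disabled, and whether SPOOLSS is still listed in the NullSessionPipes value, optionally removing that entry. It assumes PowerShell is available on the host being checked, that it runs with administrative rights, and the -Apply switch is this script's own convention.

```powershell
# Added audit script for the MS05-043 workarounds (not Microsoft's code).
# Assumes PowerShell with the standard Get-CimInstance / Get-ItemProperty /
# Set-ItemProperty cmdlets and local administrator rights.
# Without -Apply the script only reports; with -Apply it removes SPOOLSS
# from NullSessionPipes (the second workaround in the bulletin).
param([switch]$Apply)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Workaround 1: the Print Spooler service should be stopped and disabled.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if ($null -eq $svc) {
    Write-Output 'Spooler service not found on this host'
} else {
    Write-Output ("Spooler: state={0} startmode={1}" -f $svc.State, $svc.StartMode)
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') {
        Write-Output 'Workaround 1 applied: Print Spooler is stopped and disabled'
    } else {
        Write-Output 'Workaround 1 NOT applied: Print Spooler is still enabled or running'
    }
}

# Workaround 2: SPOOLSS should not appear in NullSessionPipes (REG_MULTI_SZ),
# otherwise anonymous (null session) clients can reach the spooler pipe.
$pipes = @()
$item = Get-ItemProperty -Path $regPath -Name NullSessionPipes -ErrorAction SilentlyContinue
if ($null -ne $item) { $pipes = @($item.NullSessionPipes) }

if ($pipes -contains 'SPOOLSS') {
    Write-Output 'Workaround 2 NOT applied: SPOOLSS is listed in NullSessionPipes'
    if ($Apply) {
        # Keep every other pipe name; -ne on an array filters case-insensitively.
        [string[]]$newPipes = @($pipes | Where-Object { $_ -ne 'SPOOLSS' })
        Set-ItemProperty -Path $regPath -Name NullSessionPipes -Value $newPipes -Type MultiString
        Write-Output 'Removed SPOOLSS from NullSessionPipes; restart the system to apply the change'
    }
} else {
    Write-Output 'Workaround 2 applied: SPOOLSS is not listed in NullSessionPipes'
}
```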
FAQ for Print Spooler Vulnerability - CAN-2005-1984:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, attempts to exploit this vulnerability could most likely result in a denial of service condition.
What causes the vulnerability?
An unchecked buffer in the Print Spooler service.
What is Print Spooler service?
The Print Spooler service, Spoolsv.exe, is an executable file that is installed as a service. The spooler is loaded when the operating system starts, and it continues to run until the operating system is shut down. The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the Print Spooler service passes the job to the print router. For more information about the Print Spooler service, visit the following Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability for remote code execution could take complete control of the affected system. On Windows XP Service Pack 2 and Windows Server 2003, this issue would result in a denial of service condition. On other operating system versions, attempts to exploit this vulnerability would most likely result in a denial of service condition. However, remote code execution could be possible.
Who could exploit the vulnerability?
On Windows 2000 and Windows XP Service Pack 1, any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, this vulnerability is restricted to authenticated users. An authenticated attacker may also be able to log on locally to a system and attempt to exploit this vulnerability on all affected operating system versions.
How could an attacker exploit the vulnerability?
An attacker could try to remotely exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code on operating system versions and configurations that were vulnerable to remote attack vectors. By default, Windows 2000 and Windows XP Service Pack 1 are vulnerable remotely. A remote attack vector cannot be created on Windows XP SP2 or on Windows Server 2003 unless a user who has appropriate permission shares a printer or tries to connect to a shared printer.
To locally exploit this vulnerability on all operating system versions, an attacker would first have to log on to the system. An attacker could then run a specially-crafted application that could exploit the vulnerability.
What systems are primarily at risk from the vulnerability?
Windows 2000 and Windows XP Service Pack 1 are primarily at risk from this vulnerability. Windows XP Service Pack 2 and Windows Server 2003 systems are at a reduced risk because of the additional mitigating factors that exist on these operating system versions. However, systems configured as print servers are especially at risk from this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.
What does the update do?
The update removes the vulnerability by modifying the way that Print Spooler service validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.