[11381] in bugtraq
Possible Windows 9x Shared Printers Security Hole
daemon@ATHENA.MIT.EDU (Luis Martin-Santos)
Mon Aug 16 21:20:37 1999
Message-Id: <19990815153927.10687.qmail@securityfocus.com>
Date: Sun, 15 Aug 1999 15:39:27 -0000
Reply-To: Luis Martin-Santos <webmaster@PRAETORIANS.NET>
From: Luis Martin-Santos <webmaster@PRAETORIANS.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi to all the comunity!
First of all , this is my first Post to the bugtraq , and
wish it is not the last one. Let4s see the possible hole.
I was running some Windows 95 OSR2.1 Machines on a local
network when I decided to share the NEC Pinwriter printer
in PC1. I Checked on "Allow other users to share my
printers" and reseted to the changes took part.
After all the process done , I tried to install the shared
printer in the PC2 and , for my surprise , I found that the
drivers from the Printer where DOWNLOADED from PC1 . This
can allow a Print Server to execute Arbitrary Code on any
machine.
Since .DRV and .DLL are binary files with integrated
Printer API Calls , malicious user has only to wrap the
Print call in the DLL and insert his/her code instead of
the original one . Note that no user restrictions are used
on w9x , so that code could execute any kind of service or
program . Even a Visual Basic DLL could exploit this
vulnerability.
Well , I have contributed with my part . Hope you all
find either a way to install a printer remotely on W95/98
or a way to fix this problem :))
Bye
webmaster@praetorians.net
