[11393] in bugtraq


Re: Possible Windows 9x Shared Printers Security Hole

daemon@ATHENA.MIT.EDU (x-empt [ lvhc / lou ])
Tue Aug 17 19:45:34 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:  <37B8C176.40EE6B2A@urban-a.net>
Date:         Mon, 16 Aug 1999 18:57:10 -0700
Reply-To: "x-empt [ lvhc / lou ]" <lvhc@URBAN-A.NET>
From: "x-empt [ lvhc / lou ]" <lvhc@URBAN-A.NET>
X-To:         Luis Martin-Santos <webmaster@PRAETORIANS.NET>,
              BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

This is not only on Windows 95.  I believe it occurs on all Win32s.

It is known and there have been previous messages about this subject and
shared files which are readable.

	Try: \\win9xserver\PRINTER$

Currently, I have READ access to my x:\windows\system\ directory on my
Windows 98 box in this share... "oops"

Please read:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-10-29&msg=CB6657D3A5E0D111A97700805FFE65875D79CA@RED-MSG-51

For more information.

x-empt


Luis Martin-Santos wrote:
>
>   Hi to all the community!
>
>   First of all, this is my first Post to the bugtraq, and
> wish it is not the last one. Let's see the possible hole.
>
>   I was running some Windows 95 OSR2.1 Machines on a local
> network when I decided to share the NEC Pinwriter printer
> in PC1. I Checked on "Allow other users to share my
> printers" and reset so the changes took effect.
>
> After all the process done, I tried to install the shared
> printer in the PC2 and, to my surprise, I found that the
> drivers from the Printer were DOWNLOADED from PC1. This
> can allow a Print Server to execute Arbitrary Code on any
> machine.
>
>  Since .DRV and .DLL are binary files with integrated
> Printer API Calls, a malicious user has only to wrap the
> Print call in the DLL and insert his/her code instead of
> the original one. Note that no user restrictions are used
> on w9x, so that code could execute any kind of service or
> program. Even a Visual Basic DLL could exploit this
> vulnerability.
>
>     Well, I have contributed with my part. Hope you all
> find either a way to install a printer remotely on W95/98
> or a way to fix this problem :))
>
>     Bye
>
>     webmaster@praetorians.net
