[5177] in bugtraq


SPOOLSS.EXE memory leak

daemon@ATHENA.MIT.EDU (Aleph One)
Mon Aug 25 14:10:43 1997

Date: 	Mon, 25 Aug 1997 12:51:45 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG

---------- Forwarded message ----------
Date: Thu, 21 Aug 1997 11:50:51 +0200
From: Holas, Ondřej <OHolas@EXCH.DIGI-TRADE.CZ>
To: NTBUGTRAQ@NTADVICE.COM
Subject: SPOOLSS.EXE memory leak

After connecting to \\server\PIPE\SPOOLSS you can probably send any
amount of data to that pipe. The final effect is a memory leak in
SPOOLSS.EXE. The worst thing is that, by default, this connection can be
initiated over a null session (setting RestrictAnonymous to 1 has no
effect). To disable the attack over a null session, you must remove the
line "SPOOLSS" from
HKLM\System\CCS\Services\LanmanServer\Parameters\NullSessionPipes
(REG_MULTI_SZ), but after that authenticated users can still fill up
the server's memory.

If you want the source of the leaking program and a binary, simply send
mail to oholas@exch.digi-trade.cz and put "SPOOLSS REQUEST" (without
quotation marks) as the message subject.

Ondrej Holas, MCSE, MCT
DIGI TRADE
Prague, Czech Republic
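The mitigation in the message above is a registry edit to the REG_MULTI_SZ value NullSessionPipes under the LanmanServer parameters key. The following PowerShell script is an added example, not code from the original post or from its author: it audits that value for the "SPOOLSS" entry and, with a -Remediate switch (a name chosen here), removes only that entry while preserving the others. It assumes the fully spelled-out key path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (the message abbreviates it as HKLM\System\CCS\...) and that it is run with administrative rights on the server. As the message notes, this closes only the anonymous (null-session) path; authenticated users can still exhaust the spooler's memory.

```powershell
# Added example (not from the original post): audit, and optionally fix, the
# NullSessionPipes exposure of the SPOOLSS pipe. Run as Administrator on the
# server. Without -Remediate the script only reports what it finds.
param(
    [switch]$Remediate
)

# Assumed full spelling of the key the message abbreviates as HKLM\System\CCS\...
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Pipe    = 'SPOOLSS'

# REG_MULTI_SZ is returned as a string array. If the value is absent, treat it
# as an empty list so the rest of the script has something to work with.
$current = (Get-ItemProperty -Path $KeyPath -Name NullSessionPipes `
            -ErrorAction SilentlyContinue).NullSessionPipes
if ($null -eq $current) { $current = @() }
$current = @($current)

Write-Host "Current NullSessionPipes: $($current -join ', ')"

# Named-pipe names are case-insensitive on Windows, so compare with -ieq/-ine.
$exposed = $current | Where-Object { $_ -ieq $Pipe }
if (-not $exposed) {
    Write-Host "$Pipe is not listed in NullSessionPipes; anonymous clients cannot open it this way."
    return
}

Write-Warning "$Pipe is listed in NullSessionPipes: anonymous clients can open \\$env:COMPUTERNAME\PIPE\$Pipe."

if ($Remediate) {
    # Keep every other entry untouched; drop only the spooler pipe.
    [string[]]$updated = @($current | Where-Object { $_ -ine $Pipe })
    Set-ItemProperty -Path $KeyPath -Name NullSessionPipes -Value $updated -Type MultiString
    Write-Host "Removed $Pipe. New NullSessionPipes: $($updated -join ', ')"
    Write-Host "Restart the Server service (Restart-Service LanmanServer) or reboot for the change to take effect."
} else {
    Write-Host "Re-run with -Remediate to remove $Pipe from NullSessionPipes."
}
```

Run it once without -Remediate to see the current list, and keep a copy of that output before changing anything: other entries in NullSessionPipes may be required by software on the host, and the script deliberately removes only the single entry named in the message.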
