NT Spooler Subject to Overflows
Reported November 4, 1999 by
eEYE
VERSIONS EFFECTED
  • Microsoft Windows NT 4.0 Workstation, Server, Terminal Server (all service packs)

DESCRIPTION

The eEye Digital Security Team has discovered a problem with Windows NT"s print spooler service. According to the information provided by eEYE:

"It was a typical day in eEye land... the beer was cold, the day was long, the exploit... well the exploit was a joke started by a client. "The day you guys can hack my network via it"s printer is the day I call it quits." A joke at first... the ability to remotely and locally compromise an NT network via a printer. What started off as a joke was going to turn into reality. Ten or so minutes after taking a look at the NT printer service we had already found a way to compromise any Windows NT Server or Workstation that had a printer attached to it or the ability to print to a network printer.

The Windows NT Spooler service (Spoolss.exe), (used for various printing activities), contains a number of security holes that allow for data overflows. These vulnerabilities are evident when someone passes data to various spooler service API"s and spoolss.exe does not check the size of the receiving buffer to make sure it can hold the incoming data. The API, explained in more detail below, can only be exploited locally. However, some of the overflows could be exploited remotely."

DEMONSTRATION

First thing to note about the API in question is that it can only be executed if you are a "Power User". So for this example, if you were to write exploit code for this API overflow you could only elevate your access from a Power User to SYSTEM level. Which is still a very bad thing. However, as explained earlier, there are other places where the spooler service overflows and cases that do not require you to be at the power user level.

----spoolss.c----
#include <windows.h>
int main()
\{
  char bigbuffer\[3000\];
  int i;
  strcpy(bigbuffer,"\\\\");
    for(i=0;i<2000;i++)
       strcat(bigbuffer,"A");
  AddPrintProcessor(NULL,NULL,bigbuffer,bigbuffer);
  return(0);
\}
----spoolss.c----

In this example, the overflow is in AddPrintProcessor. When "bigbuffer" is passed to the spooler service, it tries to stuff 2000 instances of the character "A" into a buffer that cannot handle an amount of data that size and therefore overflows. Also you will notice when it overflows that EIP is 00410041. This is because the bytes have been changed into wide byte (Unicode) format. Do not be deceived by this... it is still exploitable. :-\]

There exists another vulnerability in the spooler service that allows any local user to load their own dll"s and have them executed by the spooler service with SYSTEM level access therefore allowing any local user to gain total control of the local machine.

The vulnerability is in AddPrintProvidor(). Microsoft has a very good description in their advisory of what a print provider is and why the vulnerability exists and other detailed information. So instead of regurgitating that information we will give you detailed information on exploiting the hole and an example exploit including source.

Samples available here
http://www.eeye.com/html/Advisories/spoolsploit.zip
or here
http://www.ntsecurity.net/security/tools/spoolsploit.zip

A brief word about w00giving:

w00giving is being put on by none other then the security team w00w00. w00giving is a joint effort of various security groups and individuals who are going to be releasing advisories,exploits and tools through out November and into December. eEye is participating in w00giving so over the next few weeks of November we plan to release either an advisory or tool once a week. This printer advisory is our first offering and we hope you enjoy it.

VENDOR RESPONSE

Fixes are available from Microsoft for Intel and Alpha. A Terminal Server patch will be released shortly. Be sure to read Support Online article Q243649 (not yet available as of 1pm CST on Nov. 4.)

CREDITS
Reported by
eEYE
Posted here at NTSecurity.NET on November 4, 1999