Vulnerability Identifier: CAN-2005-1984
Discovery Date: Aug 9, 2005
Risk: Critical
Vulnerability Assessment Pattern File: 031
Affected Software:
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based Systems
  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 1
  • Windows XP Service Pack 2
Description:

This security advisory covers a newly discovered vulnerability in the print spooler. The print spooler service is the file SPOOLSV.EXE, which is installed as a service: it is started when the operating system (OS) boots and terminated when the OS shuts down. The service manages the printing process, including tasks such as locating the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the service passes the job to the print router. For more information on the print spooler service, you may visit this site.

The vulnerability exists because the print spooler service does not check the length of an incoming message before copying it into a fixed-size buffer. A specially crafted message can therefore overflow that buffer, and the overflow can be exploited to execute arbitrary code.

Once exploited, this remote code execution vulnerability could allow a malicious user or malware to take complete control of the affected system. In practice, however, exploitation attempts are more likely to result in a denial of service condition.

The malicious user or malware can execute code on the system, giving them the ability to install or run programs and view or edit data with full privileges. This vulnerability could therefore be used by malware for replication purposes.

This vulnerability can be exploited by a remote malicious attacker or by malware in the following scenarios:

  • Internet/Network-based attack scenario:

    In a network-based attack scenario, the target computer needs to have a shared printer. The attacker or malware can then create a specially crafted message and send it to the affected system. The message could cause the affected system to execute code on operating system versions and configurations that are vulnerable to remote attack vectors. By default, Windows 2000 and Windows XP Service Pack 1 are vulnerable remotely. A remote attack vector cannot be created on Windows XP SP2 or on Windows Server 2003 unless a user who has the appropriate permission shares a printer or tries to connect to a shared printer.

  • Local machine attack scenario:

    The user would have to log on locally with the proper credentials and run a specially crafted application in order to exploit this vulnerability.


Patch Information:

Patches for this vulnerability are available at the following links:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Microsoft Windows Server 2003

Microsoft Windows Server 2003 for Itanium-based Systems


Workaround Fixes:

  • Disabling the Print Spooler service

    The Print Spooler service can be disabled by performing the following steps:

    1. Click Start>Settings>Control Panel.
    2. Double-click Administrative Tools.
    3. In Administrative Tools, double-click Services.
    4. In Services, double-click Print Spooler.
    5. In the Startup type list, click Disabled.
    6. Click Stop, and then click OK.

    Alternatively, the Print Spooler service can be stopped and disabled by entering the following command at the Command Prompt (the space after "start=" is required by sc):

    sc stop Spooler & sc config Spooler start= disabled
    

    Impact of Workaround: Disabling the Print Spooler service also prevents the system from printing locally or remotely. This workaround is only recommended for systems that do not require printing.

  • Removing the Print Spooler service from the NullSessionPipes registry value

    1. Open Registry Editor: click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, locate the following registry key:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    3. In the right panel, open the NullSessionPipes value (a multi-string value) and delete the following entry from its list:
       SPOOLSS
    4. Restart your computer.

    Impact of Workaround: Anonymous (null-session) connections to the Print Spooler service are no longer accepted. Authenticated printing continues to work.
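An added PowerShell script, not part of the original advisory, that audits a host for the two workarounds above (Print Spooler running or set to start automatically; SPOOLSS present in NullSessionPipes) and optionally applies them. It assumes an elevated PowerShell session on a Windows host; the -Remediate switch is defined by this script only.

```powershell
# Added example, not from the advisory: audit and optionally apply the two
# CAN-2005-1984 workarounds. Assumes an elevated PowerShell session;
# -Remediate is a switch defined here, not a built-in option.
[CmdletBinding()]
param([switch]$Remediate)

# Registry location of the NullSessionPipes multi-string value (from the advisory).
$ParamKey  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'NullSessionPipes'

# --- Check 1: Print Spooler service state and start mode --------------------
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if ($null -eq $svc) {
    Write-Output 'Print Spooler service is not installed.'
} else {
    Write-Output ("Spooler: state={0} startmode={1}" -f $svc.State, $svc.StartMode)
    if ($Remediate -and $svc.StartMode -ne 'Disabled') {
        # Same effect as the advisory's: sc stop Spooler & sc config Spooler start= disabled
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Output 'Spooler stopped and set to Disabled (printing is now unavailable).'
    }
}

# --- Check 2: anonymous (null-session) access to the SPOOLSS pipe -----------
# GetValue returns the string[] stored in the value, or the default (@()) if absent.
$pipes = @([Microsoft.Win32.Registry]::GetValue($ParamKey, $ValueName, @()))
if ($pipes -contains 'SPOOLSS') {          # -contains is case-insensitive
    Write-Output "SPOOLSS is listed in $ValueName (anonymous connections allowed)."
    if ($Remediate) {
        # Keep every other pipe name; only the spooler entry is removed.
        $kept = [string[]]@($pipes | Where-Object { $_ -ne 'SPOOLSS' })
        [Microsoft.Win32.Registry]::SetValue($ParamKey, $ValueName, $kept,
            [Microsoft.Win32.RegistryValueKind]::MultiString)
        Write-Output 'SPOOLSS removed from NullSessionPipes; restart for the change to take effect.'
    }
} else {
    Write-Output "SPOOLSS is not listed in $ValueName."
}
```

Run without -Remediate to report only; with -Remediate it applies both workarounds, so the printing impact described above applies.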