Vulnerability:Win/PrintSpooler.NetShare.RCE!CVE-2009-0228

Severity rating
Critical

Class/Type
Vulnerability

Discovered date
2009-06-09T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
Yes

Signature detection
Medium





Description

A remote code execution vulnerability exists in the Windows Print Spooler that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.



Impact

An attacker who successfully exploited this vulnerability could run arbitrary code on a user's system with system privileges and take complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts.



Technical details (analysis)

The Print Spooler service is an executable file that is installed as a service. The spooler is loaded when the operating system starts, and it continues to run until the operating system is shut down. The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the Print Spooler service passes the job to the print router. For more information, see the TechNet article, How Network Printing Works.

For remote code execution to occur, an attacker would first need to set up a malicious print server that can be accessed by an affected system. The attacker could then send a specially crafted RPC request to the affected system that would cause the affected system to improperly parse the ShareName on the attacker's print server during enumeration. This would allow the attacker to perform remote code execution on the affected system with system-level privileges.



Affected software

Microsoft Windows 2000 Service Pack 4



Non-affected software

All applications not on the affected list



References




Solutions




NIS signature

Name: Vulnerability:Win/PrintSpooler.NetShare.RCE!CVE-2009-0228
Release Date: 2009-06-09T00:00:00



Known false positives

No known false positives at this time



Work-arounds

Block TCP ports 139 and 445 at the firewall
Disable the Print Spooler service