Bugtraq mailing list archives
Re: Possible Windows 9x Shared Printers Security Hole
From: lvhc () URBAN-A NET (x-empt [ lvhc / lou ])
Date: Mon, 16 Aug 1999 18:57:10 -0700
This is not only on Windows 95. I believe it occurs on all Win32s.
It is known and there have been previous messages about this subject and
shared files which are readable.
Try: \\win9xserver\PRINTER$
Currently, I have READ access to my x:\windows\system\ directory on my
Windows 98 box in this share... "oops"
Please read:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-10-29&msg=http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-10-29&msg=CB6657D3A5E0D111A97700805FFE65875D79CA@RED-MSG-51
For more information.
x-empt
Luis Martin-Santos wrote:
Hi to all the comunity!
First of all , this is my first Post to the bugtraq , and
wish it is not the last one. Let´s see the possible hole.
I was running some Windows 95 OSR2.1 Machines on a local
network when I decided to share the NEC Pinwriter printer
in PC1. I Checked on "Allow other users to share my
printers" and reseted to the changes took part.
After all the process done , I tried to install the shared
printer in the PC2 and , for my surprise , I found that the
drivers from the Printer where DOWNLOADED from PC1 . This
can allow a Print Server to execute Arbitrary Code on any
machine.
Since .DRV and .DLL are binary files with integrated
Printer API Calls , malicious user has only to wrap the
Print call in the DLL and insert his/her code instead of
the original one . Note that no user restrictions are used
on w9x , so that code could execute any kind of service or
program . Even a Visual Basic DLL could exploit this
vulnerability.
Well , I have contributed with my part . Hope you all
find either a way to install a printer remotely on W95/98
or a way to fix this problem :))
Bye
webmaster () praetorians net
Current thread:
- Re: DOS against SuSE's identd, (continued)
- Re: DOS against SuSE's identd Danton Nunes (Aug 16)
- Re: DOS against SuSE's identd Volker Wiegand (Aug 17)
- Re: DOS against SuSE's identd Alan Brown (Aug 16)
- AOL Buffer Overflow??? Robert Graham (Aug 16)
- Re: DOS against SuSE's identd Seth R Arnold (Aug 17)
- Re: DOS against SuSE's identd Danton Nunes (Aug 16)
- Mandrake 6.0 .Xauthority Elmer Joandi (Aug 15)
- IE5 ACL protected pages viewable from cache by unauthorized user J.Kent Robinson (Aug 15)
- Re: IE5 ACL protected pages viewable from cache by unauthorized user David Schwartz (Aug 16)
- Possible Windows 9x Shared Printers Security Hole Luis Martin-Santos (Aug 15)
- Re-release: Microsoft Security Bulletin (MS99-029) Aleph One (Aug 16)
- Re: Possible Windows 9x Shared Printers Security Hole x-empt [ lvhc / lou ] (Aug 16)
