VULNERABILITY NOTE
CERT-In Vulnerability Note CIVN-2009-73
Multiple Vulnerabilities in Windows Print Spooler

Original Issue Date: June 11, 2009

Severity Rating: High

Systems Affected

  • Windows 2000 SP4
  • Windows XP SP2 and Windows XP SP3
  • Windows XP Professional x64 Edition SP2
  • Windows Server 2003 SP2
  • Windows Server 2003 x64 Edition SP2
  • Windows Server 2003 for Itanium-based Systems with SP2
  • Windows Vista SP2 and prior
  • Windows Vista x64 Edition SP2 and prior
  • Windows Server 2008 for 32-bit Systems SP2 and prior (including server core)
  • Windows Server 2008 for x64-based Systems SP2 and prior (including server core)
  • Windows Server 2008 for Itanium-based Systems SP2 and prior

Overview

Multiple vulnerabilities have been reported in the Microsoft Windows Print Spooler service which could allow an attacker to read any file on the local system, execute arbitrary code with the elevated privileges of the service, and take complete control of the affected system.

Description

The Print Spooler service is an executable file that is installed as a service. The spooler is loaded when the operating system starts, and it continues to run until the operating system is shut down. The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the Print Spooler service passes the job to the print router.


1. Buffer Overflow Vulnerability (CVE-2009-0228)

This is a remote code execution vulnerability caused by improper validation of data structures within network requests. The Print Spooler service fails to check the length of data within a request, so the processing of overly long parameters can trigger a buffer overflow. An unauthenticated, remote attacker could exploit this vulnerability by sending the affected system a malicious request containing overly large parameters. The resulting memory corruption could be leveraged to execute arbitrary code with the elevated privileges of the Print Spooler service.

Workarounds

  • Block TCP ports 139 and 445 at the firewall
  • On Microsoft Windows 2000 Server Service Pack 4, remove the Print Spooler service from the NullSessionPipes registry key
  • Disable the Print Spooler service, if not required

For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS09-022.
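The three workarounds above are manual steps in the bulletin. The following PowerShell script is an added example (not part of the CERT-In note or the Microsoft bulletin) that audits a host against all three and, with the `-Apply` switch (an assumption of this script), applies them. It assumes an elevated prompt, that the spooler's named pipe appears as `spoolss` in the `NullSessionPipes` value under `LanmanServer\Parameters`, and that `netsh advfirewall` is available (Windows Vista / Server 2008 and later; Windows XP / Server 2003 use the older `netsh firewall` syntax instead).

```powershell
# Added example: audit and optionally apply the MS09-022 workarounds.
# Run from an elevated PowerShell prompt. Without -Apply it only reports.
param([switch]$Apply)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Print Spooler service: running? start mode? (Win32_Service gives StartMode
#    on old PowerShell versions where Get-Service lacks a StartType property.)
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
if ($svc) {
    "Spooler service: state={0} startmode={1}" -f $svc.State, $svc.StartMode
} else {
    "Spooler service not present"
}

# 2. NullSessionPipes: if 'spoolss' is listed, the spooler pipe can be reached
#    over an anonymous (null) session, which is what the Windows 2000 workaround
#    removes. The value is REG_MULTI_SZ, so it reads back as a string array.
$pipes = @((Get-ItemProperty -Path $lanman -Name NullSessionPipes `
              -ErrorAction SilentlyContinue).NullSessionPipes)
if ($pipes -contains 'spoolss') {
    "NullSessionPipes contains 'spoolss' (anonymous access to the spooler pipe allowed)"
} else {
    "NullSessionPipes does not list 'spoolss'"
}

# 3. Report the inbound firewall rules that mention ports 139/445, so the
#    administrator can see whether SMB is already blocked at the host.
$rules = & netsh advfirewall firewall show rule name=all dir=in
"Inbound firewall rules referencing 139/445:"
$rules | Select-String -Pattern 'LocalPort:\s+(139|445)\b' | ForEach-Object { $_.Line.Trim() }

if (-not $Apply) { return }

# --- Apply the workarounds (each one has side effects; see note below) ---

if ($pipes -contains 'spoolss') {
    $remaining = @($pipes | Where-Object { $_ -ne 'spoolss' })
    Set-ItemProperty -Path $lanman -Name NullSessionPipes -Value $remaining -Type MultiString
    "Removed 'spoolss' from NullSessionPipes (takes effect after the Server service restarts)"
}

# Block inbound SMB at the host firewall (rule names are this script's own).
& netsh advfirewall firewall add rule name="MS09-022 block TCP 139" dir=in action=block protocol=TCP localport=139
& netsh advfirewall firewall add rule name="MS09-022 block TCP 445" dir=in action=block protocol=TCP localport=445

# Stop and disable the Print Spooler service if printing is not required here.
if ($svc -and $svc.State -eq 'Running') { Stop-Service -Name Spooler -Force }
Set-Service -Name Spooler -StartupType Disabled
"Print Spooler stopped and disabled"
```

Blocking TCP 139 and 445 breaks file and print sharing, Group Policy processing and remote administration over SMB; disabling the spooler stops all local and shared printing on the host. Treat the `-Apply` path as a temporary measure until the MS09-022 update is installed, and prefer the audit-only run on print servers.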

2. Print Spooler Read File Vulnerability (CVE-2009-0229)

This is an information disclosure vulnerability that exists due to insufficient security restrictions on printer separator pages. The Print Spooler service does not limit the files that can be specified as a separator page. An authenticated, local attacker with the Manage Printer privilege could exploit this vulnerability by sending a request to the system and specifying any file on the local system as the separator file. As a result, the user could view or print any file on the local system, possibly resulting in the disclosure of sensitive information.

Workaround

  • Disable the Print Spooler service, if not required
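Because this issue is abused by pointing a printer's separator page at an arbitrary file, the configured separator file of every printer is the thing to inspect. The PowerShell function below is an added example (not from the CERT-In note or the Microsoft bulletin): it reads the `SeparatorFile` property that WMI's `Win32_Printer` class exposes and flags any printer whose separator page is not a `.sep` file under the system directory. The "expected location" is this example's own assumption; adjust it if your organisation keeps custom separator pages elsewhere.

```powershell
# Added example: audit printer separator pages on one or more hosts.
# Usage:  Get-SeparatorPageAudit                      (local machine)
#         Get-SeparatorPageAudit -ComputerName PRN01  (remote, needs admin rights)
function Get-SeparatorPageAudit {
    param([string]$ComputerName = '.')

    # Assumption of this script: legitimate separator pages are the .sep files
    # shipped under %SystemRoot%\System32 (e.g. pcl.sep, sysprint.sep).
    $expectedRoot = Join-Path $env:SystemRoot 'System32'

    Get-WmiObject -Class Win32_Printer -ComputerName $ComputerName | ForEach-Object {
        $sep = $_.SeparatorFile
        if (-not $sep) { return }   # no separator page configured: nothing to check

        # Two independent checks: the path must end in .sep AND live in the
        # expected directory. A separator page set to e.g. a SAM backup, a
        # config file or a user's document fails at least one of them.
        $isSepFile   = $sep -match '\.sep$'
        $inSystemDir = $sep -like "$expectedRoot\*"
        $verdict     = if ($isSepFile -and $inSystemDir) { 'ok' } else { 'REVIEW' }

        New-Object PSObject -Property @{
            Computer      = $ComputerName
            Printer       = $_.Name
            Shared        = $_.Shared
            SeparatorFile = $sep
            Verdict       = $verdict
        }
    }
}

Get-SeparatorPageAudit | Sort-Object Verdict -Descending |
    Format-Table Computer, Printer, Shared, Verdict, SeparatorFile -AutoSize
```

Run it against print servers in particular: a shared printer with a separator page outside the expected directory is the configuration an attacker holding the Manage Printer privilege would leave behind, and on a server that file is then printed, and so readable, by anyone who can submit a job to that queue.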

3. Print Spooler Load Library Vulnerability (CVE-2009-0230)

This is an elevation of privilege vulnerability that exists due to improper security restrictions on libraries used by the Print Spooler service. An authenticated, remote attacker could exploit this vulnerability by sending a request designed to load a malicious library onto the targeted system. The attacker may attempt to store the library on the target system or on an accessible network share. When the service loads the library, the service may execute arbitrary code contained in the library.

Successful exploitation of this vulnerability could execute arbitrary code with the same rights as the Windows Print Spooler and take complete control of an affected system.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx

References

SecurityFocus
http://www.securityfocus.com/bid/35208
http://www.securityfocus.com/bid/35209

SecurityTracker
http://www.securitytracker.com/alerts/2009/Jun/1022352.html

Secunia
http://secunia.com/advisories/35365/

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=18415
http://tools.cisco.com/security/center/viewAlert.x?alertId=18416
http://tools.cisco.com/security/center/viewAlert.x?alertId=18417

VUPEN
http://www.vupen.com/english/advisories/2009/1541

CVE Name
CVE-2009-0228
CVE-2009-0229
CVE-2009-0230

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003