Possible Windows 9x Shared Printers Security Hole

[webmaster () PRAETORIANS NET (Luis Martin-Santos)]

  Hi to all the comunity!

  First of all , this is my first Post to the bugtraq , and 
wish it is not the last one. Let´s see the possible hole.

  I was running some Windows 95 OSR2.1 Machines on a local 
network when I decided to share the NEC Pinwriter printer 
in PC1. I Checked on "Allow other users to share my 
printers" and reseted to the changes took part. 

After all the process done , I tried to install the shared 
printer in the PC2 and , for my surprise , I found that the 
drivers from the Printer where DOWNLOADED from PC1 . This 
can allow a Print Server to execute Arbitrary Code on any 
machine.

 Since .DRV and .DLL are binary files with integrated 
Printer API Calls , malicious user has only to wrap the 
Print call in the DLL and insert his/her code instead of 
the original one . Note that no user restrictions are used 
on w9x , so that code could execute any kind of service or 
program . Even a Visual Basic DLL could exploit this 
vulnerability.

    Well , I have contributed with my part . Hope you all 
find either a way to install a printer remotely on W95/98 
or a way to fix this problem :))

    Bye

    webmaster () praetorians net