Bugtraq mailing list archives

Re: Windows (me) printer sharing vulnerability


From: Robert Graham <bugtraq () NETWORKICE COM>
Date: Thu, 26 Oct 2000 21:36:35 -0700

From: Pedram Amini
On a side note, is it well known that one can browse through SYSTEM folders
simply by connecting to the PRINTER$ share?

Yes.

The PRINTER$ issue has been known for a long time. As you've identified,
Microsoft put it there in order to make it easier for people to share
printers.

The ".." traversal problem you searched for did indeed exist in older
Windows 95 and was fixed around 1998. However, it would have taken a little
longer for you to find it. The Windows CLIENT canonicalizes outgoing paths.
In order to force a \\example\PRINTER$\..\color style path, you need a
client that won't canonicalize this to \\example\color. One such client is
the SAMBA program "smbclient". You can use "smbclient" to attack older Win95
machines that have "File and Printer Sharing" enabled and read (but not
write) any file from their drive.
FYI: http://www.networkice.com/advice/intrusions/2000503/


However, what you are describing can certainly be extended into a more
aggressive attack, especially within corporate environments or on cable/DSL
segments. Let's take cable for example. Increasingly, most cable providers
filter port 139 from the outside world, which stops this funny business, but
do not filter it within the local environment. You can usually get to File
and Print Sharing on your neighbor's machines; and you can often do it using
NetBEUI and IPX as well as over TCP/IP.

Therefore, simply install a Windows machine that is sharing a printer, and
trojan the printer driver that will automatically be installed should they
ever attempt to print to your computer.

The next step would be trying to convince people to print to your machine.
This can be tough. One way is to passively listen to broadcasts on your
local segment and see what other printers are being advertised. This has
long been a problem on cable-modem segments where people come home one day
and find that some joker has printed through all the paper on their printer
with completely black pages that eat up toner. Printers are shared a lot.
If you listen for such broadcasts, you can "hijack" them and start
broadcasting your printer with the same name. Eventually, somebody is going
to accidentally go to your printer thinking that they are printing on their
local one, load your trojan drivers, and voila.

Rob.
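The ".." traversal Rob describes, as an added example that is not part of the original post or of any Microsoft or Samba code: a small model of the UNC path handling on both ends. It shows why a Windows client never triggers the bug (it canonicalizes \\example\PRINTER$\..\color to \\example\color before sending), why a client that sends segments as-is (smbclient) reaches a file outside the share on a server that trusts them, and the containment check a server needs so that the client's behaviour no longer matters. The share table (PRINTER$ rooted at a SYSTEM directory, with an assumed drive letter and path) is constructed for the example; no real SMB traffic is involved.

```python
"""Added example, not code from the original post: a model of the '..'
traversal against the PRINTER$ share, with the client-side canonicalization
that hides it from a Windows client and the server-side containment check
that stops it regardless of which client is used.

Everything here is hypothetical: the share table below is constructed for the
example (the post says PRINTER$ exposes the SYSTEM folder; the drive letter
and directory are assumed), and nothing talks to a real server.
"""
import ntpath
from typing import List, Optional, Tuple

# Constructed share table: share name -> directory the share is rooted at.
SHARE_ROOTS = {"PRINTER$": "C:\\WINDOWS\\SYSTEM"}


def split_unc(path: str) -> Tuple[str, str, List[str]]:
    """Split \\\\host\\share\\a\\b into (host, share, ['a', 'b']).

    Segments are passed through untouched, '..' included, because that is the
    shape a client such as smbclient can put on the wire.
    """
    if not path.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % path)
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC path needs a host and a share: %r" % path)
    host, share, rest = parts[0], parts[1], parts[2:]
    return host, share, [p for p in rest if p not in ("", ".")]


def client_canonicalize(path: str) -> str:
    """What the post says the Windows CLIENT does before sending a path:
    collapse '.' and '..' locally. A '..' directly under the share consumes
    the share name, so \\\\example\\PRINTER$\\..\\color is sent as
    \\\\example\\color and the server never sees a traversal."""
    host, share, rest = split_unc(path)
    stack = [share]
    for seg in rest:
        if seg == "..":
            if stack:
                stack.pop()
        else:
            stack.append(seg)
    return "\\\\" + "\\".join([host] + stack)


def vulnerable_resolve(share: str, segments: List[str]) -> Optional[str]:
    """Server that trusts the segments as sent (the pre-fix behaviour the post
    attributes to old Windows 95): joins them under the share root and lets
    the filesystem interpret '..'. Returns the path that would be opened."""
    root = SHARE_ROOTS.get(share)
    if root is None:
        return None
    return ntpath.normpath(ntpath.join(root, *segments))


def hardened_resolve(share: str, segments: List[str]) -> Optional[str]:
    """Same join, then a containment check: the normalized result must be the
    share root itself or lie below it. A '..' escape, an absolute segment such
    as '\\boot.ini', or a drive-relative 'D:' segment all fail the check."""
    root = SHARE_ROOTS.get(share)
    if root is None:
        return None
    root_n = ntpath.normcase(ntpath.normpath(root))
    full = ntpath.normpath(ntpath.join(root, *segments))
    full_n = ntpath.normcase(full)
    if full_n != root_n and not full_n.startswith(root_n + "\\"):
        return None
    return full


if __name__ == "__main__":
    raw = "\\\\example\\PRINTER$\\..\\color"
    print("windows client would send :", client_canonicalize(raw))
    _, share, segs = split_unc(raw)            # what smbclient sends as-is
    print("old server resolves it to :", vulnerable_resolve(share, segs))
    print("hardened server answers   :", hardened_resolve(share, segs))
```

The containment check compares normalized, case-folded paths rather than looking for a literal "..", which is the general fix: it also refuses absolute and drive-relative segments that a traversal-only filter would miss, and it does not depend on what the client chose to send.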

