Bugtraq mailing list archives
Re: Windows (me) printer sharing vulnerability
From: Robert Graham <bugtraq () NETWORKICE COM>
Date: Thu, 26 Oct 2000 21:36:35 -0700
Pedram Amini wrote:
> On a side note, is it well known that one can browse through SYSTEM folders simply by connecting to the PRINTER$ share?
Yes. The PRINTER$ issue has been known for a long time. As you've identified, Microsoft put it there in order to make it easier for people to share printers. The ".." traversal problem you searched for did indeed exist in older Windows 95 and was fixed around 1998. However, it would have taken a little longer for you to find it. The Windows CLIENT canonicalizes outgoing paths. In order to force a \\example\PRINTER$\..\color style path, you need a client that won't canonicalize this to \\example\color. One such client is the SAMBA program "smbclient". You can use "smbclient" to attack older Win95 machines that have "File and Printer Sharing" enabled and read (but not write) any file from their drive.

FYI: http://www.networkice.com/advice/intrusions/2000503/

However, what you are describing can certainly be extended into a more aggressive attack, especially within corporate environments or on cable/DSL segments. Let's take cable for example. Increasingly, most cable providers filter port 139 from the outside world, which stops this funny business, but do not filter it within the local environment. You can usually get to File and Print Sharing on your neighbor's machines; and you can often do it using NetBEUI and IPX as well as over TCP/IP. Therefore, simply install a Windows machine that is sharing a printer, and trojan the printer driver that will automatically be installed should they ever attempt to print to your computer.

The next step would be trying to convince people to print to your machine. This can be tough. One way is to passively listen to broadcasts on your local segment and see what other printers are being advertised. This has long been a problem on cable-modem segments where people come home one day and find that some joker has printed through all the paper on their printer with completely black pages that eat up toner. Printers are shared a lot.

If you listen for such broadcasts, you can "hijack" them and start broadcasting your printer with the same name. Eventually, somebody is going to accidentally go to your printer thinking that they are printing on their local one, load your trojan drivers, and voila.

Rob.
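The core defensive point in Rob's reply is that the Windows client canonicalizing outgoing paths is no protection at all: a server must canonicalize and bound every client-supplied path itself, because a client such as smbclient can send the raw `..` form. The following is an added illustration, not code from the post, from Microsoft or from Samba. It models a file-server's share table and request log with constructed values (the `SHARE_ROOTS` mapping, the sample client addresses and the paths) and shows the server-side check that would have rejected a `PRINTER$\..\color` request, plus a small audit pass a defender could run over share-access records to spot traversal attempts.

```python
"""Server-side share path canonicalization and a traversal audit (added example)."""
import posixpath

# Constructed share table: share name -> directory it exposes on the server.
# A real server would read this from its configuration; these values are made up.
SHARE_ROOTS = {
    "PRINTER$": "C:/WINDOWS/SYSTEM",
    "PUBLIC": "C:/SHARED",
}


def canonicalize_share_path(share_root, requested):
    """Join a client-supplied share-relative path to the share root, normalize it on
    the SERVER side, and refuse anything that resolves outside the share.

    Returns the canonical path, or None if the request escapes the share root.
    Backslashes are accepted because SMB clients send Windows-style separators.
    """
    root = posixpath.normpath(share_root.replace("\\", "/")).rstrip("/") + "/"
    # SMB paths are relative to the share, so a leading separator carries no meaning.
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(root + rel)
    # Compare case-insensitively: Windows filesystems are case-insensitive, and a
    # case-sensitive prefix check would let "c:/windows/system/../color" slip past.
    # The trailing slash on root stops "C:/SHAREDX/..." matching root "C:/SHARED".
    if candidate.upper() == root.rstrip("/").upper() or candidate.upper().startswith(root.upper()):
        return candidate
    return None


def resolve_request(share, requested):
    """Look up the share and canonicalize the request against it (None if unknown or escaping)."""
    root = SHARE_ROOTS.get(share)
    if root is None:
        return None
    return canonicalize_share_path(root, requested)


# Constructed request records: (client address, share, path exactly as the client sent it).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "PRINTER$", "DRIVERS\\HPLJ.DRV"),          # legitimate driver fetch
    ("10.0.0.9", "PRINTER$", "..\\COLOR\\SOMEFILE.ICM"),    # raw '..' that a canonicalizing client never sends
    ("10.0.0.9", "PRINTER$", "..\\..\\AUTOEXEC.BAT"),       # climbs out of the SYSTEM directory entirely
    ("10.0.0.7", "PUBLIC", ".\\docs\\readme.txt"),          # harmless '.' segment, stays inside the share
]


def audit(requests):
    """Return the (client, share, requested) tuples whose path escapes its share.

    Each flagged record is a client that bypassed client-side canonicalization,
    which is worth alerting on even if the server already rejected the request.
    """
    flagged = []
    for client, share, requested in requests:
        if resolve_request(share, requested) is None:
            flagged.append((client, share, requested))
    return flagged


if __name__ == "__main__":
    for client, share, requested in SAMPLE_REQUESTS:
        print(f"{client:10} {share:9} {requested!r:32} -> {resolve_request(share, requested)}")
    print("flagged:", audit(SAMPLE_REQUESTS))
```

The check deliberately lives in the server, where the share root is known, and never trusts that the client already collapsed `..`; that is the property the 1998-era fix restored and the reason smbclient could still reach unpatched Win95 hosts. In an audit, repeated rejections from one client against `PRINTER$` are a strong signal of deliberate probing rather than a mistyped path.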