Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects a SPOOLSS request for GetDocPrinter containing a malformed filename.
Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: False positives can occur because the request may, on rare occasions, be normal traffic.
High
Proventia Network IPS: XPU 30.090, Proventia Desktop: 2560, RealSecure Server Sensor: XPU 30.090, RealSecure Network: XPU 30.090, Proventia Network IDS: XPU 30.090, Proventia-G 1.1 and earlier: XPU 30.090, Proventia Network MFS: XPU 30.090, IBM Security Server Protection for Windows: 2.1.14.2560, Proventia Server IPS for Linux technology: 30.090, Virtual Server Protection for VMware: XPU 30.090
Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium
Unauthorized Access Attempt
Microsoft Windows could allow a remote attacker to execute arbitrary code on the system because the Print Spooler service fails to restrict user permissions to access print spoolers. By sending a specially crafted print request to a vulnerable machine whose Print Spooler interface is exposed over RPC, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS10-061. See References.
Microsoft Security Bulletin MS10-061
Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
Offensive Security Exploit Database [02-11-2011]
Microsoft Print Spooler Service Impersonation Vulnerability
http://www.exploit-db.com/exploits/16361/
ISS X-Force
Microsoft Windows Print Spooler service code execution
http://www.iss.net/security_center/static/61503.php
CVE
CVE-2010-2729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729