
DOE-CIRC TECHNICAL BULLETIN

T-160: Microsoft Windows Print Spooler 'EnumeratePrintShares()' Remote Stack Buffer Overflow Vulnerability

[CVE-2009-0228]

June 12, 2009 13:00 GMT

PROBLEM: Remote exploitation of a stack buffer overflow vulnerability in Windows 2000 print spooler.
PLATFORM: Windows 2000
ABSTRACT: Remote exploitation of a stack buffer overflow vulnerability in Microsoft Corp.'s Windows 2000 operating system could allow an unauthenticated attacker to execute arbitrary code with system-level privileges. This vulnerability exists in the EnumeratePrintShares function in win32spl.dll. The vulnerable function does not correctly validate the length of the printer server's response. When a malformed response is received from the printer server, the stack buffer can be overflowed, resulting in an exploitable condition.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-160.shtml
  OTHER LINKS:
    CVE-2009-0228: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0228
    Security Focus: http://www.securityfocus.com/archive/1/504242/30/0/threaded
    NIST: http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1
    Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx

IMPACT ASSESSMENT: This risk is rated high. Exploitation allows a remote attacker to execute arbitrary code with system-level privileges.

[***** Start CVE-2009-0228 *****]

Workaround:
Consider disabling the print spooler service; note, however, that users will then be unable to print either locally or remotely.

For hosts that do need the print spooler service running, disable anonymous (null session) access to the service by removing the print spooler's named pipe from the NullSessionPipes value under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
Remove 'SPOOLSS' from this value. Only authenticated clients will then be able to reach the print spooler service, which closes the anonymous attack vector.

Alternatively, TCP and UDP ports 139, 445 and 631 can be blocked at the firewall. This will largely prevent remote access to any print services on the host.
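The registry workaround above can be audited and applied with the following script, added here as an example and not part of the DOE-CIRC bulletin. It assumes a PowerShell-capable Windows host run with administrative rights and the same LanmanServer registry layout as Windows 2000 (which itself predates PowerShell); the -Remediate switch, backup path and messages are the example's own.

```powershell
# Added example: check whether SPOOLSS is exposed over null sessions via
# NullSessionPipes and, with -Remediate, remove it as the bulletin advises.
# Assumption: run elevated on a host whose LanmanServer key uses this layout.
param(
    [switch]$Remediate,
    [string]$Pipe = 'SPOOLSS'
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'NullSessionPipes'

# NullSessionPipes is REG_MULTI_SZ; PowerShell exposes it as a string array.
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "$valueName is not set under $keyPath; no anonymous pipe list to trim."
    return
}
$pipes = @($item.$valueName)

# Pipe names are matched case-insensitively, as the Server service treats them.
$exposed = $pipes | Where-Object { $_ -ieq $Pipe }
if (-not $exposed) {
    Write-Output "OK: '$Pipe' is not listed in $valueName."
    return
}

Write-Output "FINDING: '$Pipe' is reachable over a null session (listed in $valueName)."
Write-Output "Current entries: $($pipes -join ', ')"

if ($Remediate) {
    # Save the current list first so the change can be reverted if printing breaks.
    $backup = Join-Path $env:TEMP ("NullSessionPipes-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    $pipes | Set-Content -Path $backup

    $remaining = @($pipes | Where-Object { $_ -ine $Pipe })
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $remaining -Type MultiString

    Write-Output "Removed '$Pipe' from $valueName; previous list saved to $backup."
    Write-Output "Restart the Server (LanmanServer) service or reboot for the change to take effect."
}
```

Run without -Remediate first to record which hosts still expose SPOOLSS anonymously; the finding line is what an inventory or SIEM job would collect.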

Solution:
An update is available. Refer to the link below for additional information.

Patch information:

http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx

[***** End CVE-2009-0228 *****]


DOE-CIRC wishes to acknowledge the contributions of Jun Mao of VeriSign iDefense Labs for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788