Microsoft Windows Print Spooler service buffer overflow (MSRPC_Srvsvc_Netname_Bo)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects specially crafted responses from Microsoft Server Service operations (15). Malicious constructs in the net name values can lead to a buffer overflow and code execution.


Default risk level

High risk vulnerability  High

Sensors that have this signature

IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2400, IBM Security Server Protection for Windows: 2.0.300.2400, Proventia Network IDS: XPU 29.060, Proventia-G 1.1 and earlier: XPU 29.060, Proventia Network MFS: XPU 29.060, RealSecure Server Sensor: XPU 29.060, RealSecure Network: XPU 29.060, Proventia Network IPS: XPU 29.060, Proventia Desktop: 2400, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 29.060

Systems affected

Microsoft Windows 2000: SP4

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the EnumeratePrintShares function when validating the length of the printer server's response. By connecting to the print spooler service, a remote attacker could send a specially-crafted RPC request to overflow a buffer and execute arbitrary code on the system with SYSTEM privileges or cause the application to crash.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS09-022. See References.

References

Microsoft Security Bulletin MS09-022
Vulnerabilities in the Windows Print Spooler Could Allow Remote Code Execution (961501)
http://www.microsoft.com/technet/security/bulletin/ms09-022.mspx

iDefense PUBLIC ADVISORY: 06.09.09
Microsoft Windows 2000 Print Spooler Remote Stack Buffer Overflow Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=806

NORTEL BULLETIN ID: 2009009558, Rev 1
Nortel Response to Microsoft Security Bulletin MS09-022
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=932810&poid=

ISS X-Force
Microsoft Windows Print Spooler service buffer overflow
http://www.iss.net/security_center/static/50763.php

CVE
CVE-2009-0228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0228