Remote transmission of data when printing locally

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 11/09/02


Date:         Sat, 9 Nov 2002 07:06:27 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Sent on behalf of an anonymous poster.

---- Begin Original Message ----

Hello Russ,

This email is in regard to a potential bug we identified recently within our NT environment. Our company has numerous sites across the globe and local printers/printer servers at each location. In addition, our employees travel quite often and install local printers at each location. We've consistently tracked active data connections and transmission of data to remote print servers while printing locally.

Example: Joe travels to Toronto, San Francisco, and Boston. At each location Joe installs a local network printer. Since Joe travels constantly and is a typical end user, he does not uninstall printers upon leaving a remote site. At the end of the month Joe now has three printers installed, one for each location. Joe returns back to San Francisco and needs to print. While printing locally to an SF printer an active data connection is opened to both Toronto and Boston. Additionally, each time Joe prints locally packets are sent to the remote print servers.

We first started investigating this incident based on a magnified instance of the above scenario. Two users were generating upwards of 60MB daily to remote locations. Although the 60MB was the extreme circumstance, our testing does show roughly a 3 to 1 packet ratio during local printing, i.e. 3 packets sent to the local printer and 1 packet sent to EACH remote print server. Each time we print locally an active TCP connection is built to remote print servers. The active connection was confirmed using netstat.

What we did for testing and escalation:
Our test environment consisted of two laptops, one hub, and we utilized our existing corporate network/print servers for testing.
        * Printer servers: Win2k Server SP2 - Win2k and PS drivers used in testing.
        * Laptop: Win2k Pro SP2
        * hub: generic used so we can sniff packets
        * 2nd laptop: ethereal & tcp dump sniffer
        * Corporate Infrastructure: Cisco Catalyst 6500's and 3600 routers. We monitored IP accounting on applicable interfaces.

We conducted a multitude of tests, but we will highlight one specific test for this email. The test outlined below was conducted with multiple Microsoft engineers. From the primary laptop we installed three printers, one local (San Francisco), and two remote (Boston & Toronto).
        * Printer installation: Installed via UNC printer share (\\printserver\printershare).
        * Started Ethereal packet sniffer, set buffer to 10MB
        * Turned IP accounting on for Toronto & Boston Frame interfaces
        * Sent local print job 500k

Observation:

Active data connections built to each print server, only initiated when print job is kicked off. Packets sent to each print server, roughly 3 to 1 ratio. This was not just initial data being sent to the print servers. We continued to print several times and each time more data was sent to remote servers.
        * Ethereal logged packets to all three print servers. The packet types were netbios-ssn & SMB. Microsoft figured they were browser requests, but that was shot down after looking at the sniffer dumps. SYN - ACK packets were found.
        * IP accounting confirmed data being sent to remote locations. The number of packets sent helped to determine the ratio of roughly 3 to 1.

Escalation:

        * We had been working with several Microsoft engineers, performing multiple tests with them, all of which produced similar results as noted above. Although Microsoft confirmed that network traffic was generated to the multiple print servers during local printing, they concluded that this is a browsing feature within the Windows Operating System. However, we feel this is more a bug within the OS and needs to be addressed immediately as this could potentially cause high and unnecessary WAN utilization, especially for companies with a large user base that travels extensively. We are also extremely interested to know if other companies have experienced similar findings. In the meantime, we have submitted a DCR (Design Change Request) to Microsoft for their next release.

P.S. If you do publish this, we prefer that you do not mention our company name. Thanks.

---- End Original Message ----

Of most interest to me is what is in this traffic. It would seem to suggest there is information leakage at least, and possibly authentication leakage opportunities.

Cheers,
Russ - NTBugtraq Editor
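The measurement the poster describes (sniffer on a hub, packets counted per print server, SMB sessions to remote servers flagged) can be automated over tcpdump summary lines. The following is an added example, not code from the original post or from Microsoft; the client address, the site range and the three print-server addresses are hypothetical, and the capture lines are constructed to reproduce the reported 3 to 1 ratio.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical addresses: the SF client, its site range, and three print servers
# (one local, two remote). netbios-ssn (139) and direct-hosted SMB (445).
CLIENT = "10.10.7.44"
LOCAL_SITE = ipaddress.ip_network("10.10.0.0/16")
PRINT_SERVERS = {"10.10.5.20": "SF", "10.20.5.20": "Toronto", "10.30.5.20": "Boston"}
SMB_PORTS = {139, 445}

# Constructed tcpdump-style summary lines, as seen from the sniffer laptop on the hub.
SAMPLE = """\
12:00:01.100 IP 10.10.7.44.1041 > 10.10.5.20.139: S 1:1(0) win 16384
12:00:01.102 IP 10.10.7.44.1041 > 10.10.5.20.139: . ack 1 win 17520
12:00:01.150 IP 10.10.7.44.1042 > 10.20.5.20.139: S 1:1(0) win 16384
12:00:01.151 IP 10.10.7.44.1043 > 10.30.5.20.139: S 1:1(0) win 16384
12:00:01.200 IP 10.10.7.44.1041 > 10.10.5.20.139: P 1:73(72) ack 1 win 17520
12:00:01.210 IP 10.10.7.44.1041 > 10.10.5.20.139: P 73:1533(1460) ack 1 win 17520
12:00:01.220 IP 10.10.7.44.1042 > 10.20.5.20.139: P 1:73(72) ack 1 win 17520
12:00:01.230 IP 10.10.7.44.1043 > 10.30.5.20.139: P 1:73(72) ack 1 win 17520
12:00:01.240 IP 10.10.7.44.1041 > 10.10.5.20.139: P 1533:2993(1460) ack 1 win 17520
12:00:01.250 IP 10.10.7.44.1041 > 10.10.5.20.139: P 2993:4453(1460) ack 1 win 17520
"""

LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")

def parse(text):
    """Yield (src_ip, dst_ip, dst_port, tcp_flags) for each tcpdump summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4)), m.group(5)

def smb_packets_per_server(text, client=CLIENT, servers=PRINT_SERVERS):
    """Count client-to-server SMB packets, keyed by print-server name (the IP accounting view)."""
    counts = Counter()
    for src, dst, port, _ in parse(text):
        if src == client and port in SMB_PORTS and dst in servers:
            counts[servers[dst]] += 1
    return counts

def remote_sessions(text, client=CLIENT, servers=PRINT_SERVERS):
    """Print servers outside the local site that received a SYN from the client (new TCP sessions)."""
    names = set()
    for src, dst, port, flags in parse(text):
        if src == client and port in SMB_PORTS and dst in servers and flags == "S":
            if ipaddress.ip_address(dst) not in LOCAL_SITE:
                names.add(servers[dst])
    return sorted(names)

def ratio_to_remote(counts, local="SF"):
    """Packets sent to the local print server per packet sent to each remote one."""
    return {name: counts[local] / n for name, n in counts.items() if name != local}
```

Run against a real capture, a remote server appearing in `remote_sessions` during a purely local print job is the condition the poster reports, and the ratio gives the WAN cost per print.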