RE: Windows NT 4.0 Print Spooler Security

From: Thor@HammerofGod.com
To: Matthew.van.Eerde@hbinc.com, shartmann@fujifilmesys.com, genius28@gmx.de, focus-ms@securityfocus.com
Date: Fri, 05 Apr 2002 08:35:35 -0800


At 08:17 AM 4/5/2002, Matthew.van.Eerde@hbinc.com wrote:
>In my understanding
>C:\Winnt\system32\spool
>is not shared - rather,
>C:\winnt\system32\spool\drivers
>is print$.
>Therefore getting access to the print job spool files is nontrivial - you
>would need administrative access to the print server to get in through
>admin$ or c$, or you would have to log on to the server locally. (Please tell me
>your servers are physically secured.)

He already stated that it was admin access... I was clarifying that
'advanced' techniques (such as sniffing, console access, etc.) were not
needed. Simple copy and paste methods will provide the functionality he is
trying to stop. Even non-admin access would be available if the attacker
could do a bit of programming, but at that point it does indeed become more
advanced.

>The print queue is not built by copying files from the client to the server.
>Rather, the server builds the spool file based on a TCP/IP conversation with
>the client.

That is not what I was saying-- on the server itself, the client job is
spooled to a file called x.sp_ with an accompanying x.shd shadow file in
the \system32\spool\printers directory. That file, once created on the
server, can just be copied like any other file... Copy, paste, done. You
know what I mean?

AD