|Windows Printer Sharing Vulnerability|
One of the new "features" of Windows ME that immediately caught my eye was that
as soon as I got networking up and running it had gone ahead and created
shortcuts to all visible network shares and installed all networked printers
without even hassling me with one "are you sure" dialog. How nice.
At first glance it appeared to be nothing more then an annoyance. Later I came
to thinking that naturally host machines must keep a list of files needed to
install their printer. What if we were to replace one of these files with a
trojan? Or perhaps add a trojan onto this list of files?
After some searching I found this:
Within this key lies a list of installed printers. Within a printers key lies a
binary value named "Dependent Files" which contains a null (00) separated and
double null (00 00) ending list of files that must be transferred to a client in
order for this printer to work for them.
Replacing any of these files or adding files to the list will cause them to be
transferred to a client if they choose to install your printer (or in the case
of Windows ME automatically). Paths are preserved on file transfers. Ex: from
SYSTEM to SYSTEM and from SYSTEM\color to SYSTEM\color. So big deal, you can put
a trojan on the clients machine but how can you execute it? This is the part
that I can't find a solid answer to. To the best of my knowledge files can only
be placed in the SYSTEM folder or its subfolders.
Here are some of the ideas I came up with given this limitation:
(1) Replace an
existing file that runs at startup. The problem with this method is that most
(if not all) files that start automatically with windows are still running and
therefore cannot be overwritten.
(2) Replace a system file that will eventually be run. This can be done and can
be done silently by creating a small wrapper program that contains version
information claiming to be newer then the target binary. However, when will this
file be run? I don't have the patience to wait. Of course this can also be used
as a DoS attack since an attacker can silently overwrite any binary that is not
currently running. The best candidate for replacement I found is the "uninstall"
executable which probably has the highest chance of being run since the annoyed
victim will probably want to remove the printer that ME decided he needed.
(3) Start the trojan through the installation. Not to sure about this one but at
least one printer (notably the Compaq IJ200) displays a small license agreement
window directly after installation. Surely there must be a way to automatically
start something else.
(4) Replace the files necessary for printing. Maybe the user likes your printer
and feels like printing something. The printing monitor executable for example
would have to run on every print, this can be replaced or even wrapped with a
trojan. This in combination with replacing the "uninstall" executable will
probably give you the best chance of success.
After countless attempts at trying to put the trojan in a location other then
the SYSTEM folder I
gave up. If someone figures out a way, do share I'd be very interesting in
hearing the solution.
Here is what I tried: (1) ".." in Dependent Files key. Doesn't work. But did
answer another question of mine. I was wondering earlier in the process how
windows knew to look in SYSTEM and install in SYSTEM. The answer is that it uses
the hidden system share PRINTER$ which points to the system folder. So a
"..\folder" simply refers to \\MACHINE\folder (another share) instead of
\\MACHINE\PRINTER$\..\folder (windows\folder) as I had hoped.
(2) ".." plus a share named "start menu". Long shot, and it didn't work.
(3) Share another folder as PRINTER$ It works on my end, I can refer to files in
my startup folder (I want to copy a file to victims startup folder). However,
the victims PRINTER$ still points to SYSTEM and hence will not copy files into
another directory up the hierarchy.
The easy fix to this problem is disabling the "Automatically search for network
folders and printer" option which can be found under "tools\folder options".