SPOOLSS.EXE memory leak

Aleph One (aleph1@DFW.NET)
Mon, 25 Aug 1997 12:51:45 -0500

---------- Forwarded message ----------
Date: Thu, 21 Aug 1997 11:50:51 +0200
From: Holas, Ondřej <OHolas@EXCH.DIGI-TRADE.CZ>
To: NTBUGTRAQ@NTADVICE.COM
Subject: SPOOLSS.EXE memory leak

After connecting to \\server\PIPE\SPOOLSS you can send probably any
amount of data to that pipe. The final effect is a memory leak in
SPOOLSS.EXE. The worst thing is that, by default, this connection can be
initiated over a null session (setting RestrictAnonymous to 1 has no
effect). To disable the attack over a null session, you must remove the
line "SPOOLSS" from
HKLM\System\CCS\Services\LanmanServer\Parameters\NullSessionPipes
(REG_MULTI_SZ), but after that authenticated users can still fill up
the server's memory.

If you want the source of the leaking program and the binary, simply send
mail to oholas@exch.digi-trade.cz and put "SPOOLSS REQUEST" (without
quotation marks) as the message subject.

Ondrej Holas, MCSE, MCT
DIGI TRADE
Prague, Czech Republic
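
A defender-side check for the registry mitigation the post describes, added here as an example and not taken from the original post; it assumes the post's abbreviated HKLM\System\CCS expands to HKLM\SYSTEM\CurrentControlSet and that NullSessionPipes is the REG_MULTI_SZ value the post names.

```powershell
# Added example (not from the original post): audit the NullSessionPipes value
# and, with -Remediate, drop "SPOOLSS" from it so that pipe is no longer
# reachable over a null session. Assumption: "CCS" in the post means
# CurrentControlSet. The post's caveat still holds afterwards: authenticated
# users can still reach the pipe.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'NullSessionPipes'
$pipeName  = 'SPOOLSS'

# REG_MULTI_SZ is returned as a string array; a missing value means no pipes
# are listed for anonymous access.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if (-not $current) {
    Write-Output "$valueName is not set; no pipes are exposed to null sessions."
    return
}

# -contains compares case-insensitively, which matches how the registry value is used.
$exposed = $current -contains $pipeName
Write-Output ("Current {0}: {1}" -f $valueName, ($current -join ', '))
Write-Output ("{0} reachable over null session: {1}" -f $pipeName, $exposed)

if ($exposed -and $Remediate -and $PSCmdlet.ShouldProcess("$keyPath\$valueName", "remove $pipeName")) {
    # Keep every other entry; the cast keeps an empty result a valid multi-string.
    [string[]]$updated = @($current | Where-Object { $_ -ne $pipeName })
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $updated -Type MultiString
    Write-Output "Removed $pipeName; restart the Server service for the change to take effect."
}
```

Run without -Remediate to audit only; add -WhatIf to see the change that -Remediate would make without applying it.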