Bugtraq archives for 3rd quarter (Jul-Sep) 1997: SPOOLSS.EXE memory leak

SPOOLSS.EXE memory leak

Aleph One (aleph1@DFW.NET)
Mon, 25 Aug 1997 12:51:45 -0500

---------- Forwarded message ----------
Date: Thu, 21 Aug 1997 11:50:51 +0200
From: Holas, Ondřej <OHolas@EXCH.DIGI-TRADE.CZ>
To: NTBUGTRAQ@NTADVICE.COM
Subject: SPOOLSS.EXE memory leak

After connecting to \\server\PIPE\SPOOLSS you can probably send any
amount of data to that pipe. The final effect is a memory leak in
SPOOLSS.EXE. The worst thing is that, by default, this connection can be
initiated over a null session (setting RestrictAnonymous to 1 has no
effect). To disable the attack over a null session, you must remove the
line "SPOOLSS" from
HKLM\System\CCS\Services\LanmanServer\Parameters\NullSessionPipes
(REG_MULTI_SZ), but after that authenticated users can still fill up
the server's memory.

If you want the source of the leaking program and the binary, simply send
mail to oholas@exch.digi-trade.cz and put "SPOOLSS REQUEST" (without
quotation marks) as the message subject.

Ondrej Holas, MCSE, MCT
DIGI TRADE
Prague, Czech Republic
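The registry mitigation described in the forwarded post (removing "SPOOLSS" from NullSessionPipes), as an added PowerShell example that is not part of the original message or of any Microsoft tooling. It assumes the post's "CCS" abbreviates CurrentControlSet, that the shell is elevated, and that the Server service re-reads the value on restart.

```powershell
# Added example: audit and, if needed, remove "SPOOLSS" from the NullSessionPipes
# REG_MULTI_SZ so the spooler pipe is no longer reachable over a null session.
# Assumption: the post's HKLM\System\CCS\... is HKLM\SYSTEM\CurrentControlSet\...
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'NullSessionPipes'
$Pipe = 'SPOOLSS'

function Get-NullSessionPipes {
    # REG_MULTI_SZ is returned as a string array; a missing value means no pipes.
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    return @($props.$Name)
}

function Test-SpoolssNullSession {
    # True while the spooler pipe is still listed for anonymous (null-session) access.
    # RestrictAnonymous=1 does not cover this list, as the post notes.
    return @(Get-NullSessionPipes | Where-Object { $_ -ieq $Pipe }).Count -gt 0
}

function Remove-SpoolssNullSession {
    $before = Get-NullSessionPipes
    $after  = @($before | Where-Object { $_ -ine $Pipe })
    if ($after.Count -eq $before.Count) {
        Write-Host "$Pipe is not listed in $Name; nothing to do."
        return
    }
    # Write the filtered list back as REG_MULTI_SZ; an empty list is valid.
    Set-ItemProperty -Path $Key -Name $Name -Type MultiString -Value ([string[]]$after)
    Write-Host "Removed $Pipe from $Name. Remaining entries: $($after -join ', ')"
    Write-Host 'Restart the Server service (Restart-Service LanmanServer) to apply the change.'
}

if (Test-SpoolssNullSession) {
    Write-Host "$Pipe is exposed over null sessions on this host."
    Remove-SpoolssNullSession
} else {
    Write-Host "$Pipe is not exposed over null sessions on this host."
}
```

As the post states, this only closes the anonymous path; authenticated users can still exhaust the spooler's memory, so the change is a partial mitigation and not a fix for the leak itself.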