MS10-061 is one of the four vulnerabilities exploited by the Stuxnet worm. The vulnerability lies in the Windows Print Spooler service: by sending a crafted print request over RPC, a remote user can execute arbitrary code on the system with the privileges of the service.
The vulnerability stems from the RpcStartDocPrinter (Opnum 17) function.
Its DOC_INFO_CONTAINER structure contains a pDocInfo1 pointer to a DOC_INFO_1 structure, whose relevant member is:
pOutputFile: an optional pointer to a string that specifies the name of an output file. Because the file name and extension supplied in pOutputFile are not validated at all, the file written can be of any type, including an executable. Once the RpcWritePrinter (Opnum 19) procedure is then called, the job data is written to that output file.
So, by combining RpcStartDocPrinter and RpcWritePrinter, a remote user can write a file with arbitrary content onto the vulnerable system (the spooler's working directory is %SystemRoot%\system32).
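As an added example (not code from the original post or from Microsoft's spooler), the following Python shows the kind of validation the text describes as missing for pOutputFile: the caller-supplied name is confined to a single file inside a spool directory and to an allowlist of print-output extensions. The directory and the extension list are assumptions chosen for illustration.

```python
import ntpath
from typing import Optional

# Assumed directory the spooler may write output files into (not from the original post).
ALLOWED_SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"

# Assumed allowlist of output types a print job may legitimately produce.
# An allowlist is preferred over a denylist of executable extensions, which is easy to miss entries in.
ALLOWED_EXTENSIONS = {".prn", ".ps", ".pcl", ".txt"}


def validate_output_file(p_output_file: Optional[str]) -> Optional[str]:
    """Return the safe absolute path for a pOutputFile value, or None if it must be rejected.

    Rejects empty names, control characters, drive letters and alternate data
    streams (':'), directory traversal, nested paths, and non-allowlisted extensions.
    """
    if not p_output_file:
        return None  # optional field omitted: nothing to write, nothing to validate
    # Windows ignores trailing dots and spaces, so "drop.exe." would become "drop.exe" on disk.
    name = p_output_file.rstrip(". ")
    if not name or ":" in name or any(ord(c) < 0x20 for c in name):
        return None
    base = ntpath.normpath(ALLOWED_SPOOL_DIR)
    # Resolve the name against the spool directory; "..\\" or a root-relative name escapes it.
    candidate = ntpath.normpath(ntpath.join(base, name))
    # pOutputFile must name a single file directly inside the spool directory (case-insensitive).
    if ntpath.normcase(ntpath.dirname(candidate)) != ntpath.normcase(base):
        return None
    if ntpath.normcase(ntpath.splitext(candidate)[1]) not in ALLOWED_EXTENSIONS:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and several that the vulnerable code would accept.
    for sample in ["job1.prn", r"..\..\drop.exe", r"C:\Windows\System32\drop.exe",
                   "drop.exe.", r"sub\file.txt", "report.txt:drop.exe", ""]:
        print(repr(sample), "->", validate_output_file(sample))
```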
The remaining problem for an attacker is how to get the crafted file executed. HD Moore of Metasploit found that the NetrJobAdd (Opnum 0) function of the Task Scheduler is well suited to this task.
Through the AT_INFO structure passed to this function, a remote user can schedule execution of the file previously created in system32.
This vulnerability was fixed in the Microsoft Security Bulletin for September 2010; Windows users should update their systems with the patch.
Le Manh Tung
Senior Security Researcher