CVE-2010-2729
Published 2010-09-15
Priority P1 · 81 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 75.64% (99.5th percentile)
The Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when printer sharing is enabled, does not properly validate spooler access permissions, which allows remote attackers to create files in a system directory, and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010, aka "Print Spooler Service Impersonation Vulnerability."
Affected
1 range indexed (the description above lists further affected versions that are not broken out in this table)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Detect DCE/RPC bind requests to the Print Spooler interface UUID 12345678-1234-abcd-EF00-0123456789ab over the \PIPE\spoolss named pipe, especially from remote or unauthenticated sources.
- Alert on new .mof files appearing in %SystemRoot%\system32\wbem\mof\; exploitation drops a crafted .mof file there to achieve code execution via WMI auto-processing.
- Alert on new .exe files written to %SystemRoot%\system32\ via the Print Spooler RPC path (a StartDocPrinter/WritePrinter sequence targeting system32).
- This is the same technique Stuxnet used; correlate with known Stuxnet indicators when investigating Print Spooler exploitation.
- Exploitation requires printer sharing to be enabled on the target; with printer sharing disabled, this remote attack surface is eliminated.
- The Metasploit module's PNAME option targets a specific printer share; if it is not set, the module enumerates all shares via \PIPE\LANMAN, so detection should cover both targeted and enumeration-based attack patterns.
CVSS provenance
- NVD (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-h544-vrh7-5wgw (ghsa_unreviewed, 2022-05-14): CVE-2010-2729 [HIGH], CWE-20. The advisory text is the NVD description above.
VulnCheck
Microsoft Windows Improper Input Validation (vulncheck, 2010, CVSS 9.3): CVE-2010-2729 [CRITICAL]. The advisory text is the NVD description above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?
No detection rules found.
Exploit-DB
Microsoft Windows - Print Spooler Service Impersonation (MS10-061) (Metasploit) (exploitdb, 2011-02-17, CVE-2010-2729)
---
The module header as indexed by Exploit-DB (the `class` line had been mangled by tag stripping and is restored here; the listing is cut off mid-description in the source):

```ruby
##
# $Id: ms10_061_spoolss.rb 11766 2011-02-17 19:22:11Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/windows_error'
require 'msf/core/exploit/wbemexec'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB
  include Msf::Exploit::WbemExec

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Print Spooler Service Impersonation Vulnerability',
      'Description' => %q{
          This module exploits the RPC service impersonation vulnerability detailed in
        Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the
        StartDocPrinter procedure, an attacker can impersona
```
Metasploit
MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability (metasploit)
This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically.
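The following is an added example, not code from this page or from the Metasploit module, that turns the IOC list above and the StartDocPrinter/WritePrinter mechanism just described into runnable detection logic. It scans constructed, Sysmon-style events (field names Image, TargetFilename, SourceIp, InterfaceUuid and PipeName are assumptions modelled on Sysmon Event ID 11 and a generic RPC-bind log) and flags a remote bind to the spoolss interface, a spooler-written .mof in wbem\mof, and a spooler-written .exe in system32, while ignoring normal spool output. Because the exploit can pass `..\` or full paths as the "file name", paths are normalised before comparison.

```python
"""Detection logic for MS10-061 / CVE-2010-2729 style Print Spooler abuse.

Added example (not from the original page or from Metasploit).  Event field
names and the sample events below are constructed assumptions; map them to
your own telemetry before use.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Spooler RPC interface UUID from the IOC list (bound over \PIPE\spoolss).
SPOOLSS_UUID = "12345678-1234-abcd-ef00-0123456789ab"
SYSTEM_ROOT = r"C:\Windows"  # assumption: default install location

# spoolsv.exe legitimately writes spool files here; anything else it writes
# under system32 is suspicious.
LEGIT_SPOOL_DIR = ntpath.normpath(ntpath.join(SYSTEM_ROOT, r"system32\spool\PRINTERS")).lower()
MOF_DIR = ntpath.normpath(ntpath.join(SYSTEM_ROOT, r"system32\wbem\mof")).lower()
SYSTEM32 = ntpath.normpath(ntpath.join(SYSTEM_ROOT, "system32")).lower()


@dataclass
class Alert:
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Collapse directory traversal (the exploit may pass ..\\ or full paths)
    and lower-case so comparisons are Windows-style case-insensitive."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _under(path: str, directory: str) -> bool:
    return path == directory or path.startswith(directory + "\\")


def check_file_create(ev: Dict[str, str]) -> List[Alert]:
    """Rules for a file-creation event attributed to the spooler process."""
    alerts: List[Alert] = []
    image = _norm(ev.get("Image", ""))
    if ntpath.basename(image) != "spoolsv.exe":
        return alerts
    target = _norm(ev.get("TargetFilename", ""))
    if _under(target, LEGIT_SPOOL_DIR):
        return alerts  # normal spool job output, not an IOC
    if _under(target, MOF_DIR) and target.endswith(".mof"):
        alerts.append(Alert("spooler_mof_drop", target))
    elif _under(target, SYSTEM32) and target.endswith(".exe"):
        alerts.append(Alert("spooler_exe_in_system32", target))
    return alerts


def check_rpc_bind(ev: Dict[str, str]) -> List[Alert]:
    """A remote bind to the spoolss interface is the first step of the
    exploit; local binds are everyday printing and are ignored."""
    if ev.get("InterfaceUuid", "").lower() != SPOOLSS_UUID:
        return []
    src = ev.get("SourceIp", "")
    if src in ("127.0.0.1", "::1", ""):
        return []
    return [Alert("remote_spoolss_bind", f"{src} -> {ev.get('PipeName', '?')}")]


def scan(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Run every event through the rule matching its type, in order."""
    out: List[Alert] = []
    for ev in events:
        if ev.get("EventType") == "FileCreate":
            out.extend(check_file_create(ev))
        elif ev.get("EventType") == "RpcBind":
            out.extend(check_rpc_bind(ev))
    return out


# Constructed sample telemetry (not real captures): one remote and one local
# spoolss bind, a normal spool file, a traversal-disguised .mof drop, an .exe
# written into system32, and a .mof written by a non-spooler process.
SAMPLE_EVENTS = [
    {"EventType": "RpcBind", "SourceIp": "10.0.0.7",
     "InterfaceUuid": "12345678-1234-ABCD-EF00-0123456789AB", "PipeName": r"\PIPE\spoolss"},
    {"EventType": "RpcBind", "SourceIp": "127.0.0.1",
     "InterfaceUuid": SPOOLSS_UUID, "PipeName": r"\PIPE\spoolss"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\PRINTERS\00012.SPL"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\..\System32\wbem\mof\pRjKpUg.mof"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\wXyZ.exe"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\wbem\mof\legit.mof"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Run against the constructed events, the scan raises exactly three alerts: the remote bind from 10.0.0.7, the .mof written through a `..\` path into wbem\mof, and the .exe dropped into system32. The local bind, the legitimate .SPL spool file and the .mof written by explorer.exe are not reported, which is the distinction a production rule needs to avoid paging on every print job.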
No writeups or analysis indexed.
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-061
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7358