CVE-2010-2729
published 2010-09-15


Priority: P181 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 75.64% (99.5th percentile)
The Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when printer sharing is enabled, does not properly validate spooler access permissions, which allows remote attackers to create files in a system directory, and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010, aka "Print Spooler Service Impersonation Vulnerability."

Affected

1 range
Vendor: microsoft | Product: windows_server_2008 | Version range: (none listed) | Fixed in: (none listed)

Detection & IOCs (extracted from sources)

path: %SystemRoot%\system32\wbem\mof\
path: \PIPE\spoolss
command: RpcStartDocPrinter (opnum 17)
command: RpcWritePrinter (opnum 19)
command: NetrJobAdd RPC call via \PIPE\ATSVC
  • Detect DCE/RPC bind requests to the Print Spooler interface UUID 12345678-1234-abcd-EF00-0123456789ab over the \PIPE\spoolss named pipe, especially from remote/unauthenticated sources.
  • Alert on new .mof files appearing in %SystemRoot%\system32\wbem\mof\ — exploitation drops a crafted .mof file there to achieve code execution via WMI auto-processing.
  • Alert on new .exe files written to %SystemRoot%\system32\ via the Print Spooler RPC path (StartDocPrinter/WritePrinter sequence targeting system32).
  • This technique is the same as the one used by Stuxnet; correlate with known Stuxnet indicators when investigating Print Spooler exploitation.
  • Exploitation requires printer sharing to be enabled on the target; if printer sharing is disabled, the attack surface is eliminated.
  • The PNAME option allows targeting a specific printer share; if it is not specified, the module enumerates all shares via \PIPE\LANMAN. Detection should cover both targeted and enumeration-based attack patterns.

CVSS provenance

nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 · CRITICAL