Published: 15/09/2010 Updated: 26/02/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 990
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when printer sharing is enabled, does not properly validate spooler access permissions, which allows remote malicious users to create files in a system directory, and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010, aka "Print Spooler Service Impersonation Vulnerability."

##
# $Id: ms10_061_spoolss.rb 11766 2011-02-17 19:22:11Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# metasploit.com/framework/
##

require 'msf/core'
requi ...

Nmap Scripts


Tests whether target machines are vulnerable to the MS10-061 Print Spooler impersonation vulnerability.

nmap -p 445 <target> --script=smb-vuln-ms10-061

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Metasploit Modules

MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes to a directory used by Windows Management Instrumentation (WMI) to deploy applications. This directory (Wbem\Mof) is periodically scanned and any new .mof files are processed automatically. This is the same technique employed by the Stuxnet code found in the wild.

msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > show targets
msf exploit(ms10_061_spoolss) > set TARGET <target-id>
msf exploit(ms10_061_spoolss) > show options
      ...show and set options...
msf exploit(ms10_061_spoolss) > exploit
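The file-write behaviour described in the module text above (the spooler creating files relative to %SystemRoot%\system32, with traversal and full paths honoured, and .mof files in Wbem\Mof being compiled automatically) is what a detection rule for this bug should key on. The following is an added example, not code from the page or from Metasploit; the SYSTEM_ROOT value, the event dictionary schema and the sample events are constructed assumptions.

```python
import ntpath

# Assumed system root for the constructed events. The spooler's working
# directory during StartDocPrinter is %SystemRoot%\system32 (see the page).
SYSTEM_ROOT = r"C:\Windows"
SPOOLER_CWD = ntpath.join(SYSTEM_ROOT, "system32")
SPOOL_DIR = ntpath.join(SPOOLER_CWD, "spool")       # legitimate spool job files
MOF_DIR = ntpath.join(SPOOLER_CWD, "wbem", "mof")   # auto-compiled .mof drop dir

def resolve_spooler_path(name):
    """Resolve a requested file name as the spooler would: relative names
    (including ..\\ traversal) are taken from system32, absolute paths win."""
    return ntpath.normcase(ntpath.normpath(ntpath.join(SPOOLER_CWD, name)))

def _under(path, directory):
    d = ntpath.normcase(ntpath.normpath(directory))
    return path == d or path.startswith(d + "\\")

def classify(event):
    """Severity for one file-create event {'process': ..., 'path': ...}.
    The event schema is constructed for this example, not a real log format."""
    if event["process"].lower() != "spoolsv.exe":
        return "ignore"
    path = resolve_spooler_path(event["path"])
    if _under(path, SPOOL_DIR):
        return "ok"         # normal spool output
    if _under(path, MOF_DIR) and path.endswith(".mof"):
        return "critical"   # the MS10-061 / Stuxnet code-execution drop
    return "suspicious"     # spooler creating files anywhere else

def alerts(events):
    """(severity, resolved path) for every non-benign spooler file create."""
    return [(classify(e), resolve_spooler_path(e["path"]))
            for e in events if classify(e) in ("suspicious", "critical")]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"process": "spoolsv.exe", "path": r"spool\PRINTERS\00007.SPL"},
    {"process": "spoolsv.exe", "path": r"wbem\mof\update.mof"},
    {"process": "spoolsv.exe", "path": r"..\system32\wbem\mof\x.mof"},
    {"process": "spoolsv.exe", "path": r"C:\Windows\system32\svc.exe"},
    {"process": "explorer.exe", "path": r"wbem\mof\legit.mof"},
]
```

Feed it file-create events attributed to spoolsv.exe (e.g. from Sysmon or an EDR) and alert on any result other than "ok"; the traversal case shows why the path must be resolved relative to system32 before matching.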


Recent Articles

Kaspersky Security Bulletin 2010. Statistics, 2010
Securelist • Alexander Gostev, Yury Namestnikov • 17 Feb 2011

This section of the report forms part of Kaspersky Security Bulletin 2010 and is based on data obtained and processed using the Kaspersky Security Network (KSN). KSN integrates cloud-based technologies into personal and corporate products and is one of Kaspersky Lab’s most important innovations.
KSN assists Kaspersky Lab’s experts to swiftly detect new malware in real-time, when no corresponding signature or heuristic detection exists for these threats. KSN helps identify sources of ma...