All,

I have a customer who is developing some printer driver code to allow custom driver settings (n-up, booklet, duplex etc.) to be saved up to the server to be retrieved by other users. The data is being written by a printer driver (using the logged-on user's authentication) to a registry key (HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\{Driver Name}\{Custom Key}\Subkey).

The question is, what are the security risks of allowing users to write to this key? The data is string data, in the form of delimited numeric values. This data is then retrieved by capable printer drivers and interpreted.

The risks as I see it are twofold:

(1) The risks of a compromise to the server using this registry key. I think this is unlikely as the server itself does not use this data, only client PCs do. Unless someone knows a way to travel out of a hive up the registry bypassing the permissions set using regedt32.

(2) The risks of a compromise to the client (far more likely). This would probably be by a malformed or extremely long string in the key value, which would presumably lead to either DoS or system compromise by buffer overflow on the client system.

Does anyone else have any thoughts on this?

Richard Bartlett
Hacker Immunity Ltd
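For risk (2), the client-side mitigation is to treat the stored value as untrusted input and parse it with hard bounds. The following is an added example, not code from the original post or the customer's driver; the comma delimiter, the size and field-count caps, and the name parse_driver_settings are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SETTING_BYTES 256  /* assumed cap on the stored string */
#define MAX_FIELDS        16   /* assumed number of numeric settings */
#define FIELD_DELIM       ','  /* assumed delimiter; the post does not name one */

/* Parse `len` untrusted bytes (as returned by a registry read, possibly
 * without a terminating NUL) into at most MAX_FIELDS values in
 * [0, max_value]. Returns the field count, or -1 on any malformed input. */
int parse_driver_settings(const char *buf, size_t len,
                          long max_value, long out[MAX_FIELDS])
{
    char tmp[MAX_SETTING_BYTES + 1];
    const char *nul;
    char *p, *end;
    size_t n;
    int count = 0;

    if (buf == NULL || len == 0 || len > MAX_SETTING_BYTES)
        return -1;                       /* reject oversized data before copying */
    nul = memchr(buf, '\0', len);        /* never read past the reported length */
    n = nul ? (size_t)(nul - buf) : len;
    memcpy(tmp, buf, n);
    tmp[n] = '\0';                       /* guarantee termination locally */
    for (p = tmp;;) {
        long v;
        if (count == MAX_FIELDS || *p < '0' || *p > '9')
            return -1;                   /* too many fields, sign, space, or empty field */
        errno = 0;
        v = strtol(p, &end, 10);
        if (errno == ERANGE || v > max_value)
            return -1;                   /* numeric overflow or out-of-range setting */
        out[count++] = v;
        if (*end == '\0') return count;
        if (*end != FIELD_DELIM) return -1;
        p = end + 1;
    }
}

int main(void)
{
    long out[MAX_FIELDS];
    const char sample[] = "2,1,0";       /* constructed sample value */
    printf("%d\n", parse_driver_settings(sample, sizeof sample - 1, 100, out));
    return 0;
}
```

Any -1 result should make the driver fall back to its built-in defaults rather than use a partially parsed set of values.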
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 10:19:07 PDT