Hello all,

I'm working on a set of Intrusion Prevention System (IPS) signatures to
detect and block attempts to exploit the recent "Novell Netware Client
Print Provider Buffer Overflow" in nwspool.dll
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5854>. The vulnerable
functions EnumPrinters() and OpenPrinter() get exposed to anonymous users
through the Spooler service's named pipe "spoolss". These vulnerabilities
are exploitable through RPC network requests to the Spooler service.

I have been unable to find the RPC "program number" for the Spooler
service. Does anyone have this handy? Additionally, having the RPC
"procedure numbers" for the EnumPrinters() and OpenPrinter() calls would be
very helpful.

I could also determine these RPC numbers from looking at a packet capture
of a Netware client calling the EnumPrinters() and OpenPrinter() procedures
through the Spooler service. Anyone care to share a packet capture? I do
not have the ability to easily set up a test environment in order to
generate and capture the desired network traffic.

Any help is greatly appreciated. Just trying to protect all you Netware
users out there ;)

Ben Feinstein, CISSP
Security Researcher
SecureWorks, Inc.
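
Added example, not part of the original post and not SecureWorks code: a sketch of the first stage such a signature needs, recognising which DCE/RPC requests on a connection are spooler EnumPrinters/OpenPrinter calls. DCE/RPC names an interface by UUID in the bind PDU and a procedure by opnum in the request PDU; the spooler UUID and opnums below are taken from Microsoft's MS-RPRN specification, not from the post. It assumes the PDUs are already extracted from the SMB named-pipe transport and unfragmented, the sample PDUs are constructed, and it only identifies the calls without judging whether their arguments are malicious.

```python
import struct
import uuid

# MS-RPRN spooler interface (version 1.0), reached through the "spoolss" pipe
SPOOLSS_UUID = uuid.UUID("12345678-1234-abcd-ef00-0123456789ab")
SPOOLSS_OPNUMS = {0: "RpcEnumPrinters", 1: "RpcOpenPrinter"}
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # transfer syntax
PTYPE_REQUEST, PTYPE_BIND = 0, 11

def inspect_pdu(pdu, bound_ctx):
    """Return the spoolss call name carried by one DCE/RPC v5 PDU, or None.
    bound_ctx: per-connection set of context ids bound to spoolss."""
    if len(pdu) < 24 or pdu[0] != 5:
        return None
    end = "<" if pdu[4] & 0xF0 == 0x10 else ">"  # drep gives integer byte order
    if pdu[2] == PTYPE_BIND and len(pdu) >= 28:
        off = 28  # first presentation context element
        for _ in range(pdu[24]):
            if off + 24 > len(pdu):
                break  # truncated element list
            ctx_id, n_syn = struct.unpack_from(end + "HB", pdu, off)
            raw = pdu[off + 4:off + 20]  # abstract syntax (interface) UUID
            iface = uuid.UUID(bytes_le=raw) if end == "<" else uuid.UUID(bytes=raw)
            if iface == SPOOLSS_UUID:
                bound_ctx.add(ctx_id)
            off += 24 + 20 * n_syn  # skip version and transfer syntaxes
    elif pdu[2] == PTYPE_REQUEST:
        ctx_id, opnum = struct.unpack_from(end + "HH", pdu, 20)
        if ctx_id in bound_ctx:
            return SPOOLSS_OPNUMS.get(opnum)
    return None

# --- constructed sample PDUs (little-endian), not captured traffic ---
def _pdu(ptype, body):
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0", 16 + len(body), 0, 1)
    return hdr + body

def sample_bind(ctx_id, iface=SPOOLSS_UUID):
    elem = struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<HH", 1, 0)
    elem += NDR_UUID.bytes_le + struct.pack("<I", 2)
    return _pdu(PTYPE_BIND, struct.pack("<HHIB3x", 4280, 4280, 0, 1) + elem)

def sample_request(ctx_id, opnum, stub=b"\0" * 8):
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub)

if __name__ == "__main__":
    ctx = set()
    for p in (sample_bind(0), sample_request(0, 1), sample_request(0, 0)):
        print(inspect_pdu(p, ctx))
```

The stub data that follows the 24-byte request header holds the marshalled call arguments, which is where a length or content check for the overflow itself would go.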