{PRL} Novell Iprint LPD Remote Code Execution Vulnerability

{PRL}

#####################################################################################

Application:   Novell Iprint LPD Remote Code Execution Vulnerability

Platforms:   Linux

Exploitation:   Remote code execution

CVE Number:   CVE-2010-4328

Novell TID: 7007858.

ZDI: ZDI-11-087

{PRL}:   2011-01

Author:   Francis Provencher (Protek Research Lab's)

Blog:   http://www.protekresearchlab.com/

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code

#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts.

The company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare;

identity, security, and systems management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse.

Novell was instrumental in making the Utah Valley a focus for technology and software development.

Novell technology contributed to the emergence of local area networks, which displaced the dominant mainframe computing

model and changed computing worldwide. Today, a primary focus of the company is on developing open source software

for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline
============================

2010-12-01 - Vulnerability reported to vendor
2011-02-16 - Coordinated public release of advisory

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Server.

Authentication is not required to exploit this vulnerability.

The flaw exists within the '/opt/novell/iprint/bin/ipsmd' component this component communicates with

'ilprsrvd' which listens on TCP port 515. When handling multiple LPR opcodes the process blindly copies user supplied data

into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code

under the context of the iprint user.

#####################################################################################

===========
4) POC
===========

Here

#####################################################################################