[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080204223259.9b364f1d.aluigi@autistici.org>
Date: Mon, 4 Feb 2008 22:32:59 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Multiple vulnerabilities in SAPlpd 6.28
#######################################################################
Luigi Auriemma
Application: SAPlpd
http://www.sap.com
Versions: <= 6.28 (included in SAP GUI 7.10)
Platforms: Windows
Bugs: various vulnerabilities
Exploitation: remote
Date: 04 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
SAPlpd is a small and very old (2001) line printer daemon for Windows
which is included in the SAP GUI package.
#######################################################################
=======
2) Bugs
=======
The daemon is affected by various vulnerabilities which, for brevity,
I have decided to list through the lpd commands (in hex) accepted by
the program:
commands type of bug
01 31 memcpy
02 32 memcpy + sprintf "Receive job for printer %s (berkley protocol)\n"
03 04 33 34 sprintf "QUERY = %s\n" + multiple strcpy
05 35 multiple strcpy
53 server termination
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/saplpdz.zip
#######################################################################
======
4) Fix
======
Vendor contacted, a patch will be released soon.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
Powered by blists - more mailing lists