lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080211192843.26f5bb5e.aluigi@autistici.org>
Date: Mon, 11 Feb 2008 19:28:43 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Format string and DoS in Opium OPI and
	cyanPrintIP servers 4.10.x


#######################################################################

                             Luigi Auriemma

Applications: Opium OPI Server
                http://www.cyansoftware.com/Opium_OPI.htm
              cyanPrintIP Easy OPI
                http://www.cyansoftware.com/cyanPrintIP_Easy_OPI.htm
              cyanPrintIP
                http://www.cyansoftware.com/cyanPrintIP.htm
Versions:     Opium OPI Server <= 4.10.1028
              cyanPrintIP Easy OPI <= 4.10.1030
              cyanPrintIP Professional <= 4.10.1030
              cyanPrintIP Workstation <= 4.10.836
              cyanPrintIP Standard <= 4.10.940
              cyanPrintIP Basic <= 4.10.1030
Platforms:    Windows
Bugs:         A] format string in ReportSysLogEvent
              B] service crash through "Send queue state" commands
Exploitation: remote
Date:         11 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Opium and cyanPrintIP are a family of LPD products for the network
sharing of printers.


#######################################################################

=======
2) Bugs
=======

-------------------------------------
A] format string in ReportSysLogEvent
-------------------------------------

The LPD servers are affected by a format string vulnerability in the
ReportSysLogEvent function used for logging.
The best way for exploiting this vulnerability is through a malformed
queue name which will be used to build a "Print queue" error message
directly passed to vsprintf without the needed format argument.

After the exploitation will be created a dump and the server will be
automatically restarted by the Restart process.


----------------------------------------------------
B] service crash through "Send queue state" commands
----------------------------------------------------

The servers are not able to handle the two "Send queue state" LPD
commands (3 and 4) when received at the beginning of the connection, so
when not expected by it.

The result is the immediate crash/termination of the server which will
be not restarted automatically.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/cyanuro.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ