[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080211192843.26f5bb5e.aluigi@autistici.org>
Date: Mon, 11 Feb 2008 19:28:43 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
packet@...ketstormsecurity.org
Subject: Format string and DoS in Opium OPI and
cyanPrintIP servers 4.10.x
#######################################################################
Luigi Auriemma
Applications: Opium OPI Server
http://www.cyansoftware.com/Opium_OPI.htm
cyanPrintIP Easy OPI
http://www.cyansoftware.com/cyanPrintIP_Easy_OPI.htm
cyanPrintIP
http://www.cyansoftware.com/cyanPrintIP.htm
Versions: Opium OPI Server <= 4.10.1028
cyanPrintIP Easy OPI <= 4.10.1030
cyanPrintIP Professional <= 4.10.1030
cyanPrintIP Workstation <= 4.10.836
cyanPrintIP Standard <= 4.10.940
cyanPrintIP Basic <= 4.10.1030
Platforms: Windows
Bugs: A] format string in ReportSysLogEvent
B] service crash through "Send queue state" commands
Exploitation: remote
Date: 11 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Opium and cyanPrintIP are a family of LPD products for the network
sharing of printers.
#######################################################################
=======
2) Bugs
=======
-------------------------------------
A] format string in ReportSysLogEvent
-------------------------------------
The LPD servers are affected by a format string vulnerability in the
ReportSysLogEvent function used for logging.
The best way for exploiting this vulnerability is through a malformed
queue name which will be used to build a "Print queue" error message
directly passed to vsprintf without the needed format argument.
After the exploitation will be created a dump and the server will be
automatically restarted by the Restart process.
----------------------------------------------------
B] service crash through "Send queue state" commands
----------------------------------------------------
The servers are not able to handle the two "Send queue state" LPD
commands (3 and 4) when received at the beginning of the connection, so
when not expected by it.
The result is the immediate crash/termination of the server which will
be not restarted automatically.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/cyanuro.zip
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists