CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
99.3%
Novell iPrint Client version older than 5.44 is installed on the remote host. Such versions are reportedly affected by multiple remote code execution vulnerabilities:
A buffer overflow was discovered in how iPrint client handles the ‘call-back-url’ parameter value for a ‘op-client-interface-version’ operation where the ‘result-type’ parameter is set to ‘url’.
An uninitialized pointer vulnerability in ienipp.ocx was discovered and allows an attacker to exploit an issue where the uninitialized pointer is called and the process jumps to an address space controllable by the attacker.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(48407);
script_version("1.18");
script_cvs_date("Date: 2018/11/15 20:50:27");
script_cve_id("CVE-2010-1527", "CVE-2010-3105");
script_bugtraq_id(42576);
script_xref(name:"Secunia", value:"40805");
script_name(english:"Novell iPrint Client < 5.44 Multiple Vulnerabilities");
script_summary(english:"Checks version of Novell iPrint Client");
script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by multiple
vulnerabilities.");
script_set_attribute(attribute:"description", value:
"Novell iPrint Client version older than 5.44 is installed on the
remote host. Such versions are reportedly affected by multiple remote
code execution vulnerabilities:
- A buffer overflow was discovered in how iPrint client
handles the 'call-back-url' parameter value for a
'op-client-interface-version' operation where the
'result-type' parameter is set to 'url'.
- An uninitialized pointer vulnerability in ienipp.ocx
was discovered and allows an attacker to exploit an
issue where the uninitialized pointer is called and
the process jumps to an address space controllable
by the attacker.");
script_set_attribute(attribute:"see_also", value:"http://dvlabs.tippingpoint.com/advisory/TPTI-10-08");
script_set_attribute(attribute:"see_also",value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2010-104/");
script_set_attribute(attribute:"see_also",value:"http://download.novell.com/Download?buildid=H-2-uHNc5-A~");
script_set_attribute(attribute:"see_also",value:"https://support.microfocus.com/kb/doc.php?id=7006679");
script_set_attribute(attribute:"solution", value:
"Upgrade to Novell iPrint Client 5.44 or later.
Note that there is no fix available for Novell iPrint Client 4.x
branch so users should consider upgrading to 5.44 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Novell iPrint Client ActiveX Control call-back-url Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/19");
script_set_attribute(attribute:"patch_publication_date", value:"2010/08/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/08/23");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:iprint");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");
get_kb_item_or_exit("SMB/Registry/Enumerated");
winroot = hotfix_get_systemroot();
if (!winroot) exit(1, "The 'SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/SystemRoot' KB item is missing.");
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:winroot);
dll = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\nipplib.dll", string:winroot);
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL,share);
}
fh = CreateFile(file:dll,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (isnull(fh))
{
NetUseDel();
exit(0, "The file '"+winroot+"\System32\nipplib.dll' does not exist.");
}
ver = GetFileVersion(handle:fh);
CloseFile(handle:fh);
NetUseDel();
# Check the version number.
if (!isnull(ver))
{
# Version that is not vulnerable.
fixed_version_ui = "5.44";
version = ver[0] + "." + ver[1] + ver[2];
if (ver_compare(ver:ver, fix:'5.4.4.0') == -1)
{
if (report_verbosity > 0)
{
report =
'\n File : ' + winroot + "\System32\nipplib.dll" +
'\n Installed version : ' + version +
'\n Fixed version : ' + fixed_version_ui + '\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
else exit(0, ""+(share-'$')+":"+dll+"' version "+version+" is installed and hence not vulnerable.");
}
else exit(1, "Can't get the file version of '"+(share-'$')+":"+dll+"'.");
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1527
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3105
download.novell.com/Download?buildid=H-2-uHNc5-A~
dvlabs.tippingpoint.com/advisory/TPTI-10-08
secuniaresearch.flexerasoftware.com/secunia_research/2010-104/
support.microfocus.com/kb/doc.php?id=7006679