
Novell NetWare Client Print Provider (nwspool.dll) Multiple Function Overflow

This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.

The file ‘nwspool.dll’ included with the Novell Client software reportedly contains a buffer overflow that can be triggered by long arguments to the Win32 ‘EnumPrinters()’ and ‘OpenPrinter()’ functions.
An anonymous remote attacker may be able to leverage this issue via RPC requests to the Spooler service to execute arbitrary code remotely on the affected host.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(23699);
  script_version("1.19");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  # Public identifiers for the flaw being checked.
  script_cve_id("CVE-2006-5854");
  script_bugtraq_id(21220);

  script_name(english:"Novell NetWare Client Print Provider (nwspool.dll) Multiple Function Overflow");
  script_summary(english:"Checks file version of nwspool.dll");

  # Report text: what the problem is, where it comes from, and how to fix it.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a DLL that suffers from a buffer
overflow flaw.");
  script_set_attribute(attribute:"description", value:
"The file 'nwspool.dll' included with the Novell Client software
reportedly contains a buffer overflow that can be triggered by long
arguments to the Win32 'EnumPrinters()' and 'OpenPrinter()' functions.
An anonymous remote attacker may be able to leverage this issue via
RPC requests to the Spooler service to execute arbitrary code remotely
on the affected host.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-06-043/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/453012/100/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=3125538" );
  script_set_attribute(attribute:"solution", value:
"Install the 491psp3_nwspool.exe patch file referenced in the vendor
advisory above.");

  # Severity scoring and exploit availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  # Timeline: vendor patch, public disclosure, and this plugin's release.
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/21");

  # This is a credentialed, version-based check, not an active exploit.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Needs the registry enumeration done by smb_hotfixes.nasl and SMB access.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("audit.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");

# Bail out unless smb_hotfixes.nasl has already enumerated the registry;
# everything below depends on the KB entries it populates.
if (!get_kb_item("SMB/Registry/Enumerated"))
  exit(1, "KB 'SMB/Registry/Enumerated' not set to TRUE.");

# Unless we're being paranoid, only continue when the Novell Client's
# uninstall entry is present; get_kb_item_or_exit() ends the plugin otherwise.
if (report_paranoia < 2)
{
  uninstall_key =
    "SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/" +
    "{Novell Client for Windows}" +
    "/DisplayName";
  get_kb_item_or_exit(uninstall_key);
}


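# Connect to the appropriate share.
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

# Locate nwspool.dll under %SystemRoot%\System32.  hotfix_get_systemroot()
# yields a path such as "C:\WINDOWS"; the drive letter selects the admin
# share and the remainder becomes the path relative to that share.
winroot = hotfix_get_systemroot();
if (!winroot) exit(1, "Failed to determine the location of %windir%.");
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:winroot);
dll =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\nwspool.dll", string:winroot);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL,share);
}

# Read the version resource of nwspool.dll.  'info' collects one report
# line per affected file and stays empty when the DLL is absent or fixed.
fh = CreateFile(
  file:dll,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
info = "";
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);

  # nb: for older versions, the file version will be null.  Such builds
  # predate the fix, so a missing version resource is deliberately
  # reported as affected rather than silently ignored.
  if (isnull(ver)) info = "  " + winroot + "\System32\nwspool.dll (unknown file version" + ')\n';
  else
  {
    # First fixed version, as shipped in the vendor's 491psp3_nwspool.exe.
    fix = split("4.91.4.0", sep:'.', keep:FALSE);
    for (i=0; i<4; i++)
      fix[i] = int(fix[i]);

    # Compare component-wise, most significant first.  'fix' only has four
    # components, so cap the loop at 4 instead of max_index(ver) to avoid
    # indexing past the end of 'fix' should GetFileVersion() ever return a
    # longer array.  Equal versions fall through without being flagged.
    ncomp = max_index(ver);
    if (ncomp > 4) ncomp = 4;

    for (i=0; i<ncomp; i++)
    {
      if (ver[i] < fix[i])
      {
        version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]);
        info += "  " + winroot + "\System32\nwspool.dll (file version=" + version + ')\n';
        break;
      }
      else if (ver[i] > fix[i])
        break;
    }
  }
}
# Always drop the share mapping, whether or not the file could be opened.
NetUseDel();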


# Issue a report if any vulnerable files were found.  The file list is
# only attached when the scan is configured for verbose reporting.
if (info)
{
  report = NULL;
  if (report_verbosity)
    report = 'The following file(s) are affected :\n\n' + info;

  security_hole(port:port, extra:report);
}