SAINT Corporation | SAINT:201AD4857D25D4C455746CB83611CA12
Feb 22, 2008 - 12:00 a.m.

Novell Client nwspool.dll EnumPrinters buffer overflow

download.saintcorporation.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.439 Medium
Percentile: 97.0%

Added: 02/22/2008
CVE: CVE-2008-0639
BID: 27741
OSVDB: 41510

Background

Novell Client software provides NetWare connectivity to Windows platforms.

Problem

The **nwspool.dll** library in Novell Client is affected by a buffer overflow in the **EnumPrinters** function, allowing remote attackers to execute arbitrary commands by sending a specially crafted RPC request to the Spooler service.

Resolution

Apply Novell Client 4.91 Post-SP2/3/4 nwspool.dll 2.

References

<http://www.zerodayinitiative.com/advisories/ZDI-08-005.html>

Limitations

Exploit works on Novell Client for Windows 4.91 SP4 with the 4.91 Post-SP2/3/4 nwspool.dll 1 patch.

In order for the exploit to succeed against Windows Server 2003 targets, a shared printer must be configured, the login and password of an account with administrator privileges must be provided, and the Crypt::DES, Digest::MD4, and Digest::MD5 Perl modules must be installed. These modules are available from <http://cpan.org/modules/by-module/>.

Platforms

Windows 2000
Windows Server 2003
