Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105

2008-02-12T00:00:00
ID SECURITYVULNS:DOC:19085
Type securityvulns
Reporter Securityvulns
Modified 2008-02-12T00:00:00

Description

                         Luigi Auriemma

Application: Larson Software Technology Network Print Server http://www.cgmlarson.com/products/NetworkPrintServer.php Versions: <= 9.4.2 build 105 Platforms: Windows Bugs: A] format string in logging B] license buffer-overflow Exploitation: remote Date: 11 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org

1) Introduction 2) Bugs 3) The Code 4) Fix

=============== 1) Introduction ===============

LstNPS is a CGM print server for Windows.

======= 2) Bugs =======


A] format string in logging

The server is affected by a format string vulnerability located in the logging functions (by default enabled and set on "Information") which passes the log message directly to vsnprintf without the format argument.


B] license buffer-overflow

The LICENSE command handled by the server leads to a buffer-overflow vulnerability when a license string longer than 128 bytes is copied in a stack buffer using strncpy in the wrong way.

=========== 3) The Code ===========

A] echo USEP %n%n%n%s%s%s|nc SERVER 3114 -v -v

B] echo LICENSE aaaaa...160...aaaaa|nc SERVER 3114 -v -v

====== 4) Fix ======

No Fix


Luigi Auriemma http://aluigi.org