####################################################################### Luigi Auriemma Application: Larson Software Technology Network Print Server http://www.cgmlarson.com/products/NetworkPrintServer.php Versions: <= 9.4.2 build 105 Platforms: Windows Bugs: A] format string in logging B] license buffer-overflow Exploitation: remote Date: 11 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== LstNPS is a CGM print server for Windows. ####################################################################### ======= 2) Bugs ======= --------------------------- A] format string in logging --------------------------- The server is affected by a format string vulnerability located in the logging functions (by default enabled and set on "Information") which passes the log message directly to vsnprintf without the format argument. -------------------------- B] license buffer-overflow -------------------------- The LICENSE command handled by the server leads to a buffer-overflow vulnerability when a license string longer than 128 bytes is copied in a stack buffer using strncpy in the wrong way. ####################################################################### =========== 3) The Code =========== A] echo USEP %n%n%n%s%s%s|nc SERVER 3114 -v -v B] echo LICENSE aaaaa...160...aaaaa|nc SERVER 3114 -v -v ####################################################################### ====== 4) Fix ====== No Fix #######################################################################