Multiple vulnerabilities in SAPlpd 6.28 Feb 04 2008 09:32PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: SAPlpd
http://www.sap.com
Versions: <= 6.28 (included in SAP GUI 7.10)
Platforms: Windows
Bugs: various vulnerabilities
Exploitation: remote
Date: 04 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

SAPlpd is a small and very old (2001) line printer daemon for Windows
which is included in the SAP GUI package.

#######################################################################

=======
2) Bugs
=======

The daemon is affected by various vulnerabilities which, for brevity,
I have decided to list through the lpd commands (in hex) accepted by
the program:

commands type of bug
01 31 memcpy
02 32 memcpy + sprintf "Receive job for printer %s (berkley protocol)\n"
03 04 33 34 sprintf "QUERY = %s\n" + multiple strcpy
05 35 multiple strcpy
53 server termination

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/saplpdz.zip

#######################################################################

======
4) Fix
======

Vendor contacted, a patch will be released soon.

#######################################################################

---
Luigi Auriemma
http://aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus