BugTraq
Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105 Feb 11 2008 06:29PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: Larson Software Technology Network Print Server
http://www.cgmlarson.com/products/NetworkPrintServer.php
Versions: <= 9.4.2 build 105
Platforms: Windows
Bugs: A] format string in logging
B] license buffer-overflow
Exploitation: remote
Date: 11 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

LstNPS is a CGM print server for Windows.

#######################################################################

=======
2) Bugs
=======

---------------------------
A] format string in logging
---------------------------

The server is affected by a format string vulnerability located in the
logging functions (by default enabled and set on "Information") which
passes the log message directly to vsnprintf without the format
argument.

--------------------------
B] license buffer-overflow
--------------------------

The LICENSE command handled by the server leads to a buffer-overflow
vulnerability when a license string longer than 128 bytes is copied in
a stack buffer using strncpy in the wrong way.

#######################################################################

===========
3) The Code
===========

A]
echo USEP %n%n%n%s%s%s|nc SERVER 3114 -v -v

B]
echo LICENSE aaaaa...160...aaaaa|nc SERVER 3114 -v -v

#######################################################################

======
4) Fix
======

No Fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus