[guru] Novell security updates
DATE: Wed, 25 Aug 2010 11:48:25 +0200
The op-client-interface-version operation of the Novell iPrint client contains a stack buffer
overflow bug when processing the call-back-url parameter.
Another bug affecting the iPrint client is that the ienipp.ocx ActiveX control
also dereferences uninitialized pointers, so an attacker can easily run code
on the system.
--- Begin Message ---
======================================================================
Secunia Research 20/08/2010
- Novell iPrint Client "call-back-url" Buffer Overflow -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Novell iPrint Client 5.42
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"Novell iPrint extends print services securely across multiple
networks and operating systems. Using proven Internet technologies,
iPrint transforms your Novell Distributed Print Services™ (NDPS®)
printers into Net-enabled printers, making all your printing resources
instantly accessible with a Web browser and a few mouse clicks".
Product Link:
http://www.novell.com/products/openenterpriseserver/iprint.html
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Novell iPrint
Client, which can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused by a boundary error in the handling of the
"call-back-url" parameter value for a "op-client-interface-version"
operation where the "result-type" parameter is set to "url". This can
be exploited to cause a stack-based buffer overflow via an overly long
"call-back-url" parameter value.
Successful exploitation allows execution of arbitrary code when a user
visits a malicious website.
======================================================================
5) Solution
Update to version 5.44.
======================================================================
6) Time Table
03/08/2010 - Vendor notified.
03/08/2010 - Vendor response.
16/08/2010 - Vendor provides status update.
20/08/2010 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-1527 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-104/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
--- End Message ---
--- Begin Message ---
TPTI-10-08: Novell iPrint Client Browser PluginGetDriverFile Uninitialized Pointer Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-08
August 23, 2010
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Novell
-- Affected Products:
Novell iPrint
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10264.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Novell iPrint client. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page.
The specific flaw exists within the ienipp.ocx ActiveX control with
CLSID 36723f97-7aa0-11d4-8919-FF2D71D0D32C. The function exposes a
GetDriverFile method. When this method is invoked for the first time a
pointer in the .data section is mapped to an external function within
another module. When invoked the second time, the process fails to load
the library and assumes the pointer is still valid. When the
uninitialized pointer is called the process jumps to an address space
easily controlled by an attacker. This can be leveraged to execute
remote code under the context of the user running the browser.
-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:
http://download.novell.com/Download?buildid=H-2-uHNc5-A~
-- Disclosure Timeline:
2010-08-12 - Vulnerability reported to vendor
2010-08-23 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, TippingPoint DVLabs
--- End Message ---
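Until the patched client from the vendor link above is rolled out, the quickest defensive step for the ActiveX issue is the Internet Explorer "kill bit", which stops IE from instantiating a control by CLSID. The script below is an added example, not part of either advisory: it reads the kill-bit state for the ienipp.ocx CLSID named in TPTI-10-08 and sets it when run with -Apply. The CLSID comes from the advisory; the registry key and the 0x400 Compatibility Flags value are Microsoft's documented kill-bit mechanism; the Wow6432Node path is assumed for 32-bit IE on 64-bit Windows.

```powershell
# Added example (not from the advisory): report and optionally set the IE kill bit
# for the ienipp.ocx control (CLSID from TPTI-10-08) until the patched client is installed.
param([switch]$Apply)

$clsid   = '{36723f97-7aa0-11d4-8919-FF2D71D0D32C}'   # CLSID as given in TPTI-10-08
$killBit = 0x400                                       # Microsoft "kill bit" compatibility flag
$base    = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$paths   = @(
    "HKLM:\$base\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"  # assumed: 32-bit IE on x64
)

# Returns 'absent', 'set', or 'other(0x..)' describing the current Compatibility Flags value.
function Get-KillBitState([string]$Path) {
    if (-not (Test-Path $Path)) { return 'absent' }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'absent' }
    if (($flags -band $killBit) -eq $killBit) { return 'set' }
    return ('other(0x{0:X})' -f $flags)
}

# ORs the kill bit into any existing flags so other compatibility settings are preserved.
function Set-KillBit([string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $killBit)
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
}

foreach ($p in $paths) {
    "{0} : {1}" -f $p, (Get-KillBitState $p)
    if ($Apply) {
        Set-KillBit $p
        "{0} : now {1}" -f $p, (Get-KillBitState $p)
    }
}
```

Run from an elevated PowerShell; without -Apply it only reports, which makes it usable as a fleet-wide audit check for the interim mitigation.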