The Opium OPI Server versions 4.10.1028 and below along with a large amount of cyanPrintIP products suffer from a format string vulnerability in ReportSysLogEvent as well as a server crash flaw.
73f875d8944de4b42d99e9155d5fd14c3284bed1f200ad31d230dea4ef1f673d
#######################################################################
Luigi Auriemma
Applications: Opium OPI Server
http://www.cyansoftware.com/Opium_OPI.htm
cyanPrintIP Easy OPI
http://www.cyansoftware.com/cyanPrintIP_Easy_OPI.htm
cyanPrintIP
http://www.cyansoftware.com/cyanPrintIP.htm
Versions: Opium OPI Server <= 4.10.1028
cyanPrintIP Easy OPI <= 4.10.1030
cyanPrintIP Professional <= 4.10.1030
cyanPrintIP Workstation <= 4.10.836
cyanPrintIP Standard <= 4.10.940
cyanPrintIP Basic <= 4.10.1030
Platforms: Windows
Bugs: A] format string in ReportSysLogEvent
B] service crash through "Send queue state" commands
Exploitation: remote
Date: 11 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Opium and cyanPrintIP are a family of LPD products for the network
sharing of printers.
#######################################################################
=======
2) Bugs
=======
-------------------------------------
A] format string in ReportSysLogEvent
-------------------------------------
The LPD servers are affected by a format string vulnerability in the
ReportSysLogEvent function used for logging.
The best way for exploiting this vulnerability is through a malformed
queue name which will be used to build a "Print queue" error message
directly passed to vsprintf without the needed format argument.
After the exploitation will be created a dump and the server will be
automatically restarted by the Restart process.
----------------------------------------------------
B] service crash through "Send queue state" commands
----------------------------------------------------
The servers are not able to handle the two "Send queue state" LPD
commands (3 and 4) when received at the beginning of the connection, so
when not expected by it.
The result is the immediate crash/termination of the server which will
be not restarted automatically.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/cyanuro.zip
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed