Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105
#######################################################################
Luigi Auriemma
Application: Larson Software Technology Network Print Server
http://www.cgmlarson.com/products/NetworkPrintServer.php
Versions: <= 9.4.2 build 105
Platforms: Windows
Bugs: A] format string in logging
B] license buffer-overflow
Exploitation: remote
Date: 11 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
LstNPS is a CGM print server for Windows.
#######################################################################
=======
2) Bugs
=======
---------------------------
A] format string in logging
---------------------------
The server is affected by a format string vulnerability located in the
logging functions (by default enabled and set on "Information") which
passes the log message directly to vsnprintf without the format
argument.
--------------------------
B] license buffer-overflow
--------------------------
The LICENSE command handled by the server leads to a buffer-overflow
vulnerability when a license string longer than 128 bytes is copied in
a stack buffer using strncpy in the wrong way.
#######################################################################
===========
3) The Code
===========
A]
echo USEP %n%n%n%s%s%s|nc SERVER 3114 -v -v
B]
echo LICENSE aaaaa...160...aaaaa|nc SERVER 3114 -v -v
#######################################################################
======
4) Fix
======
No Fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org