Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, packet@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
Date: Mon, 11 Feb 2008 19:29:35 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#######################################################################

                             Luigi Auriemma

Application:  Larson Software Technology Network Print Server
              http://www.cgmlarson.com/products/NetworkPrintServer.php
Versions:     <= 9.4.2 build 105
Platforms:    Windows
Bugs:         A] format string in logging
              B] license buffer-overflow
Exploitation: remote
Date:         11 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


LstNPS is a CGM print server for Windows.


#######################################################################

=======
2) Bugs
=======

---------------------------
A] format string in logging
---------------------------

The server is affected by a format string vulnerability located in the
logging functions (by default enabled and set on "Information") which
passes the log message directly to vsnprintf without the format
argument.


--------------------------
B] license buffer-overflow
--------------------------

The LICENSE command handled by the server leads to a buffer-overflow
vulnerability when a license string longer than 128 bytes is copied in
a stack buffer using strncpy in the wrong way.


#######################################################################

===========
3) The Code
===========


A]
echo USEP %n%n%n%s%s%s|nc SERVER 3114 -v -v

B]
echo LICENSE aaaaa...160...aaaaa|nc SERVER 3114 -v -v


#######################################################################

======
4) Fix
======


No Fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Prev by Date: Format string and DoS in Opium OPI and cyanPrintIP servers 4.10.x
Next by Date: [ GLSA 200802-03 ] Horde IMP: Security bypass
Previous by thread: Format string and DoS in Opium OPI and cyanPrintIP servers 4.10.x
Next by thread: [ GLSA 200802-03 ] Horde IMP: Security bypass
Index(es):
- Date
- Thread