=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN471
_____________________________________________________________________

DATE                      : 19/11/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows running Novell iPrint Client.

======================================================================
http://www.novell.com/support/viewContent.do?externalId=7007234
http://www.zerodayinitiative.com/advisories/ZDI-10-256/
______________________________________________________________________

Security Vulnerability - Novell iPrint Client server-address Remote Code
Execution Vulnerability

This document (7007234) is provided subject to the disclaimer at the
end of this document.

Environment
Novell iPrint Client for Windows 5.52

Situation
This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of Novell iPrint Client. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.


Resolution
Reported to Novell engineering.


Status
Reported to Engineering
Security Alert


Additional Information

ZDI-CAN-895: "Novell iPrint Client Browser Plugin Remote File
Deletion Vulnerability." This vulnerability was found by Anonymous,
TippingPoint DVLabs. CVE assignment pending.


Document
Document ID:	7007234
Creation Date:	11-18-2010
Modified Date:	11-18-2010
Novell Product:	iPrint

Disclaimer

The origin of this information may be internal or external to Novell.
Novell makes all reasonable efforts to verify this information. However,
the information provided in this document is for your information only.
Novell makes no explicit or implied claims to the validity of this
information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark
information.
_______________________________________________________________________

Novell iPrint ActiveX GetDriverSettings Remote Code Execution Vulnerability
ZDI-10-256: November 18th, 2010

CVSS Score

      9 (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors

      Novell

Affected Products

      iPrint

TippingPoint IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10670. For further product information on the
TippingPoint IPS:

      http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell iPrint Client. User interaction is required
to exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

The flaw exists within the ienipp.ocx component. When handling the exposed
method, a GetDriverSettings call is made into nipplib!IppGetDriverSettings2,
where the process will blindly copy user-supplied data into a fixed-length
buffer on the stack. A remote attacker can exploit this vulnerability to
execute arbitrary code under the context of the browser.
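
The bug class described above, shown beside its hardened form. This is an
added example, not code from Novell or ZDI; the buffer size, function names
and sample input are assumptions, since the advisory publishes none of them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size and names: the advisory does not publish the real
   buffer length or the signature of IppGetDriverSettings2. */
#define SETTINGS_BUF_LEN 64

enum { COPY_OK = 0, COPY_BAD_ARG = -1, COPY_TOO_LONG = -2 };

/* The pattern the advisory describes, for contrast only: the input alone
   decides how many bytes land in a fixed-length stack buffer. */
int settings_len_unchecked(const char *user_value)
{
    char local[SETTINGS_BUF_LEN];
    strcpy(local, user_value);   /* unbounded copy */
    return (int)strlen(local);
}

/* Hardened copy: validate the length against the destination first and
   reject oversized input instead of truncating it silently. */
int copy_setting_checked(const char *src, size_t src_len,
                         char *dst, size_t dst_len)
{
    if (src == NULL || dst == NULL || dst_len == 0)
        return COPY_BAD_ARG;
    if (src_len >= dst_len)      /* keep one byte for the terminator */
        return COPY_TOO_LONG;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return COPY_OK;
}

/* Same stack buffer as above, filled only through the checked copy.
   Returns the stored length, or a negative COPY_* code. */
int settings_len_checked(const char *user_value, size_t user_len)
{
    char local[SETTINGS_BUF_LEN];
    int rc = copy_setting_checked(user_value, user_len, local, sizeof local);
    return rc == COPY_OK ? (int)strlen(local) : rc;
}

int main(void)
{
    char oversized[200];                       /* constructed sample input */
    memset(oversized, 'A', sizeof oversized);
    printf("short: %d\n", settings_len_checked("printer=lab", 11));
    printf("oversized: %d\n", settings_len_checked(oversized, sizeof oversized));
    return 0;
}
```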

Vendor Response

Novell states:

TID 7007234 (http://www.novell.com/support/viewContent.do?externalId=7007234).

Disclosure Timeline

      2010-11-15 - Vulnerability reported to vendor
      2010-11-18 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

      Anonymous
======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
