SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Multiple vulnerabilities in WinCom LPD Total 3.0.2.623


Arrow  SecurityAlert : 4610
Arrow  CVE : CVE-2008-5158
Arrow  CVE : CVE-2008-5159
Arrow  CVE : CVE-2008-5176
Arrow  CWE : CWE-287
Arrow  CWE : CWE-189
Arrow  CWE : CWE-119
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Victim interaction required : No
Arrow  Exploit Available : No
Arrow  Credit : Luigi Auriemma
Arrow  Published : 20.11.2008

Arrow  Affected Software : clientsoftware:wincome_mpd_total:3.0.2.623 and previous versions



Arrow  Advisory Content :  

#######################################################################

Luigi Auriemma

Application: WinCom LPD Total - Line Printer Daemon
http://clientsoftware.com.au/lpd.html
Versions: <= 3.0.2.623
Platforms: Windows
Bugs: A] buffer-overflow in control filename
B] remote administration bypassing
C] integer memcpy crash in remote administration
D] buffer-overflow in remote administration
Exploitation: remote
Date: 04 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

WinCom LPD Total (wincomlpd) is a commercial line printer daemon for
Windows.

#######################################################################

=======
2) Bugs
=======

--------------------------------------
A] buffer-overflow in control filename
--------------------------------------

wincomlpd is affected by a buffer-overflow vulnerability exploitable
during the building of an error string caused by the impossibility of
creating the file specified by the client.

The queues of remote printers are not affected by the problem.

----------------------------------
B] remote administration bypassing
----------------------------------

The administration service which runs on port 13500 is used by the
local and remote admins for managing the wincomlpd server.

The problem here is very simple: the authentication method used by
the program is practically unexistent.
In short an attacker can manage the wincomlpd server without knowing
the admin username and password but simply skipping the auth stage.

This bug can be exploited in at least two ways: writing an alternative
client (the protocol is enough simple so it's not a problem) or just
modifying the admin client program (LPDAdmin.exe).

------------------------------------------------
C] integer memcpy crash in remote administration
------------------------------------------------

The 8 and 16 bit values used in the remote administration protocol for
specifying respectively the length of the strings (like the printer's
name to add) and the size of the data block are signed integers.

That allows an attacker to crash the remote wincomlpd service simply
using negative values like 0x80 or 0xff for the 8 bits numbers and
0x8000 or 0xffff for the data block and so on.

This bug can be also used for exploiting the subsequent vulnerability.

-------------------------------------------
D] buffer-overflow in remote administration
-------------------------------------------

A buffer-overflow is located in the function which copies the data from
the values explained before in a stack buffer.

Naturally the criticality of the above two vulnerabilities is related
to the possibility of bypassing the authentication explained in bug B.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/wincomalpd.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org



Arrow  References :

http://www.securityfocus.com/bid/27614
http://www.securityfocus.com/archive/1/archive/1/487507/100/200/threaded
http://www.frsirt.com/english/advisories/2008/0410
http://secunia.com/advisories/28763
http://aluigi.org/poc/wincomalpd.zip
http://aluigi.org/adv/wincomalpd-adv.txt




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...
Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration
PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass
Copyright © SecurityReason.com. All Rights Reserved.