Re: [VulnWatch] SRT2003-11-02-0115 - NIPrint LPD-LPR Remote overflow

[mudge <mudge () uidzero org>]

I would humbly advise against it.

PDF is not too far off from another stack based programming language...  
PostScript. There is a substantial amount of functionality in the  
language itself. A greater portion being understood by the interpreter  
engines used to create pdf files and more and more being introduced to  
the client interpreters.

I will admit that it has been some time since I looked into what was to  
become part of ".PDF" capability but back when I did (several years  
ago) they were already looking at active scripting hooks (ActiveX) etc.

It is entirely possible to create a .PDF document that when viewed  
through 'distiller' creates, removes, truncates files on the end  
system... etc. etc.

Just a comment on my part actually. Then again, I'm always amazed at  
all of the "security" web sites built around javascript, server side  
includes, and every other extra area of risk potentially introduced to  
consumer and vendor for minimal aesthetics. (the fact that most of the  
time neither the potential client, nor the "security" vendor has even  
thought about this is a good reflection of this industry unfortunately).

cheers,

.mudge

On Tuesday, November 4, 2003, at 06:15  AM, KF wrote:

> We are currently evaluating .pdf based advisory release... please let  
> us know if you have any issues with the pdf listed below.
>
> Full details on this issue can be found at:
> http://www.secnetops.com/research/advisories/SRT2003-11-02-0115.pdf
>
> -KF
>
>
> Secure Network Operations, Inc.              
> http://www.secnetops.com/research
> Strategic Reconnaissance Team               research () secnetops com
> Team Lead Contact                           kf () secnetops com
>
>
> Our Mission:
> *********************************************************************** 
> *
> Secure Network Operations offers expertise in Networking, Intrusion
> Detection Systems (IDS), Software Security Validation, and
> Corporate/Private Network Security. Our mission is to facilitate a
> secure and reliable Internet and inter-enterprise communications
> infrastructure through the products and services we offer.
>
> To learn more about our company, products and services or to request a  
> demo
> of ANVIL FCS please visit our site at http://www.secnetops.com, or  
> call us
> at: 978-263-3829
>
>
> Quick Summary:
> *********************************************************************** 
> *
> Advisory Number         : SRT2003-11-02-0115
> Product                 : NIPrint LPD-LPR Print Server
> Version                 : <= 4.10
> Vendor                  : http://www.networkinstruments.com/
> Class                   : Remote
> Criticality             : High (to NIPrint users)
> Operating System(s)     : Win32
>
>
> Notice
> *********************************************************************** 
> *
> The full technical details of this vulnerability can be found at:
> http://www.secnetops.com under the research section.
>
>
> Basic Explanation
> *********************************************************************** 
> *
> High Level Description  : NIPrint contains a remote buffer overflow
> What to do              : Disable NIPrint until vendor patch is  
> available.
>
>
> Basic Technical Details
> *********************************************************************** 
> *
> Proof Of Concept Status : SNO has working Poc code.
>
> Low Level Description   : NIPrint suffers from a classic buffer  
> overflow
> condition. Sending 60 bytes to the printer port (515) will cause an
> exploitable overflow in the NIPrint daemon. See our research page at
> http://www.secnetops.biz/research for further details.
>
>
> Vendor Status           : Vendor was contacted via email. The issue was
> confirmed however no further communication occured. We reccomend that  
> you
> disable NIPrint until a vendor patch is available.
>
> Bugtraq URL             : to be assigned
>
> Disclaimer
> ----------------------------------------------------------------------- 
> -
> This advisory was released by Secure Network Operations,Inc. as a  
> matter
> of notification to help administrators protect their networks against
> the described vulnerability. Exploit source code is no longer released
> in our advisories but can be obtained under contract.. Contact our  
> sales
> department at sales () secnetops com for further information on how to
> obtain proof of concept code.
>
>
> ----------------------------------------------------------------------- 
> -
> Secure Network Operations, Inc. || http://www.secnetops.com
> "Embracing the future of technology, protecting you."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html