Date: Mon, 4 Feb 2008 22:32:59 +0100
From: Luigi Auriemma <aluigi@autistici.org.>
To: [email protected], [email protected],
Subject: Multiple vulnerabilities in SAPlpd 6.28
Message-Id: <20080204223259.9b364f1d.aluigi@autistici.org.>
X-Mailer:
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: antivirus-gw at tyumen.ru
#######################################################################
Luigi Auriemma
Application: SAPlpd
http://www.sap.com
Versions: <= 6.28 (included in SAP GUI 7.10)
Platforms: Windows
Bugs: various vulnerabilities
Exploitation: remote
Date: 04 Feb 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
SAPlpd is a small and very old (2001) line printer daemon for Windows
which is included in the SAP GUI package.
#######################################################################
=======
2) Bugs
=======
The daemon is affected by various vulnerabilities which, for brevity,
I have decided to list through the lpd commands (in hex) accepted by
the program:
commands type of bug
01 31 memcpy
02 32 memcpy + sprintf "Receive job for printer %s (berkley protocol)\n"
03 04 33 34 sprintf "QUERY = %s\n" + multiple strcpy
05 35 multiple strcpy
53 server termination
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/saplpdz.zip
#######################################################################
======
4) Fix
======
Vendor contacted, a patch will be released soon.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
