Advisory Details

November 29th, 2006

Novell Netware Client Print Provider Buffer Overflow Vulnerability

ZDI-06-043
ZDI-CAN-100

CVE ID CVE-2006-5854
CVSS SCORE
AFFECTED VENDORS Novell
AFFECTED PRODUCTS Netware
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 3583. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of the Novell Netware Client. Authentication is not required to exploit this vulnerability.

The specific flaw exists in a print provider installed by the Netware Client. The nwspool.dll library does not properly handle long arguments to the Win32 EnumPrinters() and OpenPrinter() functions. Exceeding 458 bytes in the first argument to OpenPrinter() or 524 bytes in the second argument to EnumPrinters() results in an exploitable buffer overflow within the Spooler service.

This vulnerability can be exploited remotely via Remote Procedure Call (RPC) requests to the Spooler service. The Spooler exposes the "spoolss" named pipe, which allows an anonymous user to issue certain spooler commands. These include the OpenPrinter() and EnumPrinters() calls required to exploit this vulnerability.

ADDITIONAL DETAILS Novell has issued an update to correct this vulnerability. More details can be found at:
Novell TID #3125538
DISCLOSURE TIMELINE
  • 2006-10-02 - Vulnerability reported to vendor
  • 2006-11-29 - Coordinated public release of advisory
CREDIT Anonymous
BACK TO ADVISORIES