CVE-2010-1527
published 2010-08-23

Priority: P265, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 35.99% (98.3th percentile)

Stack-based buffer overflow in Novell iPrint Client before 5.44 allows remote attackers to execute arbitrary code via a long call-back-url parameter in an op-client-interface-version action.

Affected

15 ranges
Vendor | Product | Version range | Fixed in
novell | iprint | <= 5.42 |

Detection & IOCs (extracted from sources)

filename: ienipp.ocx
other: 36723F97-7AA0-11D4-8919-FF2D71D0D32C
command: op-client-interface-version action with long call-back-url parameter
other: Ret: 0x0A0A0A0A (heap spray return address)
  • Alert on HTTP responses containing the iPrint ActiveX CLSID combined with a 'call-back-url' parameter passed to an 'op-client-interface-version' action, especially with abnormally long parameter values.
  • Heap spray pattern: look for repeated 0x0A0A0A0A dword sequences in JavaScript unescape() calls within HTML pages that also reference the iPrint ActiveX CLSID.
  • Monitor for ienipp.ocx being loaded by iexplore.exe on versions 5.4.0.0 or 5.4.2.0 (file versions prior to 5.44); these are confirmed vulnerable versions.
  • The Metasploit module payload space is limited to 1024 bytes and null bytes (0x00) are bad characters; payloads must be encoded accordingly.
  • The exploit was confirmed working only against Novell iPrint Client 5.40 and 5.42 on Windows XP SP3 and Vista SP2 with IE 7; the single target uses a heap-spray return address (0x0A0A0A0A) rather than a fixed module address.
  • EXITFUNC is set to 'process', meaning the exploit terminates the browser process on exit; this may affect post-exploitation stability.