CVE-2010-3106
Published 2010-08-23
Priority P2 · 61 · critical · 9.3 CVSS 2.0 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT available · EPSS 37.33% (98.3rd percentile)
The ienipp.ocx ActiveX control in the browser plugin in Novell iPrint Client before 5.42 does not properly validate the debug parameter, which allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a parameter value with a crafted length, related to the ExecuteRequest method.
Affected
14 ranges indexed; only one carries version data. The fixed release follows from the description ("before 5.42") and the confirmed-patched note under Detection & IOCs.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | iprint | <= 5.40 (all releases before 5.42) | 5.42 |
Detection & IOCs (extracted from sources)
- Look for heap-spray patterns in HTML/JS delivered to IE: repeated unescape() calls building large NOP sleds followed by shellcode, combined with an OBJECT tag referencing CLSID 36723F97-7AA0-11D4-8919-FF2D71D0D32C and a call to ExecuteRequest whose 'debug=' parameter is a long string (the saved return address sits about 250 bytes into the value).
- The exploit relies on a heap-spray return address of 0x0A0A0A0A. On the wire this is carried in escaped form, unescape("%u0a0a%u0a0a"), not as raw bytes, so match the escaped string in HTTP responses and the raw 0x0A0A0A0A runs in process memory. 0x0A0A0A0A was a common spray address across IE exploits of this era, so treat it as corroborating rather than specific to this CVE unless it appears together with ienipp.ocx or the CLSID above.
- Monitor for ienipp.ocx being loaded by iexplore.exe and iexplore.exe subsequently spawning child processes; that sequence indicates shellcode running after the ExecuteRequest stack overflow. The control is the legitimate iPrint browser plugin and is loaded whenever a user opens an iPrint page, so the image load alone is not an alert.
- Exploit confirmed only against Novell iPrint Client 5.32 and 5.40 (ienipp.ocx file versions 5.3.2.0 and 5.4.0.0); 5.42 and later are patched.
- The Metasploit module targets Windows XP and Windows Vista with IE 6/7 (its header lists successful tests on XP SP3 and Vista SP2 with IE 7). The offset to the overwritten return address is 250 bytes, payload space is limited to 1024 bytes, and 0x00 is the only bad character.
- JavaScript variable names in the exploit HTML are randomized on each request, so static signatures must key on the CLSID, the ExecuteRequest/debug= call and the unescape() sequences rather than on identifier names.
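The content-side indicators in the list above can be checked mechanically. The following is an added example, not code from this page, from Novell or from the Metasploit module: it decodes unescape() sequences the way IE lays them out in memory, looks for the spray loop, the 0x0A0A0A0A return address and a NOP sled, and measures the 'debug=' argument passed to ExecuteRequest against the 250-byte offset. The two HTML samples are constructed to resemble the structure described in the IOCs; the CLSID, offset and return address are the ones listed above, everything else (variable names, sizes, the thresholds in verdict()) is an assumption.

```python
import re

# Identifiers and constants taken from the IOC list above.
IPRINT_CLSID = "36723F97-7AA0-11D4-8919-FF2D71D0D32C"
RET_ADDR = b"\x0a\x0a\x0a\x0a"
EIP_OFFSET = 250  # bytes of filler before the saved return address is overwritten

UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
SPRAY_LOOP_RE = re.compile(r"while\s*\(\s*\w+\.length\s*<\s*[^)]+\)\s*\w+\s*\+=\s*\w+", re.S)
EXEC_RE = re.compile(r"ExecuteRequest\s*\((.*?)\)\s*;", re.S)
DEBUG_LIT_RE = re.compile(r"""debug=([^"']*)""")
HEX4 = re.compile(r"[0-9a-fA-F]{4}")
HEX2 = re.compile(r"[0-9a-fA-F]{2}")


def decode_unescape(s: str) -> bytes:
    """Decode a JavaScript unescape() argument as IE stores it: %uXXXX is a
    UTF-16 code unit written little-endian, %XX is a single byte."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("%u", i) and HEX4.fullmatch(s[i + 2:i + 6]):
            out += int(s[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif s[i] == "%" and HEX2.fullmatch(s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def scan_html(html: str) -> dict:
    """Collect the CVE-2010-3106 indicators present in one HTML/JS document."""
    findings = {
        "clsid": IPRINT_CLSID.lower() in html.lower(),
        "spray_loop": bool(SPRAY_LOOP_RE.search(html)),
        "ret_0a0a0a0a": False,
        "nop_sled": False,
        "debug_len": 0,
    }
    for m in UNESCAPE_RE.finditer(html):
        data = decode_unescape(m.group(2))
        if RET_ADDR in data:
            findings["ret_0a0a0a0a"] = True
        if b"\x90" * 4 in data:
            findings["nop_sled"] = True
    for call in EXEC_RE.finditer(html):
        args = call.group(1)
        lit = DEBUG_LIT_RE.search(args)
        if not lit:
            continue
        length = len(lit.group(1))
        # unescape() output concatenated inside the same call also lands in the
        # parameter, so its decoded length counts toward the overflow.
        for u in UNESCAPE_RE.finditer(args):
            length += len(decode_unescape(u.group(2)))
        findings["debug_len"] = max(findings["debug_len"], length)
    findings["debug_overflow"] = findings["debug_len"] > EIP_OFFSET
    return findings


def verdict(f: dict) -> str:
    """Assumed triage policy: the control instantiated plus a debug= value long
    enough to reach EIP is the exploit; spray without the control is suspicious."""
    if f["clsid"] and f["debug_overflow"]:
        return "exploit"
    if f["debug_overflow"] or (f["spray_loop"] and f["ret_0a0a0a0a"]):
        return "suspicious"
    return "benign"


# Constructed sample mirroring the described exploit page (variable names and
# sizes are made up; the NOP sled/shellcode is a stand-in).
EXPLOIT_SAMPLE = (
    "<html><body>\n"
    f"<object classid='clsid:{IPRINT_CLSID}' id='t'></object>\n"
    "<script>\n"
    'var rYtQa = unescape("%u0a0a%u0a0a");\n'
    'var mKzlp = unescape("%u9090%u9090%u9090%u9090%ucccc");\n'
    "while (rYtQa.length < 0x10000) rYtQa += rYtQa;\n"
    "var mem = new Array();\n"
    "for (var i = 0; i < 200; i++) mem[i] = rYtQa.substring(0, 0x10000 - mKzlp.length) + mKzlp;\n"
    't.ExecuteRequest("debug=' + "A" * EIP_OFFSET + '" + unescape("%u0a0a%u0a0a"));\n'
    "</script></body></html>\n"
)

# Constructed benign page: the plugin is instantiated with a short parameter.
BENIGN_SAMPLE = (
    f"<object classid='clsid:{IPRINT_CLSID}' id='t'></object>\n"
    '<script>t.ExecuteRequest("debug=0");</script>\n'
)

if __name__ == "__main__":
    for name, doc in (("exploit", EXPLOIT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        f = scan_html(doc)
        print(name, verdict(f), f)
```

The CLSID on its own is deliberately not enough for an alert: every legitimate iPrint page instantiates the same control, so the length of the debug= value and the spray pattern carry the signal.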
Suricata
Note: the six Emerging Threats rules below are written for CVE-2007-0226 (uniForum SQL injection via wbsearch.aspx) and were apparently matched to this page on the string 3106 in their reference URL (www.milw0rm.com/exploits/3106). They do not detect exploitation of the iPrint ActiveX control; the HTML/JS indicators under Detection & IOCs are the relevant network signals for CVE-2010-3106.

ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0226 [HIGH] · sid 2005665
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005665; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Explo

ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0226 [HIGH] · sid 2005666
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005666; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Explo

ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0226 [HIGH] · sid 2005667
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005667; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Explo

ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0226 [HIGH] · sid 2005668
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005668; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploi

ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0226 [HIGH] · sid 2005663
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005663; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Explo

ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0226 [HIGH] · sid 2005664
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; classtype:web-application-attack; sid:2005664; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_techniq
Exploit-DB
Novell iPrint Client - ActiveX Control ExecuteRequest debug Buffer Overflow (Metasploit)
exploitdb · 2010-09-21 · CVSS 9.3 · CVE-2010-3106 [CRITICAL]
---
##
# $Id: novelliprint_executerequest_dbg.rb 10429 2010-09-21 18:46:29Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# novelliprint_executerequest_dbg.rb
#
# Novell iPrint Client ActiveX Control 'debug' Buffer Overflow exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Novell iPrint Client 5.32 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client
Exploit-DB
Novell iPrint Client - ActiveX Control 'debug' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-09-21 · CVSS 9.3 · CVE-2010-3106 [CRITICAL]
---
##
# novelliprint_executerequest_dbg.rb
#
# Novell iPrint Client ActiveX Control 'debug' Buffer Overflow exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Novell iPrint Client 5.32 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows Vista SP2
#
# ienipp.ocx version tested:
# File Version: 5.3.2.0 and 5.4.0.0
# ClassID: 36723F97-7AA0-11D4-8919-FF2D71D0D32C
# RegKey Safe for Script: True
# RegKey Safe for Init: True
# KillBitSet: False
#
# References:
# - CVE-2010-3106
# - OSVDB 66960
# - http://dvlabs.tippingpoint.com/advisory/TPTI-10-06
Metasploit
Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow
metasploit · module novelliprint_executerequest_dbg.rb
This module exploits a stack-based buffer overflow in Novell iPrint Client 5.40 (the module header also lists successful runs against 5.32). When an overly long string is passed as the 'debug' parameter to the ExecuteRequest() method of ienipp.ocx, an attacker may be able to execute arbitrary code.
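Successful exploitation ends with shellcode running inside iexplore.exe, which is what the host-side indicator under Detection & IOCs (ienipp.ocx loaded by iexplore.exe, then a child process) keys on. The following is an added example of that correlation, not code from this page or from any vendor: it walks Sysmon-style image-load and process-create events, remembers which iexplore.exe PIDs have loaded ienipp.ocx, and flags children of those PIDs created within a short window. The events, the time window and the iPrint install path are constructed assumptions; only the file names ienipp.ocx and iexplore.exe come from the IOC list.

```python
# Constructed Sysmon-style events (not real telemetry): id 7 = image loaded,
# id 1 = process created, "t" = seconds since the start of the capture.
# The ienipp.ocx directory is an assumption; only the file name is matched.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EVENTS = [
    {"t": 1, "id": 7, "pid": 1184, "image": IE, "loaded": r"C:\Program Files\Novell\iPrint\ienipp.ocx"},
    {"t": 2, "id": 7, "pid": 3020, "image": IE, "loaded": r"C:\Windows\System32\mshtml.dll"},
    {"t": 3, "id": 1, "pid": 2200, "ppid": 1184, "image": r"C:\Windows\System32\cmd.exe"},
    {"t": 4, "id": 1, "pid": 2310, "ppid": 3020, "image": r"C:\Windows\System32\notepad.exe"},
    {"t": 5, "id": 1, "pid": 2400, "ppid": 1184, "image": r"C:\Windows\System32\calc.exe"},
]


def _basename_is(path: str, name: str) -> bool:
    return path.lower().endswith("\\" + name)


def find_iprint_spawns(events, window=60):
    """Flag process creations whose parent is an iexplore.exe that loaded
    ienipp.ocx at most `window` seconds earlier. The image load alone is normal
    (every iPrint page loads the control); the child process is the signal."""
    loaded_at = {}  # iexplore.exe pid -> time ienipp.ocx was loaded
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 7 and _basename_is(ev["image"], "iexplore.exe") \
                and _basename_is(ev["loaded"], "ienipp.ocx"):
            loaded_at[ev["pid"]] = ev["t"]
        elif ev["id"] == 1 and ev.get("ppid") in loaded_at \
                and 0 <= ev["t"] - loaded_at[ev["ppid"]] <= window:
            alerts.append({"parent_pid": ev["ppid"], "child_pid": ev["pid"],
                           "child": ev["image"], "t": ev["t"]})
    return alerts


if __name__ == "__main__":
    for a in find_iprint_spawns(EVENTS):
        print(f"iexplore.exe pid {a['parent_pid']} (ienipp.ocx loaded) spawned "
              f"{a['child']} pid {a['child_pid']} at t={a['t']}")
```

In the sample, pid 3020 also spawns a child but never loaded ienipp.ocx, so it is not reported; tune the window and add an allowlist of expected children before deploying against real telemetry.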
No writeups or analysis indexed.
References
- http://download.novell.com/Download?buildid=ftwZBxEFjIg~ (Novell vendor download)
- http://dvlabs.tippingpoint.com/advisory/TPTI-10-06 (TippingPoint DVLabs advisory TPTI-10-06)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12044 (OVAL definition oval:org.mitre.oval:def:12044)
Published 2010-08-23