CVE-2010-3106
published 2010-08-23


Priority: P261
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 37.33% (98.3th percentile)
The ienipp.ocx ActiveX control in the browser plugin in Novell iPrint Client before 5.42 does not properly validate the debug parameter, which allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a parameter value with a crafted length, related to the ExecuteRequest method.

Affected

14 ranges
Vendor   Product   Version range   Fixed in
novell   iprint    <= 5.40
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint
novell   iprint

Detection & IOCs (extracted from sources)

other: 36723F97-7AA0-11D4-8919-FF2D71D0D32C
filename: ienipp.ocx
command: ExecuteRequest debug=<overly long string>
other: op-client-interface-version
  • Look for heap-spray patterns in HTML/JS delivered to IE: repeated unescape() calls building large NOP sleds followed by shellcode, combined with an OBJECT tag referencing CLSID 36723F97-7AA0-11D4-8919-FF2D71D0D32C and a call to ExecuteRequest with a 'debug=' parameter containing a long string (offset ~250 bytes to EIP).
  • The exploit uses a heap-spray return address of 0x0A0A0A0A; scanning memory or network payloads for repeated 0x0A0A0A0A sequences in conjunction with ienipp.ocx activity is a strong indicator of exploitation.
  • Monitor for ienipp.ocx being loaded by iexplore.exe and subsequently spawning child processes, which would indicate successful shellcode execution via the ExecuteRequest stack overflow.
  • Exploit only confirmed against Novell iPrint Client versions 5.32 and 5.40 (ienipp.ocx file versions 5.3.2.0 and 5.4.0.0); versions 5.42 and later are patched.
  • The Metasploit module targets Windows XP SP0-SP2 and Windows Vista with IE 6/7; the heap-spray offset is 250 bytes and payload space is limited to 1024 bytes with null bytes as bad characters.
  • JavaScript variable names in the exploit HTML are randomized on each request, limiting static string-based detection of the JS variable identifiers.
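
The content checks in the list above, combined into one scanner for HTML captured at a proxy or mail gateway. This is an added example, not code from the sources this entry quotes. It keys on the fixed strings (CLSID, method name, debug= token, spray address) rather than the randomized JavaScript identifiers. The thresholds, verdict names and sample documents are assumptions constructed for illustration.

```python
import re

# Indicators come from the Detection & IOCs list above; thresholds are assumptions.
CLSID = "36723F97-7AA0-11D4-8919-FF2D71D0D32C"
LONG_DEBUG = 250    # entry: ~250 bytes of debug= value reach the saved EIP
MIN_UNESCAPE = 2    # assumed threshold for "repeated unescape() calls"

CLSID_RE = re.compile(r"clsid\s*:\s*\{?" + re.escape(CLSID), re.I)
CALL_RE = re.compile(r"\.\s*ExecuteRequest\s*\(", re.I)
DEBUG_RE = re.compile(r"debug\s*=\s*([^\"'&;\s]*)", re.I)
UNESCAPE_RE = re.compile(r"\bunescape\s*\(", re.I)
SPRAY_RE = re.compile(r"(?:%u0a0a){2}|0x0a0a0a0a", re.I)

def scan_html(html):
    """Return the set of listed indicators present in one HTML document."""
    hits = set()
    if CLSID_RE.search(html):
        hits.add("clsid")
    if CALL_RE.search(html):
        hits.add("execute_request")
    values = DEBUG_RE.findall(html)
    if values:
        hits.add("debug_param")
        # A literal value is only visible when it is not built at runtime.
        if max(map(len, values)) >= LONG_DEBUG:
            hits.add("debug_overlong_literal")
    if len(UNESCAPE_RE.findall(html)) >= MIN_UNESCAPE:
        hits.add("repeated_unescape")
    if SPRAY_RE.search(html):
        hits.add("spray_0a0a0a0a")
    return hits

def verdict(hits):
    """alert = control + call + spray/overlong value; review = control + call."""
    if "clsid" not in hits:
        return "clean"
    if not {"execute_request", "debug_param"} <= hits:
        return "inventory"  # control embedded, vulnerable call not seen
    noisy = {"debug_overlong_literal", "repeated_unescape", "spray_0a0a0a0a"}
    return "alert" if hits & noisy else "review"

# Constructed samples (not captured traffic); the call's argument layout is assumed.
OBJ = '<object id="p" classid="clsid:%s"></object>' % CLSID
PLAIN_USE = OBJ + '<script>p.ExecuteRequest("debug=0");</script>'
SUSPECT = OBJ + ('<script>var a=unescape("%u0a0a%u0a0a");var b=unescape("%u4141");'
                 'p.ExecuteRequest("debug="+a+b);</script>')

if __name__ == "__main__":
    for name, doc in (("plain_use", PLAIN_USE), ("suspect", SUSPECT)):
        print(name, verdict(scan_html(doc)), sorted(scan_html(doc)))
```

A "review" or "inventory" result is still useful on its own: it identifies pages that instantiate ienipp.ocx, which matters for any client not yet on 5.42.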