CVE-2010-4328
Published 2011-02-19
Priority: P2 59
CVSS 2.0: 7.5 (high)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 15.20% (96.3th percentile)
Multiple stack-based buffer overflows in opt/novell/iprint/bin/ipsmd in Novell iPrint for Linux Open Enterprise Server 2 SP2 and SP3 allow remote attackers to execute arbitrary code via unspecified LPR opcodes.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | iprint_open_enterprise_server | — | — |
Detection & IOCs
- Exploit targets TCP port 515 (LPD/LPR service) on Novell iPrint for Linux. Monitor for oversized or malformed LPR opcode payloads (>120 bytes starting with \x01) sent to this port, which are indicative of stack-based buffer overflow attempts against ipsmd.
- The exploit payload begins with LPR opcode byte \x01 followed by a large run of \x41 ('A') padding bytes and terminates with \x44\x43\x42\x41\x0a. Look for TCP payloads to port 515 containing this pattern as a buffer overflow canary/return-address overwrite signature.
- The vulnerable process is ipsmd located at opt/novell/iprint/bin/ipsmd. Monitor for unexpected crashes, restarts, or child process spawning from this binary, which may indicate successful or attempted exploitation.
- The target IP in the exploit (10.102.3.79) is a private lab/test address hardcoded in the PoC and is NOT a threat-actor infrastructure indicator; do not use it as a network-level block.
- The vulnerability affects Novell iPrint for Linux Open Enterprise Server 2 SP2 and SP3 specifically; the LPD service (port 515) must be externally reachable for remote exploitation to succeed.
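
The network-side check from the notes above, as an added example that is not part of the original page or of any vendor tooling. It applies the page's 120-byte threshold to all five RFC 1179 command codes rather than only \x01, because the advisory leaves the opcodes unspecified; the function name, the 64-byte repeat threshold and the sample payloads are assumptions constructed for illustration.

```python
"""Flag oversized LPD (RFC 1179) command lines seen on TCP/515."""
import re

LPD_PORT = 515
MAX_LINE = 120  # threshold taken from the page's detection note
# Daemon command codes from RFC 1179, section 5.
LPD_OPCODES = {1: "print-waiting", 2: "receive-job", 3: "queue-short",
               4: "queue-long", 5: "remove-jobs"}
# Assumed heuristic: 64 or more identical consecutive bytes counts as padding.
PAD_RUN = re.compile(rb"(.)\1{63,}", re.DOTALL)


def inspect_lpd(payload: bytes, dst_port: int) -> list[str]:
    """Return findings for the first command line of a client-to-server stream."""
    findings = []
    if dst_port != LPD_PORT or not payload:
        return findings
    opcode = payload[0]
    if opcode not in LPD_OPCODES:
        return findings  # does not start with an LPD daemon command
    # A legitimate command is: opcode, short operands (queue name), LF.
    line, sep, _ = payload.partition(b"\n")
    if len(line) + len(sep) > MAX_LINE:
        findings.append(
            f"oversized {LPD_OPCODES[opcode]} command: {len(line)} bytes")
    if not sep and len(payload) > MAX_LINE:
        findings.append("no LF terminator within oversized command")
    if PAD_RUN.search(line[1:]):
        findings.append("long run of one repeated byte in operand")
    return findings


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal queue-state request": b"\x03lp\n",
    "normal receive-job": b"\x02printer1\n",
    "oversized opcode 1": b"\x01" + b"A" * 200 + b"\n",
    "long, varied, unterminated": b"\x04" + bytes(range(32, 127)) * 2,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {inspect_lpd(data, LPD_PORT) or 'clean'}")
```

The function only inspects the first command line, so it should be fed the first client-to-server segment of each TCP/515 connection; job data sent after a receive-job command is not examined.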
No detection rules found.
No writeups or analysis indexed.
- http://download.novell.com/Download?buildid=KloKR_CmrBs~
- http://osvdb.org/70852
- http://secunia.com/advisories/43281
- http://securityreason.com/securityalert/8096
- http://www.novell.com/support/viewContent.do?externalId=7007858&sliceId=1
- http://www.securityfocus.com/archive/1/516506/100/0/threaded
- http://www.securityfocus.com/bid/46309
- http://www.securitytracker.com/id?1025074
- http://www.vupen.com/english/advisories/2011/0353
- http://www.zerodayinitiative.com/advisories/ZDI-11-087