####################################################################### Luigi Auriemma Applications: Opium OPI Server http://www.cyansoftware.com/Opium_OPI.htm cyanPrintIP Easy OPI http://www.cyansoftware.com/cyanPrintIP_Easy_OPI.htm cyanPrintIP http://www.cyansoftware.com/cyanPrintIP.htm Versions: Opium OPI Server <= 4.10.1028 cyanPrintIP Easy OPI <= 4.10.1030 cyanPrintIP Professional <= 4.10.1030 cyanPrintIP Workstation <= 4.10.836 cyanPrintIP Standard <= 4.10.940 cyanPrintIP Basic <= 4.10.1030 Platforms: Windows Bugs: A] format string in ReportSysLogEvent B] service crash through "Send queue state" commands Exploitation: remote Date: 11 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Opium and cyanPrintIP are a family of LPD products for the network sharing of printers. ####################################################################### ======= 2) Bugs ======= ------------------------------------- A] format string in ReportSysLogEvent ------------------------------------- The LPD servers are affected by a format string vulnerability in the ReportSysLogEvent function used for logging. The best way for exploiting this vulnerability is through a malformed queue name which will be used to build a "Print queue" error message directly passed to vsprintf without the needed format argument. After the exploitation will be created a dump and the server will be automatically restarted by the Restart process. ---------------------------------------------------- B] service crash through "Send queue state" commands ---------------------------------------------------- The servers are not able to handle the two "Send queue state" LPD commands (3 and 4) when received at the beginning of the connection, so when not expected by it. The result is the immediate crash/termination of the server which will be not restarted automatically. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/cyanuro.zip ####################################################################### ====== 4) Fix ====== No fix #######################################################################