Buffer overflow in Novell's Netware Client
Novell's Netware client installs a print provider that fails to correctly validate several user-supplied arguments passed to its functions. This allows remote users to execute arbitrary code on vulnerable machines without authentication.
The defective component, nwspool.dll, fails to verify the length of the first argument of the OpenPrinter() function and of the second argument of the EnumPrinters() function. These arguments contain the printer and print server name. If the name passed to OpenPrinter() is longer than 458 bytes, a buffer overflow occurs. A buffer overflow also occurs in the EnumPrinters() function for strings of more than 524 characters, although an exclamation point must follow at the end of the string.
Attackers can exploit the flaws remotely through a Remote Procedure Call (RPC) to the spooler service. This allows even anonymous users to call the defective functions, among other actions. The flaw affects Netware Client for Windows 2000, XP and 2004 in version 4.91 through Service Pack 2. Novell is offering the Service Pack 3 spool file to affected users.
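The missing length check described above, shown as the validation a print provider should perform before copying a caller-supplied name into fixed-size buffers. This is an added example, not Novell's code: the function names, the struct and the buffer sizes are hypothetical, and it assumes the `\\server\printer` name form.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limits for this example; the real buffer sizes inside
   nwspool.dll are not given on the page. */
#define MAX_SERVER  64
#define MAX_PRINTER 128

enum name_status { NAME_OK = 0, NAME_BAD_FORMAT = -1, NAME_TOO_LONG = -2 };

struct printer_ref {
    char server[MAX_SERVER];
    char printer[MAX_PRINTER];
};

/* Copy exactly len bytes plus a terminator, refusing anything that does not fit. */
static int bounded_copy(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len == 0) return NAME_BAD_FORMAT;
    if (len >= dst_size) return NAME_TOO_LONG;   /* reject, never truncate silently */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return NAME_OK;
}

/* Split "\\server\printer" into fixed-size fields. name_size is the size of the
   buffer the string arrived in, so an unterminated RPC string is never read
   past its end. */
int parse_printer_name(const char *name, size_t name_size, struct printer_ref *out)
{
    const char *end, *sep;
    int rc;

    if (name == NULL || out == NULL) return NAME_BAD_FORMAT;
    end = memchr(name, '\0', name_size);
    if (end == NULL) return NAME_TOO_LONG;       /* no terminator within bounds */
    if (end - name < 3 || name[0] != '\\' || name[1] != '\\') return NAME_BAD_FORMAT;

    sep = memchr(name + 2, '\\', (size_t)(end - (name + 2)));
    if (sep == NULL) return NAME_BAD_FORMAT;

    memset(out, 0, sizeof *out);
    rc = bounded_copy(out->server, sizeof out->server, name + 2, (size_t)(sep - (name + 2)));
    if (rc != NAME_OK) return rc;
    return bounded_copy(out->printer, sizeof out->printer, sep + 1, (size_t)(end - (sep + 1)));
}
```

Every length is checked against the destination size before the copy, so an oversized name is rejected with an error code instead of overrunning the buffer.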
- Novell Netware Client Print Provider Buffer Overflow Vulnerability, security advisory from the Zero Day Initiative
- nwspool.dll buffer overflow, bug report from Novell