In association with heise online

30 November 2006, 12:32

Buffer overflow in Novell's Netware Client

Novell's Netware client installs a print provider that fails to correctly validate several user-supplied arguments in function calls. This allows remote users to execute arbitrary code on vulnerable machines without authentication.

The defective component, nwspool.dll, fails to verify the length of the first argument of the OpenPrinter() function and of the second argument of the EnumPrinters() function. These arguments contain the printer and print server name. If the name passed to OpenPrinter() is longer than 458 bytes, a buffer overflow occurs. A buffer overflow also occurs in EnumPrinters() for strings of more than 524 characters, although the string must end with an exclamation point.

Attackers can exploit the errors remotely through a Remote Procedure Call (RPC) to the spooler service, which allows even anonymous users to call the defective functions, among other actions. The flaw affects Netware Client for Windows 2000, XP and 2004 in version 4.91 through Service Pack 2. Novell is offering the Service Pack 3 spool file to affected users.
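
An added illustration of the missing length check described above (not Novell's code and not part of the original article): a bounded copy that rejects over-long or unterminated printer names instead of writing past a fixed buffer. The buffer size and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size: the page reports only the input lengths that overflow
   (458 and 524), not the real buffer sizes inside nwspool.dll. */
#define NAME_BUF_SIZE 256

typedef enum { NAME_OK, NAME_BAD_ARG, NAME_UNTERMINATED, NAME_TOO_LONG } name_status;

/* Copy a caller-supplied name into a fixed buffer. src_max is how many
   bytes the source is known to hold, so the scan never runs past it.
   Oversized names are rejected, not truncated. */
name_status copy_printer_name(char *dst, size_t dst_size,
                              const char *src, size_t src_max)
{
    if (dst == NULL || dst_size == 0 || src == NULL)
        return NAME_BAD_ARG;
    dst[0] = '\0';
    const char *nul = memchr(src, '\0', src_max);
    if (nul == NULL)
        return NAME_UNTERMINATED;
    size_t len = (size_t)(nul - src);
    if (len >= dst_size)
        return NAME_TOO_LONG;
    memcpy(dst, src, len + 1);   /* len + 1 <= dst_size, includes the NUL */
    return NAME_OK;
}

/* Hypothetical stand-in for a provider entry point that receives the name. */
int provider_open_printer(const char *name, size_t name_max)
{
    char local[NAME_BUF_SIZE];
    if (copy_printer_name(local, sizeof local, name, name_max) != NAME_OK)
        return -1;               /* fail the call before any lookup */
    return (int)strlen(local);   /* real code would go on to use local */
}

/* Constructed input: a name of `len` filler bytes, optionally ending in
   '!' (the EnumPrinters() condition on the page). Returns the result. */
int try_name_of_length(size_t len, int trailing_bang)
{
    char src[1024];
    if (len == 0 || len >= sizeof src)
        return -2;
    memset(src, 'A', len);
    if (trailing_bang)
        src[len - 1] = '!';
    src[len] = '\0';
    return provider_open_printer(src, sizeof src);
}
```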
