Vulnerability Alert

Network Instruments NIPrint LPD-LPR Multiple Vulnerabilities

 
Threat Type: Unintended Weakness: Multiple Vulnerabilities
IntelliShield ID: 6910
Version: 2
First Published: 2003 November 04 16:24 GMT
Last Published: 2006 June 23 16:50 GMT
Port: 515
CVE: CVE-2003-1141, CVE-2003-1142
BugTraq ID: 8969
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
 
Version Summary: Exploit code has been released as part of the Metasploit Framework for the Network Instruments NIPrint LPD-LPR buffer overflow vulnerability.
 
 
Description

Network Instruments NIPrint LPD-LPR Print Server is a server based on Windows sockets.  NIPrint LPD-LPR Print Server versions 4.10 and prior contain vulnerabilities that can allow a local attacker to gain elevated privileges or cause a buffer overflow.  The attacker could obtain sensitive information, cause a denial of service (DoS) condition or execute arbitrary code.

The privilege escalation vulnerability exists when NIPrint is installed as a service.  If the print server is installed in this manner, a systray icon is displayed that is accessible to all users on the system.  The icon represents a portion of the niprint3.exe process, which executes with system privileges.  A local attacker can access the NIPrint icon through the Windows Task Manager, thus allowing access to the NIPrint window.  If the attacker then selects the Help menu from the NIPrint window, an error message is shown offering certain options.  The attacker can click on the Yes option and place a * character in the file name field to display all files in C:\Windows\System32.  The attacker can then access cmd.exe and obtain a command shell.

A buffer overflow vulnerability also exists in NIPrint.  A remote attacker can overflow a buffer and overwrite the Extended Instruction Pointer (EIP) with a supplied string by sending a malformed request on TCP and UDP port 515.  The attacker can then select an existing register value to overflow.  Prior to exploiting the buffer, the attacker verifies local user accounts.  When the exploit is executed, the attacker can then create an account with administrator privileges and access the system.

Exploit code is available to demonstrate the buffer overflow.

Patches are available.

 
Warning Indicators

Systems running Network Instruments NIPrint LPD-LPR Print Server 4.10 or prior are vulnerable.

 
IntelliShield Analysis

Exploit code is available, which could increase the likelihood of an attack.

 
Vendor Announcements
Network Instruments has released a security advisory at the following link: NIPRSUP1013
 
Impact

A local attacker could obtain elevated privileges on the local system if the product is installed as a print server.  A local or remote attacker could overflow the print server to cause a DoS condition or execute arbitrary code.  An attacker who successfully overflows the buffer could also create an administrator account.

 
Technical Information

The first vulnerability exists when NIPrint is installed as a service.  An attacker could exploit the vulnerability to access the Help interface to gain system privileges.

The second vulnerability exists when the print server receives a request containing 53 bytes of random data over TCP or UDP port 515.  With the correct shell code, an attacker can inspect local user accounts and create a new account with administrator privileges.
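
A defender-side check for the malformed-request case described above, added here as an example and not part of the Cisco alert or any vendor tooling: it validates the first line of a request seen on port 515 against the RFC 1179 LPD command format. The function name, the constructed sample payloads and the use of the alert's 53-byte figure as a review threshold are assumptions.

```python
from typing import List

# Daemon command codes defined by RFC 1179.
LPD_COMMANDS = {0x01: "print-waiting-jobs", 0x02: "receive-job",
                0x03: "queue-state-short", 0x04: "queue-state-long",
                0x05: "remove-jobs"}
# RFC 1179 operand separators: space, horizontal tab, vertical tab, form feed.
LPD_WHITESPACE = {0x20, 0x09, 0x0B, 0x0C}
# Assumption: the 53-byte figure quoted in this alert is used as the size at
# which a request line is flagged for review; tune it for your queue names.
SUSPECT_LENGTH = 53


def check_lpd_request(payload: bytes,
                      suspect_length: int = SUSPECT_LENGTH) -> List[str]:
    """Return the reasons a first LPD request looks malformed (empty if none)."""
    if not payload:
        return ["empty request"]
    reasons = []
    if payload[0] not in LPD_COMMANDS:
        reasons.append("first byte is not an RFC 1179 command code")
    # A well-formed request is one line: command byte, queue, operands, LF.
    line, sep, _rest = payload.partition(b"\n")
    if not sep:
        reasons.append("no LF terminator")
    if len(line) >= suspect_length:
        reasons.append("request line is %d bytes (>= %d)"
                       % (len(line), suspect_length))
    # Queue names and operands are text; binary bytes here are unexpected.
    if any(not (0x21 <= b <= 0x7E or b in LPD_WHITESPACE) for b in line[1:]):
        reasons.append("non-printable bytes after the command code")
    return reasons


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "short queue status": b"\x03lp\n",
    "receive job": b"\x02laserjet\n",
    "binary filler": bytes([0x90]) * 53,
    "long queue name": b"\x04" + b"A" * 60 + b"\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", check_lpd_request(data) or "ok")
```

The same function can be run over the first payload of each reassembled port 515 session from a packet capture or proxy log to pick out requests that do not follow the LPD format.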

 
Safeguards

Administrators are advised to apply the patch.

Until the patch can be applied, users are advised to disable NIPrint.

 
Patches/Software

Network Instruments has released updated software at the following link: NIPrint Support



Signatures
 
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0

Signature ID        Signature Name                   Release        Latest Release Date
6211/0              LPD NoOp Sled                    S633           2012 Mar 16
18444/0             NIIPrint LPD Request Overflow    S435           2009 Sep 17
20359/0             NIIPrint LPD Request Overflow    S435           2009 Sep 17

Cisco Small Business IPS

Signature ID        Signature Name                   Release        Latest Release Date
SBIPS2009-000320    LPD NoOp Sled                    SBIPS000001    2010 Jan 15
SBIPS2009-000358    NIIPrint LPD Request Overflow    SBIPS000001    2010 Jan 15
 
Alert History
 

Version 1, November 4, 2003, 11:24 AM: Network Instruments NIPrint LPD-LPR Print Server contains two vulnerabilities that can allow an attacker to gain elevated privileges or execute arbitrary code.  Patches are unavailable.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Network Instruments, LLC    NIPrint    2.2 Base | 3.2 Base | 4.1 Base

Associated Products:
N/A



