[Full-disclosure] Multiple vulnerabilities in SAPlpd 6.28
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, packet@xxxxxxxxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Multiple vulnerabilities in SAPlpd 6.28
- From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
- Date: Mon, 4 Feb 2008 22:32:59 +0100
#######################################################################
Luigi Auriemma
Application: SAPlpd
http://www.sap.com
Versions: <= 6.28 (included in SAP GUI 7.10)
Platforms: Windows
Bugs: various vulnerabilities
Exploitation: remote
Date: 04 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
SAPlpd is a small and very old (2001) line printer daemon for Windows
which is included in the SAP GUI package.
#######################################################################
=======
2) Bugs
=======
The daemon is affected by various vulnerabilities which, for brevity,
I have decided to list through the lpd commands (in hex) accepted by
the program:
  commands      type of bug
  01 31         memcpy
  02 32         memcpy + sprintf "Receive job for printer %s (berkley protocol)\n"
  03 04 33 34   sprintf "QUERY = %s\n" + multiple strcpy
  05 35         multiple strcpy
  53            server termination
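
An added example, not part of the advisory and not SAPlpd's code: one way a listener or filtering front end could refuse the inputs from the table above before they reach any copy or format routine, using the "QUERY = %s\n" log format for illustration. `MAX_OPERAND`, the function names and the sample request are assumptions; the advisory gives no buffer sizes.

```c
#include <stdio.h>
#include <string.h>

#define MAX_OPERAND 64  /* assumed limit; the advisory gives no buffer sizes */
enum lpd_verdict { LPD_OK, LPD_BAD_CMD, LPD_TOO_LONG, LPD_MALFORMED };

/* Command bytes from the advisory's table: 01-05 and their ASCII-digit forms
 * 31-35 are accepted; 53 (server termination) and all others are refused. */
static int lpd_cmd_allowed(unsigned char c)
{
    return (c >= 0x01 && c <= 0x05) || (c >= 0x31 && c <= 0x35);
}

/* Validate one request line (command byte, operand, LF), then build the log
 * line with an explicit precision and snprintf so it cannot overrun `log`. */
enum lpd_verdict lpd_check(const unsigned char *req, size_t len,
                           char *log, size_t logsz)
{
    const unsigned char *op, *lf;
    size_t oplen;
    int n;
    if (req == NULL || len < 2 || log == NULL || logsz == 0)
        return LPD_MALFORMED;
    if (!lpd_cmd_allowed(req[0]))
        return LPD_BAD_CMD;
    op = req + 1;
    lf = memchr(op, '\n', len - 1);
    if (lf == NULL)                       /* operand must be LF-terminated */
        return len - 1 > MAX_OPERAND ? LPD_TOO_LONG : LPD_MALFORMED;
    oplen = (size_t)(lf - op);
    if (oplen > MAX_OPERAND)
        return LPD_TOO_LONG;
    if (memchr(op, '\0', oplen) != NULL)  /* embedded NUL hides trailing bytes */
        return LPD_MALFORMED;
    n = snprintf(log, logsz, "QUERY = %.*s\n", (int)oplen, (const char *)op);
    if (n < 0 || (size_t)n >= logsz)      /* truncated output: reject */
        return LPD_TOO_LONG;
    return LPD_OK;
}

int main(void)
{
    /* constructed sample: command 03 with queue name "lp0" */
    const unsigned char req[] = { 0x03, 'l', 'p', '0', '\n' };
    char log[128];
    if (lpd_check(req, sizeof req, log, sizeof log) == LPD_OK)
        fputs(log, stdout);
    return 0;
}
```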
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/saplpdz.zip
#######################################################################
======
4) Fix
======
Vendor contacted, a patch will be released soon.
#######################################################################
---
Luigi Auriemma
http://aluigi.org