TUCoPS :: Web :: Apps :: bx1728.htm

SAPlpd 6.28 multiple vulnerabilities
Multiple vulnerabilities in SAPlpd 6.28
Multiple vulnerabilities in SAPlpd 6.28




#######################################################################

                             Luigi Auriemma

Application:  SAPlpd
http://www.sap.com 
Versions:     <= 6.28 (included in SAP GUI 7.10)
Platforms:    Windows
Bugs:         various vulnerabilities
Exploitation: remote
Date:         04 Feb 2008
Author:       Luigi Auriemma
e-mail: aluigi@autistici.org 
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

==============1) Introduction
==============

SAPlpd is a small and very old (2001) line printer daemon for Windows
which is included in the SAP GUI package.


#######################################################################

======2) Bugs
======

The daemon is affected by various vulnerabilities which, for brevity,
I have decided to list through the lpd commands (in hex) accepted by
the program:

commands    type of bug
01 31       memcpy
02 32       memcpy + sprintf "Receive job for printer %s (berkley protocol)\n"
03 04 33 34 sprintf "QUERY = %s\n" + multiple strcpy
05 35       multiple strcpy
53          server termination


#######################################################################

==========3) The Code
==========

http://aluigi.org/poc/saplpdz.zip 


#######################################################################

=====4) Fix
=====

Vendor contacted, a patch will be released soon.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH