This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of the Novell Netware Client. Authentication is not required to exploit this vulnerability.
Affected Products:
* Novell Netware Client version 4.91
* Novell Netware Client version 4.91 SP1
* Novell Netware Client version 4.91 SP2
The specific flaw exists in a print provider installed by the Netware Client. The nwspool.dll library does not properly handle long arguments to the Win32 EnumPrinters() and OpenPrinter() functions. Exceeding 458 bytes in the first argument to OpenPrinter() or 524 bytes in the second argument to EnumPrinters() results in an exploitable buffer overflow within the Spooler service.
This vulnerability can be exploited remotely via Remote Procedure Call (RPC) requests to the Spooler service. The Spooler exposes the "spoolss" named pipe, which allows an anonymous user to issue certain spooler commands. These include the OpenPrinter() and EnumPrinters() calls required to exploit this vulnerability.
Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at: Novell TID #3125538
Disclosure Timeline:
2005.07.07 - Digital Vaccine released to TippingPoint customers
2006.10.02 - Vulnerability reported to vendor
2006.11.29 - Coordinated public release of advisory
