TPTI-10-05: Novell iPrint Client Browser Plugin Remote File Deletion Vulnerability

interaction ActiveX control Plugin File Deletion files remote Customer Protection Digital Vaccine Affected Vendors Novell Disclosure Timeline Vendor Response Affected Products attackers Vulnerability Details TippingPoint DVLabs Aaron Portnoy customers

TPTI-10-05: Novell iPrint Client Browser Plugin Remote File Deletion Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-05
August 4, 2010

-- CVSS:
7.8, (AV:N/AC:L/Au:N/C:N/I:N/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell iPrint

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10063. 
For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to delete all files on a
system with a vulnerable installation of the Novell iPrint Client. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.

The specific flaw exists within the nipplib.dll module that can be
reached via the ienipp.ocx ActiveX control with CLSID
36723f97-7aa0-11d4-8919-FF2D71D0D32C. The CleanUploadFiles method
appears to be used to remove temporary files within a contained
directory. However, due to a logic flaw a remote attacker can abuse the
function to force the process to recursively delete all files on the
target system. 

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:

http://download.novell.com/Download?buildid=ftwZBxEFjIg~

-- Disclosure Timeline:
2010-07-15 - Vulnerability reported to vendor
2010-08-04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Aaron Portnoy, TippingPoint DVLabs