Novell iPrint Client Stack Buffer Overflow

November 23, 2010

Novell iPrint, a technology developed by Novell, allows users to install printer-drivers from a web browser and to submit print jobs over the Internet or a local network through the standard Internet Printing Protocol (IPP). Although the iPrint system uses Novell infrastructure, desktop users require only an iPrint client.

Novell iPrint Client is bundled with a set of ActiveX controls that implement various functions. One of the ActiveX controls named ienipp.ocx, is associated with CLSID "36723f97-7aa0-11d4-8919-ff2d71d0d32c", and ProgID "ienipp.Novell iPrint Control". It can be instantiated in a web page using the tag or via scripting. For example:



 obj = new ActiveXObject("ienipp.Novell iPrint Control") 

ActiveX Control ienipp.Novell iPrint Control exposes IppGetDriverSettings2() method with the following script:


There is a stack-buffer-overflow vulnerability in Novell iPrint client library nipplib.dll. This vulnerability exists in function IppGetDriverSettings2() and it copies the provided arguments into a Stack buffer without validating the length of the string. A remote attacker could exploit this vulnerability via a web page that passes the large crafted argument to vulnerable ActiveX control method. A successful exploitation would cause buffer overflow that may allow for arbitrary code injection and execution in the security context of the currently logged on user.

SonicWALL UTM team has researched this vulnerability and created the following IPS signatures to detect the attacks addressing this vulnerability.

  • 6022 Novell iPrint ActiveX GetDriverSettings Method Invocation
  • 6023 Novell iPrint ActiveX GetDriverSettings2 Method Invocation

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.