Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   NIPrint Vendors:   Network Instruments, LLC
NIPrint Print Server Help File Bug Lets Local Users Execute Shell Commands With SYSTEM Privileges
SecurityTracker Alert ID:  1008088
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 3 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): 4.10 and prior versions
Description:   A vulnerability was reported in the NIPrint print server. A local user can gain SYSTEM privileges on the target system.

Secure Network Operations Strategic Reconnaissance Team reported that a local user can invoke the help interface to execute arbitrary commands. If NIPrint is installed as a service, a local user can open the Help menu and then execute CMD.EXE instead of the intended NIPRINT.HLP file. The command shell will be launched with SYSTEM privileges, according to the report.

The vendor has reportedly been notified.

Impact:   A local user can execute arbitrary shell commands with SYSTEM privileges.
Solution:   No solution was available at the time of this entry.

The author of the report recommends that you disable the NIPrint service until a fix is available.

Vendor URL: (Links to External Site)
Cause:   Access control error, Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  SRT2003-11-02-0218 - NIPrint LPD-LPR Local Help API SYSTEM exploit

Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

We are currently evaluating .pdf based advisory release... please let us 
know if you have any issues with the pdf listed below.

Full details on this issue can be found at:


Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;


Secure Network Operations, Inc.   
Strategic Reconnaissance Team     
Team Lead Contact                 

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at, or 
call us at: 978-263-3829

Quick Summary:
Advisory Number         : SRT2003-11-02-0218
Product                 : NIPrint LPD-LPR Print Server
Version                 : <= 4.10
Vendor                  :
Class                   : Local
Criticality             : High (to NIPrint users)
Operating System(s)     : Win32

The full technical details of this vulnerability can be found at: under the research section. 

Basic Explanation
High Level Description  : NIPrint allows local user to become SYSTEM
What to do              : Disable NIPrint until patch is available. 

Basic Technical Details
Proof Of Concept Status : SNO has working Poc code.

Low Level Description   : The NIPrint Help API runs in a non secure manor. 
This issue is similar to findings by Brett Moore of 
Basic details on this type of flaw can be found at
See our research page at for further details. 

Vendor Status           : Vendor was contacted via email. No response on 
this issue or any further response on a previously reported issue. We 
reccomend that you disable NIPrint until a vendor patch is available. 

Bugtraq URL             : To be assigned. 
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract.. Contact our sales 
department at for further information on how to 
obtain proof of concept code.

Secure Network Operations, Inc. ||
"Embracing the future of technology, protecting you."




Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC