Vulnerability Note VU#382365
LPRng can pass user-supplied input as a format string parameter to syslog() calls
A popular replacement software package to the BSD lpd printing service called LPRng contains at least one software defect known as a "format string vulnerability" which may allow remote users to execute arbitrary code on vulnerable systems. The privileges of such code will probably be root-level.
LPRng, the "next generation" of print-service management software now being packaged in several open-source operating system distributions, has a missing format string argument in at least two calls to the syslog() function. Missing format strings in function calls which allow user-supplied arguments to be passed to a susceptible *snprintf() function call may allow remote users with access to the printer port (port 515/tcp) to pass format-string parameters that can overwrite arbitrary addresses in the printing service's address space. Such overwriting can cause segmentation violations leading to denial of printing services or lead to the execution of arbitrary code injected through other means into the memory segments of the printer service.
The vulnerable calls in this case occur in the following section of code:
A remote user may be able to execute arbitrary code or perpetuate a denial of service. The privileges the malicious code would have depends on whether the print daemon drops it's root privileges before or after the calls to the vulnerable syslog() functions.
Upgrade to non-vulnerable version of LPRng (3.6.25), as described in the vendors sections below.
Disallow access to printer service ports (typically 515/tcp) using firewall or packet-filtering technologies.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Debian||Affected||06 Dec 2000||07 Dec 2000|
|FreeBSD||Affected||06 Dec 2000||11 Dec 2000|
|NetBSD||Affected||06 Dec 2000||11 Dec 2000|
|Patrick Powell||Affected||-||05 Dec 2000|
|Red Hat Inc.||Affected||26 Sep 2000||27 Jan 2003|
|The SCO Group (SCO Linux)||Affected||-||05 Dec 2000|
|Trustix||Affected||-||04 Dec 2000|
|Apple Computer Inc.||Not Affected||06 Dec 2000||11 Dec 2000|
|Compaq Computer Corporation||Not Affected||06 Dec 2000||11 Dec 2000|
|Hewlett-Packard Company||Not Affected||06 Dec 2000||11 Dec 2000|
|IBM||Not Affected||06 Dec 2000||11 Dec 2000|
|Microsoft Corporation||Not Affected||06 Dec 2000||11 Dec 2000|
|OpenBSD||Not Affected||06 Dec 2000||07 Dec 2000|
|SGI||Not Affected||06 Dec 2000||12 Dec 2000|
|SuSE Inc.||Not Affected||-||05 Dec 2000|
CVSS Metrics (Learn More)
Thanks to Chris Evans for making this code sample public.
This document was written by Jeffrey S Havrilla.
- CVE IDs: CVE-2000-0917
- CERT Advisory: CA-2000-22
- Date Public: 25 Sep 2000
- Date First Published: 04 Dec 2000
- Date Last Updated: 27 Jan 2003
- Severity Metric: 48.20
- Document Revision: 41
If you have feedback, comments, or additional information about this vulnerability, please send us email.