Overview
A popular replacement software package to the BSD lpd printing service called LPRng contains at least one software defect known as a "format string vulnerability" which may allow remote users to execute arbitrary code on vulnerable systems. The privileges of such code will probably be root-level.
Description
LPRng, the "next generation" of print-service management software now being packaged in several open-source operating system distributions, has a missing format string argument in at least two calls to the syslog() function. Missing format strings in function calls that allow user-supplied arguments to be passed to a susceptible *snprintf() function call may allow remote users with access to the printer port (port 515/tcp) to pass format-string parameters that can overwrite arbitrary addresses in the printing service's address space. Such overwriting can cause segmentation violations leading to denial of printing services, or lead to the execution of arbitrary code injected through other means into the memory segments of the printer service. The vulnerable calls in this case occur in the following section of code:
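The advisory's code sample is not reproduced on this page, so the following is an added illustration of the defect class it describes, not LPRng's own code. It models the logging call with snprintf() into a buffer (the advisory notes that the missing format string ends up in a *snprintf() call) so that the difference between the vulnerable and the corrected call is visible without touching a real syslog. The function names, the buffer layout and the sample request text are all constructed for this example. A third helper shows the simple check a defender can run over incoming request text or log review: count the conversion directives a string would trigger if it were ever used as a format.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (constructed example, not LPRng source):
 * the text received from the client is passed where a format
 * string is expected, so every '%' in it is interpreted.
 * The compiler warning this function produces (-Wformat-security)
 * is exactly the signal a build should not suppress; it is
 * silenced here only so the demonstration compiles cleanly.
 */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_log_vulnerable(char *out, size_t outlen, const char *request)
{
    /* equivalent in spirit to: syslog(LOG_ERR, request); */
    return snprintf(out, outlen, request);
}
#pragma GCC diagnostic pop

/*
 * Corrected pattern: a fixed, literal format string, with the
 * untrusted text supplied as a plain "%s" argument. Nothing in
 * the request can reach the formatter as a directive.
 */
static int render_log_fixed(char *out, size_t outlen, const char *request)
{
    /* equivalent in spirit to: syslog(LOG_ERR, "%s", request); */
    return snprintf(out, outlen, "%s", request);
}

/*
 * Defensive check: how many conversion directives would this
 * string trigger if it were (mis)used as a format? A literal
 * "%%" renders as one '%' and consumes no argument, so it is
 * not counted. Any non-zero result in text that should be
 * plain data (a printer queue or job name, say) deserves a look.
 */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed request text: a harmless "%%" shows the divergence
     * deterministically, without consuming any stack arguments. */
    const char *request = "job 7: 75%% spooled";
    char buf[64];

    render_log_vulnerable(buf, sizeof buf, request);
    printf("vulnerable: %s\n", buf);   /* the %% collapsed: it was a format */

    render_log_fixed(buf, sizeof buf, request);
    printf("fixed:      %s\n", buf);   /* text logged verbatim */

    printf("directives in \"%%x%%x%%n\": %d\n",
           count_format_directives("%x%x%n"));
    return 0;
}
```

The only difference between the two logging functions is the literal `"%s"`; that is the entire fix for this bug class, and it is what a review of every syslog()/printf()-family call with a non-literal format should produce.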
Impact
A remote user may be able to execute arbitrary code or perpetrate a denial of service. The privileges the malicious code would have depend on whether the print daemon drops its root privileges before or after the calls to the vulnerable syslog() functions.
Solution
Upgrade to a non-vulnerable version of LPRng (3.6.25), as described in the vendor sections below.
Disallow access to printer service ports (typically 515/tcp) using firewall or packet-filtering technologies.
Vendor Information
CVSS Metrics
Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
- http://www.securityfocus.com/bid/1712
- http://www.ciac.org/ciac/bulletins/l-004.shtml
- http://www.ciac.org/ciac/bulletins/l-025.shtml
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17756
- http://www.securityfocus.com/archive/1/85002
- http://archives.neohapsis.com/archives/bugtraq/2000-09/0293.html
- http://xforce.iss.net/static/5287.php
- http://www.redhat.com/support/errata/RHSA-2000-065.html
- http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc
- http://www.trustix.net/download/Trustix/updates/1.1/RPMS/LPRng-3.6.24-1tr.i586.rpm
- http://lists.suse.com/archives/suse-security/2000-Sep/0259.html
- http://lists.debian.org/debian-security-0011/msg00212.html
- http://rpmfind.net/linux/RPM/redhat/7.0/updates/i386/LPRng-3.6.24-2.i386.html
- http://www.egroups.com/message/lprng/6915
- http://www.sans.org/newlook/alerts/port515.htm
Acknowledgements
Thanks to Chris Evans for making this code sample public.
This document was written by Jeffrey S Havrilla.
Other Information
CVE IDs: CVE-2000-0917
CERT Advisory: CA-2000-22
Severity Metric: 48.20
Date Public: 2000-09-25
Date First Published: 2000-12-04
Date Last Updated: 2003-01-27 19:16 UTC
Document Revision: 41