BugTraq
Rlpr Advisory Jun 24 2004 06:44PM
jaguar felinemenace org
_,'| _.-''``-...___..--';)
/_ \'. __..-' , ,--...--'''
<\ .`--''' ` /'
`-';' ; ; ;
__...--'' ___...--_..' .;.'
fL (,__....----''' (,..--'' felinemenace.org

Program: rlprd 2.0.4
Impact: remote root
Discovered: jaguar
Writeup and exploits: Andrew Griffiths

1) Background

It is a package that makes it possible (or at the very least, easier),
to print files on remote sites to your local printer. The rlpr
package includes BSD-compatible replacements for `lpr', `lpq', and
`lprm', whose functionality is a superset of their BSD counterparts.
In other words, with the rlpr package, you can do everything you can
do with the BSD printing commands, and more. The programs contained
within the rlpr package are all GPL'd, and are more lightweight,
cleaner and more secure than their BSD counterparts.

- From the rlprd README

2) Description

The logging function calls syslog without any format specifier. If user
supplied input is included as an argument, it will lead to a format string.

3) Notes

As a method of exploitation:-

On connection to the rlprd server, the server reads in a 64 byte max buffer.
The server attempts to resolve this supplied buffer and if it does not
successfully resolve it will call syslog with that as a string as part of a
parameter, which leads to a format string exploit.

4) Exploit

www.felinemenace.org/exploits/rlprd.py

5) Vendor status/notes/fixes/statements

References:

http://www.nl.debian.org/security/2004/dsa-524

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus