Back to list
Jun 24 2004 06:44PM
jaguar felinemenace org
/_ \'. __..-' , ,--...--'''
<\ .`--''' ` /'
`-';' ; ; ;
__...--'' ___...--_..' .;.'
fL (,__....----''' (,..--'' felinemenace.org
Program: rlprd 2.0.4
Impact: remote root
Writeup and exploits: Andrew Griffiths
It is a package that makes it possible (or at the very least, easier),
to print files on remote sites to your local printer. The rlpr
package includes BSD-compatible replacements for `lpr', `lpq', and
`lprm', whose functionality is a superset of their BSD counterparts.
In other words, with the rlpr package, you can do everything you can
do with the BSD printing commands, and more. The programs contained
within the rlpr package are all GPL'd, and are more lightweight,
cleaner and more secure than their BSD counterparts.
- From the rlprd README
The logging function calls syslog without any format specifier. If user
supplied input is included as an argument, it will lead to a format string.
As a method of exploitation:-
On connection to the rlprd server, the server reads in a 64 byte max buffer.
The server attempts to resolve this supplied buffer and if it does not
successfully resolve it will call syslog with that as a string as part of a
parameter, which leads to a format string exploit.
5) Vendor status/notes/fixes/statements
[ reply ]
Copyright 2010, SecurityFocus