• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Multiple Vendor lpr Format String Vulnerability

lpr is a utility which queues print jobs and submits them to a destination.

lpr contains a function called checkremote() which returns a pointer to a null terminated character string. This string is passed to syslog() as its primary argument, the format string. As a result, if this string is constructed so that malicious format specifiers can be included, syslog can crash or be exploited to execute arbitrary code. It has been reported that intentional user input into this string is not possible without root access and thus It is considered unlikely that this vulnerability is exploitable.

As OpenBSD lpr is derived from the BSD source tree, other modern BSD distributions may be vulnerable as well.

RedHat advisory RHSA-2000:066-03 makes note of additional minor issues relating to LPR including a potential DoS as well as a race condition allowing the queue to become wedged. See Reference section for details.