CVE-2001-1002
CVSS7.5
发布时间 :2001-08-31 00:00:00
修订时间 :2016-10-17 22:14:01
NMCOE    

[原文]The default configuration of the DVI print filter (dvips) in Red Hat Linux 7.0 and earlier does not run dvips in secure mode when dvips is executed by lpd, which could allow remote attackers to gain privileges by printing a DVI file that contains malicious commands.


[CNNVD]Red Hat Linux DVI print filter (dvips)权限提升漏洞(CNNVD-200108-176)

        Red Hat Linux 7.0及其之前版本中DVI print filter (dvips)的默认配置在lpd执行该程序时没有使用安全模式运行,远程攻击者可以利用该漏洞通过打印包含恶意命令的DVI文件获取权限。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:redhat:linux:7.0Red Hat Linux 7.0
cpe:/o:redhat:linux:6.2Red Hat Linux 6.2
cpe:/o:redhat:linux:7.1Red Hat Linux 7.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1002
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1002
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-176
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=99892644616749&w=2
(UNKNOWN)  BUGTRAQ  20010827 LPRng/rhs-printfilters - remote execution of commands
http://www.redhat.com/support/errata/RHSA-2001-102.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2001:102
http://www.securityfocus.com/bid/3241
(VENDOR_ADVISORY)  BID  3241
http://xforce.iss.net/xforce/xfdb/16509
(UNKNOWN)  XF  dvips-lpd-command-execution(16509)

- 漏洞信息

Red Hat Linux DVI print filter (dvips)权限提升漏洞
高危 未知
2001-08-31 00:00:00 2005-05-02 00:00:00
远程  
        Red Hat Linux 7.0及其之前版本中DVI print filter (dvips)的默认配置在lpd执行该程序时没有使用安全模式运行,远程攻击者可以利用该漏洞通过打印包含恶意命令的DVI文件获取权限。

- 公告与补丁

        

- 漏洞信息 (21095)

RedHat 6.2/7.0/7.1 Lpd Remote Command Execution via DVI Printfilter Configuration Error (EDBID:21095)
linux remote
2001-08-27 Verified
0 zenith parsec
N/A [点击下载]
source: http://www.securityfocus.com/bid/3241/info

'dvips' is a utility that converts DVI documents to PostScript. It is an optional component of the TeTeX text formatting package. When installed on a system where LPRnG and TeTeX are in use, 'dvips' will be invoked by 'lpd' when a DVI document is to be printed if a printfilter exists for it.

On some systems, 'dvips' is not invoked in a safe manner. As a result, it may be possible for remote attackers to execute commands through certain DVI directives on vulnerable systems through 'lpd'.

It should be noted that this vulnerability is only due to the configuration of the DVI printfilter on some systems. There is no specific vulnerability in lpd, dvips or any other executable component. It is simply an error in the default configuration present on some systems. It has been reported that Red Hat 7.0 is vulnerable with the default configuration installed with the RPM packages.

cat >exploit.tex <<EOF
\special{psfile="`command to be executed`"}
\end
EOF
tex exploit.tex
lpr exploit.dvi 		

- 漏洞信息

835
Red Hat Linux lpd DVI Print Filter (dvips) Remote Command Execution
Remote / Network Access

- 漏洞描述

- 时间线

2001-08-27 Unknow
2001-08-27 Unknow

- 解决方案

On this host, please locate and edit the file: /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi This line specifies how 'dvips' is to be executed: dvips -f $DVIPS_OPTIONS < $TMP_FILE Please change it to the following: dvips -R -f $DVIPS_OPTIONS < $TMP_FILE

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站