发布时间 :2001-08-31 00:00:00
修订时间 :2017-10-09 21:29:57

[原文]The default configuration of the DVI print filter (dvips) in Red Hat Linux 7.0 and earlier does not run dvips in secure mode when dvips is executed by lpd, which could allow remote attackers to gain privileges by printing a DVI file that contains malicious commands.

[CNNVD]Red Hat Linux DVI print filter (dvips)权限提升漏洞(CNNVD-200108-176)

        Red Hat Linux 7.0及其之前版本中DVI print filter (dvips)的默认配置在lpd执行该程序时没有使用安全模式运行,远程攻击者可以利用该漏洞通过打印包含恶意命令的DVI文件获取权限。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:redhat:linux:6.2Red Hat Linux 6.2
cpe:/o:redhat:linux:7.0Red Hat Linux 7.0
cpe:/o:redhat:linux:7.1Red Hat Linux 7.1

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20010827 LPRng/rhs-printfilters - remote execution of commands
(UNKNOWN)  XF  dvips-lpd-command-execution(16509)

- 漏洞信息

Red Hat Linux DVI print filter (dvips)权限提升漏洞
高危 未知
2001-08-31 00:00:00 2005-05-02 00:00:00
        Red Hat Linux 7.0及其之前版本中DVI print filter (dvips)的默认配置在lpd执行该程序时没有使用安全模式运行,远程攻击者可以利用该漏洞通过打印包含恶意命令的DVI文件获取权限。

- 公告与补丁


- 漏洞信息 (21095)

RedHat 6.2/7.0/7.1 Lpd Remote Command Execution via DVI Printfilter Configuration Error (EDBID:21095)
linux remote
2001-08-27 Verified
0 zenith parsec
N/A [点击下载]

'dvips' is a utility that converts DVI documents to PostScript. It is an optional component of the TeTeX text formatting package. When installed on a system where LPRnG and TeTeX are in use, 'dvips' will be invoked by 'lpd' when a DVI document is to be printed if a printfilter exists for it.

On some systems, 'dvips' is not invoked in a safe manner. As a result, it may be possible for remote attackers to execute commands through certain DVI directives on vulnerable systems through 'lpd'.

It should be noted that this vulnerability is only due to the configuration of the DVI printfilter on some systems. There is no specific vulnerability in lpd, dvips or any other executable component. It is simply an error in the default configuration present on some systems. It has been reported that Red Hat 7.0 is vulnerable with the default configuration installed with the RPM packages.

cat >exploit.tex <<EOF
\special{psfile="`command to be executed`"}
tex exploit.tex
lpr exploit.dvi 		

- 漏洞信息

Red Hat Linux lpd DVI Print Filter (dvips) Remote Command Execution
Remote / Network Access

- 漏洞描述

- 时间线

2001-08-27 Unknow
2001-08-27 Unknow

- 解决方案

On this host, please locate and edit the file: /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi This line specifies how 'dvips' is to be executed: dvips -f $DVIPS_OPTIONS < $TMP_FILE Please change it to the following: dvips -R -f $DVIPS_OPTIONS < $TMP_FILE

- 相关参考

- 漏洞作者

Unknown or Incomplete