[18113] in bugtraq
Re: LPRng remote root exploit
daemon@ATHENA.MIT.EDU (Jason Edgecombe)
Fri Dec 15 18:51:23 2000
Message-Id: <3A3A238B.50467E40@vnet.net>
Date: Fri, 15 Dec 2000 08:58:35 -0500
Reply-To: Jason Edgecombe <javaman@VNET.NET>
From: Jason Edgecombe <javaman@VNET.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,
A workaround does exist to prevent this exploit in special cases.
Add the following line to the beginning of /etc/lpd/perms:
REJECT SERVICE=X NOT IFIP=127.0.0.1/32
Restart LPRng.
This workaround is only valid on a machine that is NOT a print server. The
only reason I run LPRng is for local printing, so this works for me.
The output from running the exploit with this workaround in place:
--------begin output-----------------------
** LPRng remote root exploit coded by venomous of rdC **
constructing the buffer:
adding bytes for padding: 2
retloc: 0xbfffee30 + offset(0) == 0xbfffee30
adding resulting retloc(0xbfffee30)..
adding shellcode address(0xbffff640)
adding nops..
adding shellcode..
all is prepared.. now lets connect to something..
connecting to host.somewhere.com to port 515
connected!, sending the buffer...
KBz}a1@~C0M1@~@Mh/bin/shusfM~{1@1C00$[%.9u%301$n%.192u%302$n1@1[1I3kg_
no connect permissions
---------------end output--------------------
The machine that I ran it against is a Redhat 7.0 box with all package
updates in place.
"rpm -q LPRng" yields:
LPRng-3.6.24-2
venomous wrote:
>
> LPRng-3.6.22/23/24 remote root exploit, enjoy.
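As an added illustration (not part of the original post, and not LPRng's own code), here is a small Python evaluator for the ACCEPT/REJECT subset of /etc/lpd/perms rules with SERVICE= and IFIP= keys, showing why the REJECT line must come first in the file. First-match-wins ordering, NOT applying to the key that follows it, and a default of ACCEPT when nothing matches are simplifying assumptions of this toy, not a statement of LPRng's full grammar.

```python
# Toy evaluator for a subset of LPRng-style /etc/lpd/perms rules.
# Assumptions (not LPRng's real grammar): only ACCEPT/REJECT actions,
# only SERVICE= and IFIP= keys, NOT negates the next key, first matching
# rule wins, and a request matching no rule is ACCEPTed.
import ipaddress


def parse_perms(text):
    """Parse perms text into [(action, [(negated, key, value), ...]), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        conds, negate = [], False
        for tok in tokens[1:]:
            if tok.upper() == "NOT":
                negate = True
                continue
            key, _, value = tok.partition("=")
            conds.append((negate, key.upper(), value))
            negate = False
        rules.append((tokens[0].upper(), conds))
    return rules


def _cond_matches(key, value, service, client_ip):
    if key == "SERVICE":
        return service in value.split(",")
    if key == "IFIP":  # value may be a comma-separated list of CIDR ranges
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(v, strict=False)
                   for v in value.split(","))
    return False  # keys this toy does not model never match (assumption)


def decide(rules, service, client_ip):
    """Return 'ACCEPT' or 'REJECT'; the first rule whose conditions all hold wins."""
    for action, conds in rules:
        if all(_cond_matches(k, v, service, client_ip) != neg for neg, k, v in conds):
            return action
    return "ACCEPT"  # assumed default when no rule matches


# Constructed files: the post's REJECT line placed first, then placed after a
# permissive ACCEPT such as a stock perms file might carry.
WORKAROUND_FIRST = "REJECT SERVICE=X NOT IFIP=127.0.0.1/32\nACCEPT SERVICE=X\n"
WORKAROUND_LAST = "ACCEPT SERVICE=X\nREJECT SERVICE=X NOT IFIP=127.0.0.1/32\n"


def check(perms_text, client_ip):
    """Decision for a connection (SERVICE=X) from client_ip under perms_text."""
    return decide(parse_perms(perms_text), "X", client_ip)
```

With the line first, a remote client such as 10.0.0.5 is rejected while 127.0.0.1 is still accepted; placed after the ACCEPT, the same remote client is let through.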