Bugtraq mailing list archives
Re: LPRng remote root exploit
From: Jason Edgecombe <javaman () VNET NET>
Date: Fri, 15 Dec 2000 08:58:35 -0500
Greetings,

A workaround does exist to prevent this exploit in special cases. Add the following line to the beginning of /etc/lpd/perms:

    REJECT SERVICE=X NOT IFIP=127.0.0.1/32

Then restart LPRng.

This workaround is only valid on a machine that is NOT a print server. The only reason I run LPRng is for local printing, so this works for me.

The output from running the exploit with this workaround in place:

--------begin output-----------------------
** LPRng remote root exploit coded by venomous of rdC **
constructing the buffer:
adding bytes for padding: 2
retloc: 0xbfffee30 + offset(0) == 0xbfffee30
adding resulting retloc(0xbfffee30)..
adding shellcode address(0xbffff640)
adding nops..
adding shellcode..
all is prepared.. now lets connect to something..
connecting to host.somewhere.com to port 515
connected!, sending the buffer...
KÂú}á1ÀþC°Í1ÀþÀÍèÿÿÿ/bin/shuófÍþû1À1C00$[%.9u%301$n%.192u%302$n1À1Û1ɳëg_
no connect permissions
---------------end output--------------------

The machine that I ran it against is a Redhat 7.0 box with all package updates in place. "rpm -q LPRng" yields:

    LPRng-3.6.24-2

venomous wrote:
> LPRng-3.6.22/23/24 remote root exploit, enjoy.
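The following is an added example, not part of the original post or of LPRng itself: a simplified model of how an lpd.perms file is evaluated (first matching line wins, DEFAULT applies otherwise, NOT negates the key that follows it, IFIP is the local interface address the connection arrived on). It shows why the REJECT SERVICE=X line above refuses every connection that does not arrive on loopback, and therefore also refuses remote print clients, which is why the workaround only suits a machine that is not a print server. The rule text and addresses are constructed; no real lpd is involved.

```python
# Simplified model of LPRng lpd.perms evaluation (added example, not LPRng code).
# Assumptions: rules are tried top to bottom and the first full match wins;
# NOT negates the single key=value that follows it; DEFAULT sets the fallback.
import ipaddress

# Constructed perms file containing the workaround line from the post.
WORKAROUND_PERMS = """
REJECT SERVICE=X NOT IFIP=127.0.0.1/32
ACCEPT SERVICE=X
DEFAULT ACCEPT
"""

def parse_perms(text):
    """Parse perms text into (rules, default); each rule is (action, conds)."""
    rules, default = [], "ACCEPT"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "DEFAULT":
            default = tokens[1]
            continue
        action, conds, negate = tokens[0], [], False
        for tok in tokens[1:]:
            if tok == "NOT":
                negate = True                   # applies to the next key only
                continue
            key, _, value = tok.partition("=")
            conds.append((key, value, negate))
            negate = False
        rules.append((action, conds))
    return rules, default

def _match(key, value, request):
    """True when one key=value condition matches the request."""
    if key == "IFIP":                           # CIDR match on the local interface
        net = ipaddress.ip_network(value, strict=False)
        return ipaddress.ip_address(request["IFIP"]) in net
    return request.get(key) in value.split(",")

def check(perms_text, service, ifip):
    """Return 'ACCEPT' or 'REJECT' for `service` arriving on interface `ifip`."""
    rules, default = parse_perms(perms_text)
    request = {"SERVICE": service, "IFIP": ifip}
    for action, conds in rules:
        if all(_match(k, v, request) != neg for k, v, neg in conds):
            return action                       # first match wins
    return default
```

With the workaround in place, a connection on loopback is accepted while the same connection arriving on any other interface is rejected, which matches the "no connect permissions" line in the output above.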