Vulnerability Development mailing list archives

Re: lpd exploit?

From: Jarno Huuskonen <jhuuskon () MESSI UKU FI>
Date: Fri, 1 Dec 2000 21:54:05 +0200

On Thu, Nov 30, Mark wrote:

This is paranoia.  By default, redhat 7 runs lpd as user 'lp', and I have
never seen any exploits for this daemon.

mark
tort () dethbystereo com


Well, Chris Evans reported an LPRng format string vulnerability on bugtraq
(see http://www.securityfocus.com/archive/1/85002 ). From the report
you can see that LPRng doesn't fully drop root privileges, so maybe
the exploit is more than paranoia.

-Jarno

PS. I think that Chris Wing has made a patch for LPRng so it'll fully drop
    root privileges (uses kernel capabilities). See
    http://www.engin.umich.edu/caen/systems/Linux/caenlinux/6.1/changes.html

--
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen () uku fi
University of Kuopio - Computer Centre   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169

Current thread:

lpd exploit? root (Dec 01)
- Re: lpd exploit? Olaf Kirch (Dec 02)
  - Re: lpd exploit? Crist Clark (Dec 04)
- Re: lpd exploit? Mark (Dec 02)
  - Re: lpd exploit? Jarno Huuskonen (Dec 04)
  - Re: lpd exploit? Larry W. Cashdollar (Dec 04)
    - Re: lpd exploit? Ron DuFresne (Dec 04)
- Re: lpd exploit? Ryan Yagatich (Dec 04)
- <Possible follow-ups>
- Re: lpd exploit? John (Dec 07)
- Re: lpd exploit? John (Dec 07)
  - Re: lpd exploit? Ron DuFresne (Dec 08)
    - Re: lpd exploit? Graeme Fowler (Dec 09)
    - Re: lpd exploit? Theodor Ragnar Gislason (Dec 09)
    - Re: lpd exploit? Graeme Fowler (Dec 09)
    - Re: lpd exploit? Theodor Ragnar Gislason (Dec 09)

(Thread continues...)