Vulnerability Development mailing list archives
aix __ bos.rte.printers __ format string vulnerability
From: "Sergey Kuprin" <Sergey.Kuprin () warehouse ru>
Date: Mon, 5 Jan 2004 14:07:09 +0300
there is a local (and possibly remote) format string vulnerability in package bos.rte.printers. feeding /usr/bin/enq with arguments containing formatstring characters it can result in seg_fault. the research of this problem with acknowledgements of exact arguments and configuration types wasn't done. the enq utility is a part of qdaemon printing system. it can be called in different cases. so in special cases it is possible to force pass formatstring via print queue. it isn't checked on practice. as enq-utility on most systems have suid-flag, we can gain privileges of owner (typicaly root). as mentioned we have local and remote formatstring bug with ability to gain root privileges. to prove local vulnerabily we must have permissions to execute enq and construct formatstring which executes our code. to prove remote vulnerabily the closer view and investigation is needed. (ruff@first) /home/ruff> oslevel 4.3.3.0 (ruff@first) /home/ruff> ls -alF /usr/bin/enq -r-sr-sr-x 1 root printq 69980 Apr 20 2001 /usr/bin/enq* (ruff@first) /home/ruff> lslpp -h bos.rte.printers Fileset Level Action Status Date Time ---------------------------------------------------------------------------- Path: /usr/lib/objrepos bos.rte.printers 4.3.3.75 COMMIT COMPLETE 10/25/03 22:50:17 Path: /etc/objrepos bos.rte.printers 4.3.3.75 COMMIT COMPLETE 10/25/03 22:50:17 (ruff@first) /home/ruff> enq -P%08x%08x%08x%08x%08x%08x enq: (FATAL ERROR): Bad queue or device name: 2ff20dae0000000000000000000000000000000100808080. (ruff@first) /home/ruff> enq -P%n%n enq: (FATAL ERROR): Bad queue or device name: Segmentation fault (ruff@first) /home/ruff>
Current thread:
- aix __ bos.rte.printers __ format string vulnerability Sergey Kuprin (Jan 05)
- Re: aix __ bos.rte.printers __ format string vulnerability Jose Carlos Luna Duran (Jan 08)