Bugtraq mailing list archives

Re: Remote Root Exploit for Redhat 7.0

From: Crutcher Dunnavant <crutcher () REDHAT COM>
Date: Tue, 2 Jan 2001 15:55:20 -0500

The following is the description of an errata issued 2000-09-26,
it concerns the LPRng syslog format hole which is discovered anew
once a week on bug-traq.

Descrition:
 LPRng has a string format bug in the use_syslog function. This function
 returns user input in a string that is passed to the syslog() function as
 the format string. It is possible to corrupt the print daemon's execution
 with unexpected format specifiers, thus gaining root access to the
 computer. The vulnerability is theoretically exploitable both locally and
 remotely.

The errata is published at:
http://www.redhat.com/support/errata/RHSA-2000-065-06.html

Please note that at the time of this errata's publication, no exploits were
known to exist, and that LPRng's upstream maintainers fixed this problem
with LPRng-3.6.25; thus, this problem was addressed in a timely manor by all
parties involved, and has been solved since last September.

++ 30/12/00 11:08 +0100 - kry_cek () libero it:

This exploit compromise Redhat 7.0 box and it allows to gain the root..
is very dangerous.. please RedHat.com release a patch!!
This expl take advantage of Lpd.

For download this expl. look www.netcat.it/download/SEClpd.c

Thx To All
Staff of www.netcat.it


--
"I may be a monkey,     Crutcher Dunnavant
 but I'm a monkey       <crutcher () redhat com>
 with ambition!"        Red Hat OS Development

Current thread:

Remote Root Exploit for Redhat 7.0 kry_cek () libero it (Jan 02)
- Re: Remote Root Exploit for Redhat 7.0 Crutcher Dunnavant (Jan 02)
- <Possible follow-ups>
- Re: Remote Root Exploit for Redhat 7.0 Max Vision (Jan 02)