Security Incidents mailing list archives
LPRng remote root exploit seen in the wild
From: Matt Power <mhpower () BOS BINDVIEW COM>
Date: Wed, 22 Nov 2000 16:51:30 -0500
On November 19, a Red Hat 7.0 i386 Linux system was found to be root compromised, with the lpd from the LPRng-3.6.22-5 package as the apparent point of entry. Specifically, it is thought that the intruder had possession of a remote-root exploit program for the LPRng vulnerability described at

  http://www.redhat.com/support/errata/RHSA-2000-065-06.html

As far as I know, there is no publicly available exploit for this vulnerability (i.e., it is being held privately by its authors and by the intruders who are using it). Also, this lpd is typically run by default on Red Hat 7.0 systems (and on some other Linux systems), and thus the number of vulnerable hosts is likely very large.

We have not seen the exploit program that was used and are positing its existence based on syslog information (detailed below) and based on the set of network daemons in use on the compromised host. Although we know of only one instance so far of a break-in via this lpd, BindView Corporation recommends that the threat be addressed quickly by means of installing patches, blocking network access to lpd, and assessing whether hosts have already been compromised. (The one compromised Linux host that we know of was, incidentally, located at an "edu" site and did not have any association with BindView or with any current or previous BindView employee or contractor.)

Information about this LPRng vulnerability, along with some patch references, can be found at

  http://www.securityfocus.com/bid/1712

Availability of patched LPRng software from operating-system vendors has been announced over the past two months (e.g., see http://www.securityfocus.com/bugtraq/archive or appropriate vendor-specific security resources). For LPRng software that is not part of a vendor operating system, see

  http://www.astart.com/LPRng/

For sites that potentially have remaining unpatched LPRng installations (even if only for the next few days), BindView recommends configuring Internet access equipment to block inbound TCP connection attempts to port 515 on internal hosts. TCP port 515 is used to connect to lpd for submission and management of print jobs; TCP port 515 is also used by the exploit program. Depending on the site, legitimate inbound TCP connections to port 515 either never occur (the most common situation), or occur only for a small number of destination hosts (known print servers). Blocking this port at a firewall typically provides some protection against exploit attempts with no or minimal disruption to the use of network print servers. For Linux hosts that are running LPRng for its local printing capabilities and are not network print servers, incoming TCP connections to port 515 should be blocked using the ipchains facility.

Hosts that have already been compromised via this lpd vulnerability may have syslog entries consisting of very long lines containing the string "Dispatch_input: bad request line". On the compromised host found, the /var/log/messages file showed over 600 connections to lpd over a period of less than 6 minutes, with each connection logged as:

  Nov 19 ##:##:## hostname SERVER[#####]: Dispatch_input: bad request line

followed by a few hundred bytes of additional data. This additional data was generated in part by the network input sent by the exploit program, and in part by lpd expanding format strings (e.g., %s or %p) contained in that network input. Because of this, the network input cannot be unambiguously recovered from the syslog data. The syslog lines typically ended with several dozen instances of "\220" (this is the value of the i386 NOP, more commonly written as 0x90).

Linux systems that are running a vulnerable version of the LPRng lpd and that have these syslog entries are very likely root compromised. With the vulnerable version, a root compromise also may have occurred without these syslog entries present, if syslog operations were not working or if the log files were altered by the intruder.

BindView's vulnerability assessment product, bv-Control for Internet Security (formerly named "HackerShield"), currently does not check for LPRng vulnerabilities; however, we will be adding that check soon.

Matt Power
BindView Corporation - http://razor.bindview.com/
mhpower () bos bindview com
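The syslog signature described in the message above, turned into a log-scanning check. This is an example added here for defenders assessing hosts; it is not part of the original post and not BindView's or LPRng's own code. It parses BSD-style /var/log/messages lines, flags "Dispatch_input: bad request line" entries, measures the trailing run of "\220" escapes (how syslog renders the 0x90 NOP byte) and counts format conversions in the logged data, and reports the densest burst of such connections inside a 6-minute window. The sample log lines, hostname, PIDs and payloads are constructed; the year 2000 and the threshold of 32 consecutive "\220" escapes are assumptions, not values from the post.

```python
"""Scan syslog lines for the LPRng lpd exploit signature: long
"Dispatch_input: bad request line" entries ending in runs of "\\220"
(octal 220 = 0x90, the i386 NOP), arriving as a burst of connections."""

import re
from datetime import datetime, timedelta

# Classic BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
BAD_REQUEST = "Dispatch_input: bad request line"
NOP_ESCAPE = "\\220"  # syslog writes byte 0x90 as the four literal characters \220
FORMAT_SPEC_RE = re.compile(r"%[-+ 0-9.]*[spxXdun]")  # C conversions such as %s, %p


def parse_syslog_line(line, year=2000):
    """Return a dict for one syslog line, or None if it does not fit the layout.
    Syslog omits the year; 2000 (the year of the incident) is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "tag": m.group("tag"),
            "pid": m.group("pid"), "msg": m.group("msg")}


def nop_run_length(msg):
    """Length of the longest run of consecutive "\\220" escapes in the message."""
    best = cur = i = 0
    while i < len(msg):
        if msg.startswith(NOP_ESCAPE, i):
            cur += 1
            i += len(NOP_ESCAPE)
            best = max(best, cur)
        else:
            cur = 0
            i += 1
    return best


def classify(entry, min_nops=32):
    """Describe a bad-request entry; None if the line is not one."""
    if BAD_REQUEST not in entry["msg"]:
        return None
    run = nop_run_length(entry["msg"])
    return {"nop_run": run,
            "format_specs": len(FORMAT_SPEC_RE.findall(entry["msg"])),
            "length": len(entry["msg"]),
            "nop_sled": run >= min_nops}  # min_nops is an assumed threshold


def max_burst(times, window=timedelta(minutes=6)):
    """Largest number of events falling inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, min_nops=32, window=timedelta(minutes=6)):
    """Summarize lpd bad-request activity found in the given log lines."""
    bad_requests, sleds = [], []
    for line in lines:
        entry = parse_syslog_line(line)
        info = classify(entry, min_nops) if entry else None
        if info is None:
            continue
        bad_requests.append(entry["ts"])
        if info["nop_sled"]:
            sleds.append(entry["ts"])
    return {"bad_requests": len(bad_requests),
            "nop_sled_lines": len(sleds),
            "max_burst_in_window": max_burst(bad_requests, window),
            "first": min(bad_requests) if bad_requests else None,
            "last": max(bad_requests) if bad_requests else None,
            "matches_exploit_signature": bool(sleds)}


# Constructed sample log (not real data): one benign lpd line, four entries with
# a NOP sled, and one short malformed request from a misbehaving client.
def _bad_line(ts, pid, payload):
    return f"{ts} victim SERVER[{pid}]: {BAD_REQUEST} '{payload}'"

SLED = NOP_ESCAPE * 40
SAMPLE_LOG = [
    "Nov 19 03:11:40 victim lpd[611]: lpd startup",
    _bad_line("Nov 19 03:12:07", 2101, "AAAA%s%s%p%p" + SLED),
    _bad_line("Nov 19 03:12:08", 2102, "AAAA%s%p" + SLED),
    _bad_line("Nov 19 03:12:09", 2103, "BBBB%p%p%p%p" + SLED),
    _bad_line("Nov 19 03:20:00", 2140, "CCCC%p%p" + SLED),
    _bad_line("Nov 19 11:05:33", 3311, "bogusclient"),
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it on a real /var/log/messages is a matter of passing `open(path)` to `analyze`. A single short bad-request line is ordinary client noise; what the post describes is many hundreds of long lines with NOP runs within minutes, so `nop_sled_lines` and `max_burst_in_window` are the fields to look at, and an absence of such lines on a still-vulnerable host proves nothing if logging was broken or the logs were altered.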
Current thread:
- LPRng remote root exploit seen in the wild Matt Power (Nov 24)
- Re: LPRng remote root exploit seen in the wild Russell Fulton (Nov 28)
- <Possible follow-ups>
- Re: LPRng remote root exploit seen in the wild Jens Hektor (Nov 29)