Signature Detail

OS: Linux x86 LPRng Buffer Overflow

This signature detects attempts to exploit a known vulnerability in LPRng, an implementation of the Berkeley lpr print spooling utility for LINUX. The LPRng use_syslog() function returns user input to a string that is passed to syslog() as the format string. Attackers can send maliciously formed requests to corrupt execution flow.

Extended Description

LPRng is an implementation of the Berkeley lpr print spooling utility. LPRng contains a function, use_syslog(), that returns user input to a string in LPRng that is passed to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by entering malicious format specifiers. In testing this has been exploited to remotely elevate privileges. This vulnerability was tested on RedHat 7.0. Earlier versions are likely also be vulnerable, as well as other operating systems which ship with LPRng. (Please see http://www.redhat.com/support/errata/RHSA-2000-065-06.html for links to updated i386 and source packages.) If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Affected Products

• Caldera OpenLinux Desktop 2.3.0
• Caldera OpenLinux eBuilder 3.0.0
• Red Hat Linux 7.0.0
• SCO eDesktop 2.4.0
• SCO eServer 2.3.0
• Trustix Secure Linux 1.1.0
• Trustix Trustix Secure Linux 1.0.0
• Trustix Trustix Secure Linux 1.1.0

References

• BugTraq: 1712
• CVE: CVE-2000-0917
• URL: http://www.cert.org/advisories/CA-2000-22.html
• URL: http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
• URL: http://www.redhat.com/support/errata/RHSA-2000-065.html