potential buffer overflow in lprm (fwd)

From: Dave Ahmad (daat_private)
Date: Wed Mar 05 2003 - 14:33:25 PST

Next message: John: "Re: BIND 9.2.2 Vulnerabilities?"

Previous message: Niels Bakker: "Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet"
Next in thread: noir sin: "Re: potential buffer overflow in lprm (fwd)"
Reply: noir sin: "Re: potential buffer overflow in lprm (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

David Mirza Ahmad
Symantec

"sabbe dhamma anatta"

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

attached mail follows:

A bounds check that was added to lprm in 1996 does its checking too late to be effective. Because of the insufficient check, it may be possible for a local user to exploit lprm to gain elevated privileges. It is not know at this time whether or not the bug is actually exploitable. Starting with OpenBSD 3.2, lprm is setuid user daemon which limits the impact of the bug. OpenBSD 3.1 and below however, ship with lprm setuid root so this is a potential localhost root hole on older versions of OpenBSD. The bug is fixed in OpenBSD-current as well as the 3.2 and 3.1 -stable branches. Patch for OpenBSD 3.1: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/023_lprm.patch Patch for OpenBSD 3.2: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch Thanks go to Arne Woerner for noticing this bug.

Next message: John: "Re: BIND 9.2.2 Vulnerabilities?"
Previous message: Niels Bakker: "Re: 3Com SuperStack 3 Firewall Content Filter Exploitable Via Telnet"
Next in thread: noir sin: "Re: potential buffer overflow in lprm (fwd)"
Reply: noir sin: "Re: potential buffer overflow in lprm (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 14:46:31 PST