Category: OS (UNIX) > lprm
Vendors: OpenBSD
OpenBSD 'lprm' Buffer Overflow May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1006224
SecurityTracker URL: http://securitytracker.com/id/1006224
CVE Reference: CVE-2003-0144
Date: Mar 5 2003
Impact: Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): OpenBSD 3.2, 3.1, and prior versions
Description:   A buffer overflow was reported in the lprm utility for OpenBSD. A local user may be able to execute arbitrary code with elevated privileges.

According to the report, a bounds check fix added to the program back in 1996 was ineffective. A local user may be able to cause arbitrary code to be executed.

The code will run with the privileges of lprm. In OpenBSD 3.1 and prior versions, lprm is configured with set user id (setuid) root privileges. In OpenBSD 3.2, lprm is configured with setuid daemon privileges.

The report indicates that it is not known whether the flaw is exploitable in practice or not.

The vendor credits Arne Woerner for reporting the flaw.

Impact:   A local user may be able to execute arbitrary code with elevated privileges. The specific privileges depend on the version of OpenBSD (setuid root in 3.1 and prior; setuid daemon in 3.2).
Solution:   The vendor has released a fix in OpenBSD-current and in the 3.2 and 3.1 -stable branches.

Patches are also available:

Patch for OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/023_lprm.patch

Patch for OpenBSD 3.2:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch

Vendor URL: www.openbsd.org/
Cause:   Boundary error
Underlying OS:  UNIX (OpenBSD)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Exploit Code is Available) Re: OpenBSD 'lprm' Buffer Overflow May Let Local Users Gain Elevated Privileges
Exploit code has been released.
(SuSE Issues Fix) lprold 'lprm' Buffer Overflow May Let Local Users Gain Elevated Privileges
SuSE has released a fix.
(Debian Issues Fix for lpr-ppd Package) 'lprm' Buffer Overflow May Let Local Users Gain Elevated Privileges
Debian has released a fix.
(SGI Issues Fix for 'bsdlpr' on IRIX) Re: OpenBSD 'lprm' Buffer Overflow May Let Local Users Gain Elevated Privileges
SGI issues a fix for bsdlpr on IRIX.



 Source Message Contents

Subject:  potential buffer overflow in lprm


A bounds check that was added to lprm in 1996 does its checking too
late to be effective.  Because of the insufficient check, it may
be possible for a local user to exploit lprm to gain elevated
privileges.  It is not known at this time whether or not the bug is
actually exploitable.

Starting with OpenBSD 3.2, lprm is setuid user daemon which limits
the impact of the bug.  OpenBSD 3.1 and below however, ship with
lprm setuid root so this is a potential localhost root hole on older
versions of OpenBSD.

The bug is fixed in OpenBSD-current as well as the 3.2 and 3.1
-stable branches.

Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/023_lprm.patch

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch

Thanks go to Arne Woerner for noticing this bug.
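
The advisory attributes the flaw to a bounds check that runs too late to be effective. The following is an added illustration of that bug class, not code from lprm or from the OpenBSD patches; the names (struct dest, copy_late_check, copy_early_check, spill) and the 8-byte limit are hypothetical, and the destination carries spare backing storage so the stray writes can be counted without leaving the array.

```c
#include <stdio.h>
#include <string.h>
#define CAP      8     /* logical buffer size the check is meant to enforce */
#define SLACK    56    /* spare backing storage so this demo stays in bounds */
#define SENTINEL 0xAA  /* fill value used to detect stray writes */
struct dest { unsigned char store[CAP + SLACK]; };

static void dest_reset(struct dest *d) { memset(d->store, SENTINEL, sizeof d->store); }

/* Number of bytes modified beyond the logical end of the buffer. */
size_t spill(const struct dest *d)
{
    size_t i, n = 0;
    for (i = CAP; i < sizeof d->store; i++)
        if (d->store[i] != SENTINEL) n++;
    return n;
}

/* Late check: the data is written first and the limit is tested afterwards. */
int copy_late_check(struct dest *d, const char *src)
{
    size_t n = strlen(src);
    dest_reset(d);
    if (n > sizeof d->store - 1) n = sizeof d->store - 1; /* demo guard only */
    memcpy(d->store, src, n);
    d->store[n] = '\0';
    return (n + 1 > CAP) ? -1 : 0;  /* error reported, bytes already written */
}

/* Early check: oversized input is rejected before any byte is stored. */
int copy_early_check(struct dest *d, const char *src)
{
    size_t n = strlen(src);
    dest_reset(d);
    if (n + 1 > CAP) return -1;
    memcpy(d->store, src, n + 1);
    return 0;
}

int main(void)
{
    struct dest d;
    const char *in = "ABCDEFGHIJKL";  /* constructed 12-byte input */
    int r = copy_late_check(&d, in);
    printf("late:  rc=%d spill=%zu\n", r, spill(&d));
    r = copy_early_check(&d, in);
    printf("early: rc=%d spill=%zu\n", r, spill(&d));
    return 0;
}
```

Both functions return an error for the oversized input; only the spill count shows that the late check let bytes land past the limit before it fired.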



 
 

