DGUX lpsched buffer overflow

Type securityvulns
Reporter Securityvulns
Modified 2001-03-21T00:00:00


Hi there!

There's a vulnerability in DG's UNIX implementation (DGUX), version R4.20MU06 and MU02 (ia32 arch).

The problem is when a very long, non-existant, printer name is passed to the program lpsched. It tries to format an error message and then the buffer overflow occurs...

Data General was told about the vulnerability over almost two years ago (as the computer department of my university, Universidade do Minho, Portuga). Or at least I tried to, but didn't get an answer from any email address I tried.

I didn't post this to bugtraq before because I forgot about it. Brownsing from old archives of mine I found this and decided to post it.

How to exploit: - Use the attached exploit program like this: ./squash-dgux-x86 29000 /usr/lib/lp/lpsched -S EGG (if the 29000 doesn't work, try 27428 or other numbers) - Details of the shell code and the vulnerability can be found in http://strange.nsk.yi.org/squash-dgux-x86/ - Unfortunantely I have no longer access to a DGUX system, so I can't find more vulnerabilities...

Fix: - chmod -s /usr/lib/lp/lpsched - switch to a better UNIX like system (sorry, dgux people)

hugs Luciano Rocha