LPRng Incorrect Installation Permissions Vulnerability BID:1447
Bugtraq ID: 1447
Class: Configuration Error
CVE:
Remote: No
Local: Yes
Published: Jul 09 2000 12:00AM
Updated: Jul 09 2000 12:00AM
Credit: This vulnerability was disclosed to the Bugtraq mailing list on July 9, 2000 by Patrick Powell <[email protected]>
Vulnerable:
Patrick Powell LPRng 3.6.15, 3.6.14, 3.6.13, 3.6.12, 3.6.11, 3.6.10, 3.6.9, 3.6.8, 3.6.7, 3.6.6, 3.6.5, 3.6.4, 3.6.3, 3.6.2 and 3.6.1, each listed with the following platforms:
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- FreeBSD FreeBSD 3.5
- FreeBSD FreeBSD 3.4
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- HP HP-UX 10.34
- HP HP-UX 10.30
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- SGI IRIX 6.5
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 5.3
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
Not Vulnerable:
Patrick Powell LPRng 3.6.20, 3.6.19, 3.6.18, 3.6.17 and 3.6.16, each listed with the following platforms:
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- FreeBSD FreeBSD 3.5
- FreeBSD FreeBSD 3.4
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- HP HP-UX 10.34
- HP HP-UX 10.30
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- SGI IRIX 6.5
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 5.3
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
Discussion
A vulnerability exists in the default installation of LPRng, versions 3.6.1 through 3.6.15. In these installations the 'lpd' program is inadvertently installed setuid root, when it should only be owned by root and not be setuid. According to the author of LPRng, arbitrary users can append logging information to files using the -L option, provided all of the following conditions are true:
- The lpd server is not running
- lpd is installed setuid root
- Non-root users can execute lpd
- The file to be altered exists
- The file is writable by the user/group lpd runs as (daemon/daemon)
Files that can be appended to include files in the spool queues.
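An audit check for the file-permission conditions listed above (lpd setuid, owned by root, executable by non-root users), added here as an example and not taken from the advisory or from LPRng. The function name `audit_lpd`, its optional owner-uid argument and the default path `/usr/sbin/lpd` are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify an lpd binary against the advisory's
# file-permission conditions. Prints one of:
#   missing             path is not a regular file
#   ok                  setuid bit is not set (the state the advisory calls for)
#   setuid-other-owner  setuid, but not owned by the expected uid
#   restricted          setuid + expected owner, not executable by group/other
#   exposed             setuid + expected owner + executable by group/other
# The second argument (expected owner uid, default 0 = root) is an assumption
# of this example so the check can be exercised on files not owned by root.
audit_lpd() {
    path=$1
    owner_uid=${2:-0}

    if [ ! -f "$path" ]; then
        echo "missing"
        return 0
    fi
    if [ ! -u "$path" ]; then
        echo "ok"
        return 0
    fi

    # Numeric long listing: field 1 is the mode string, field 3 the owner uid.
    listing=$(ls -ldn -- "$path")
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')

    if [ "$uid" != "$owner_uid" ]; then
        echo "setuid-other-owner"
        return 0
    fi

    # Character 7 is group-execute (x or s), character 10 other-execute (x or t).
    group_x=$(printf '%s' "$mode" | cut -c7)
    other_x=$(printf '%s' "$mode" | cut -c10)
    case "$group_x$other_x" in
        *[xst]*) echo "exposed" ;;
        *)       echo "restricted" ;;
    esac
}

# Usage: the default path below is an assumed install location; set LPD_PATH
# to the path your package actually uses.
audit_lpd "${LPD_PATH:-/usr/sbin/lpd}"
```

A result of `exposed` means the binary matches the permission conditions in the list above; the remaining conditions (lpd not running, target file writable by daemon/daemon) are not checked here.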
Exploit / POC
See discussion for exploit information
Solution / Fix