LPPlus Permissions DoS Vulnerabilities
BID:1643
Info
LPPlus Permissions DoS Vulnerabilities
| Bugtraq ID: | 1643 |
| Class: | Access Validation Error |
| CVE: |
CVE-2000-0879 CVE-2000-0880 |
| Remote: | No |
| Local: | Yes |
| Published: | Sep 06 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | This vulnerability was posted to bugtraq by Dixie Flatline <[email protected]> on Wed, 6 Sep 2000 |
| Vulnerable: |
Plus Technologies LPPlus 3.3 Plus Technologies LPPlus 3.2.2 |
| Not Vulnerable: | |
Discussion
LPPlus Permissions DoS Vulnerabilities
Vulnerability #1: Several files that are part of the LPPlus print management system are installed setuid root by default. These files include:
$LPHOME/bin/dccsched
$LPHOME/bin/dcclpdser
$LPHOME/bin/dccbkst
These start the scheduler, LPD server and network status daemons.
$LPHOME/bin/dccshut
$LPHOME/bin/dcclpdshut
$LPHOME/bin/dccbkstshut
These stop the same services.
By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group.
Vulnerability #2: $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. If a user replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process, then runs $LPHOME/bin/dcclpdshut, the combination of this file's permissions, and the fact that dcclpdshut is executable by any user, allows any user to send signal 2 (SIGINT) to, thereby shutting down, any process.
Vulnerability #1: Several files that are part of the LPPlus print management system are installed setuid root by default. These files include:
$LPHOME/bin/dccsched
$LPHOME/bin/dcclpdser
$LPHOME/bin/dccbkst
These start the scheduler, LPD server and network status daemons.
$LPHOME/bin/dccshut
$LPHOME/bin/dcclpdshut
$LPHOME/bin/dccbkstshut
These stop the same services.
By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group.
Vulnerability #2: $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. If a user replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process, then runs $LPHOME/bin/dcclpdshut, the combination of this file's permissions, and the fact that dcclpdshut is executable by any user, allows any user to send signal 2 (SIGINT) to, thereby shutting down, any process.
Solution / Fix
LPPlus Permissions DoS Vulnerabilities
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].