Rlpr Advisory
_,'| _.-''``-...___..--';)
/_ \'. __..-' , ,--...--'''
<\ .`--''' ` /'
`-';' ; ; ;
__...--'' ___...--_..' .;.'
fL (,__....----''' (,..--'' felinemenace.org
Program: rlprd 2.0.4
Impact: remote root
Discovered: jaguar
Writeup and exploits: Andrew Griffiths
1) Background
It is a package that makes it possible (or at the very least, easier),
to print files on remote sites to your local printer. The rlpr
package includes BSD-compatible replacements for `lpr', `lpq', and
`lprm', whose functionality is a superset of their BSD counterparts.
In other words, with the rlpr package, you can do everything you can
do with the BSD printing commands, and more. The programs contained
within the rlpr package are all GPL'd, and are more lightweight,
cleaner and more secure than their BSD counterparts.
- From the rlprd README
2) Description
The logging function calls syslog without any format specifier. If user
supplied input is included as an argument, it will lead to a format string.
3) Notes
As a method of exploitation:-
On connection to the rlprd server, the server reads in a 64 byte max buffer.
The server attempts to resolve this supplied buffer and if it does not
successfully resolve it will call syslog with that as a string as part of a
parameter, which leads to a format string exploit.
4) Exploit
www.felinemenace.org/exploits/rlprd.py
5) Vendor status/notes/fixes/statements
References:
http://www.nl.debian.org/security/2004/dsa-524