Bugtraq mailing list archives

Re: LPRng remote root exploit


From: Jason Edgecombe <javaman () VNET NET>
Date: Fri, 15 Dec 2000 08:58:35 -0500

greetings,

  a workaround does exist to prevent this exploit in special cases.

add the following line to the beginning of /etc/lpd/perms:
REJECT SERVICE=X NOT IFIP=127.0.0.1/32

restart LPRng

This workaround is only valid on a machine that is NOT a print server. The
only reason I run LPRng is for local printing, so this works for me.

The output from running the exploit with this workaround in place:
--------begin output-----------------------
** LPRng remote root exploit coded by venomous of rdC **

constructing the buffer:

adding bytes for padding: 2
retloc: 0xbfffee30 + offset(0) == 0xbfffee30
adding resulting retloc(0xbfffee30)..
adding shellcode address(0xbffff640)
adding nops..
adding shellcode..
all is prepared.. now lets connect to something..
connecting to host.somewhere.com to port 515
connected!, sending the buffer...

KÂú}á1ÀþC°Í1ÀþÀÍèÿÿÿ/bin/shuófÍþû1À1C00$[%.9u%301$n%.192u%302$n1À1Û1ɳëg_

no connect permissions
---------------end output--------------------

The machine that I ran it against is a Redhat 7.0 box with all package
updates in place.
"rpm -q LPRng" yields:
LPRng-3.6.24-2


venomous wrote:

LPRng-3.6.22/23/24 remote root exploit, enjoy.
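To see why the single REJECT line above stops a remote connection before it ever reaches lpd's request handling, here is an added example, written for this archive page and not code from LPRng or from the poster: a deliberately simplified model of lpd.perms evaluation (rules checked in order, first match decides, unmatched connections accepted by default, and only the SERVICE, IFIP and REMOTEIP keys plus NOT modelled; all of that is an assumption about LPRng's real behaviour). The sample connections are constructed.

```python
import ipaddress

# Assumed perms file: the workaround line from the post followed by an
# explicit accept so the ordering matters. SERVICE=X is the connection
# itself; IFIP is the local interface address the connection arrived on.
PERMS = """
REJECT SERVICE=X NOT IFIP=127.0.0.1/32
ACCEPT SERVICE=X
"""

def _match_key(key, value, conn):
    """Match one KEY=VALUE token against a connection dict (simplified model)."""
    if key == "SERVICE":
        return conn["service"] in value.split(",")
    if key in ("IFIP", "REMOTEIP"):
        addr = ipaddress.ip_address(conn[key.lower()])
        return any(addr in ipaddress.ip_network(v, strict=False)
                   for v in value.split(","))
    raise ValueError(f"unsupported key {key}")

def _rule_matches(tokens, conn):
    """All tokens of a rule must match; NOT negates the token after it."""
    negate = False
    for tok in tokens:
        if tok == "NOT":
            negate = True
            continue
        key, _, value = tok.partition("=")
        hit = _match_key(key, value, conn)
        if negate:
            hit, negate = not hit, False
        if not hit:
            return False
    return True

def evaluate(perms, conn):
    """Return the action of the first matching rule, ACCEPT if none match."""
    for line in perms.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, *tokens = line.split()
        if _rule_matches(tokens, conn):
            return action
    return "ACCEPT"

# Constructed sample connections: one over loopback, one from the network.
LOCAL  = {"service": "X", "ifip": "127.0.0.1",  "remoteip": "127.0.0.1"}
REMOTE = {"service": "X", "ifip": "192.0.2.10", "remoteip": "198.51.100.7"}

def workaround_holds(perms=PERMS):
    """True when loopback is still accepted and any non-loopback connect is rejected."""
    return evaluate(perms, LOCAL) == "ACCEPT" and evaluate(perms, REMOTE) == "REJECT"
```

Swapping the two rules, or dropping the NOT, makes workaround_holds() return False, which is the check worth running against a real lpd.perms edit before trusting it.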

