Rlpr Advisory

[jaguar () felinemenace org]

                     _,'|             _.-''``-...___..--';)
                     /_ \'.      __..-' ,      ,--...--'''
                    <\    .`--'''       `     /'
                    `-';'               ;   ; ;
               __...--''     ___...--_..'  .;.'
           fL (,__....----'''       (,..--''  felinemenace.org

Program: rlprd 2.0.4
Impact: remote root
Discovered: jaguar
Writeup and exploits: Andrew Griffiths

1) Background

        It is a package that makes it possible (or at the very least, easier),
        to print files on remote sites to your local printer.  The rlpr
        package includes BSD-compatible replacements for `lpr', `lpq', and
        `lprm', whose functionality is a superset of their BSD counterparts.
        In other words, with the rlpr package, you can do everything you can
        do with the BSD printing commands, and more.  The programs contained
        within the rlpr package are all GPL'd, and are more lightweight,
        cleaner and more secure than their BSD counterparts.

        - From the rlprd README

2) Description

The logging function calls syslog without any format specifier. If user
supplied input is included as an argument, it will lead to a format string.

3) Notes

As a method of exploitation:-

On connection to the rlprd server, the server reads in a 64 byte max buffer.
The server attempts to resolve this supplied buffer and if it does not
successfully resolve it will call syslog with that as a string as part of a
parameter, which leads to a format string exploit.

4) Exploit

 www.felinemenace.org/exploits/rlprd.py


5) Vendor status/notes/fixes/statements

References:

http://www.nl.debian.org/security/2004/dsa-524