File: 302.txt

snort 2.9.7.0-5
Rule:

--
Sid: 301

--
Summary:
This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng on RedHat systems.

--
Impact:
System compromise, presenting the attacker with escalated system privileges.

--
Detailed Information:
LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successful exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root).

By sending specially crafted packets to the LPRng daemon listening on port 515, an attacker can overwrite arbitrary addresses in the lpd process address space, either to execute arbitrary code or to generate a segmentation violation.
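
The bug class described above, shown as an added example that is not LPRng's code or part of the original rule documentation: a logging wrapper that passes remote data in the format-string position, beside the corrected form. log_sink is a hypothetical stand-in for syslog(3), and the message text and input are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(3) with the same (priority, format, ...)
 * contract. It formats into a buffer so the result can be inspected
 * without a running syslog daemon. */
static char last_record[256];

static void log_sink(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(last_record, sizeof last_record, fmt, ap);
    va_end(ap);
}

/* Vulnerable wrapper pattern: the finished message, which contains remote
 * data, is passed where the format string belongs, so any '%' directive
 * in the data is interpreted by the formatter. */
static const char *log_vulnerable(int priority, const char *remote_data)
{
    char msg[200];
    snprintf(msg, sizeof msg, "lpd: bad request '%s'", remote_data);
    log_sink(priority, msg);            /* BUG: data used as format */
    return last_record;
}

/* Hardened wrapper: the format is a constant and the message is only ever
 * an argument, so '%' in remote data is logged verbatim. */
static const char *log_hardened(int priority, const char *remote_data)
{
    char msg[200];
    snprintf(msg, sizeof msg, "lpd: bad request '%s'", remote_data);
    log_sink(priority, "%s", msg);      /* FIX: constant format */
    return last_record;
}

int main(void)
{
    /* Constructed input. "%%" consumes no argument, so it shows the
     * interpretation without undefined behaviour. */
    const char *input = "queue 100%% full";
    printf("vulnerable: %s\n", log_vulnerable(3, input));
    printf("hardened:   %s\n", log_hardened(3, input));
    return 0;
}
```

The vulnerable path collapses "%%" to "%", which shows the remote data being parsed as a format string; the hardened path logs it unchanged.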

--
Attack Scenarios:
Exploit scripts are available.

--
Ease of Attack:
Simple. Exploits are available.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

Disallow access to LPRng port 515 from external sources using a packet filtering firewall.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Bugtraq:
http://www.securityfocus.com/bid/1712

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917

--