[mhpower@bos.bindview.com: LPRng: LPRng remote root exploit seen in the wild]

G'day Security Dudez,
  I thought I would forward this email along in case you hear about it
from somewhere else and start to fret.

This bug was fixed in 3.6.24-3 and also some version of potato though
there hasn't been a security alert about it yet :/

So we're ok, if a little slow on telling people we are.

  - Craig
    Debian LPRng maintainer

  ----- Forwarded message from Matt Power <mhpower@bos.bindview.com> -----

Delivered-To: csmall@small.dropbear.id.au
Date: Wed, 22 Nov 2000 16:51:30 -0500
From: Matt Power <mhpower@bos.bindview.com>
To: incidents@securityfocus.com, lprng@lprng.com
Subject: LPRng: LPRng remote root exploit seen in the wild
Precedence: bulk
Reply-To: lprng@lprng.com
X-Sorted: LPRng

On November 19, a Red Hat 7.0 i386 Linux system was found to be root
compromised, with the lpd from the LPRng-3.6.22-5 package as the
apparent point of entry. Specifically, it is thought that the
intruder had possession of a remote-root exploit program for the LPRng
vulnerability described at


As far as I know, there is no publicly available exploit for this
vulnerability (i.e., it is being held privately by its authors and by
the intruders who are using it). Also, this lpd is typically run by
default on Red Hat 7.0 systems (and on some other Linux systems), and
thus the number of vulnerable hosts is likely very large. We have not
seen the exploit program that was used and are positing its existence
based on syslog information (detailed below) and based on the set of
network daemons in use on the compromised host.

Although we know of only one instance so far of a break-in via this
lpd, BindView Corporation recommends that the threat be addressed
quickly by means of installing patches, blocking network access to
lpd, and assessing whether hosts have already been compromised. (The
one compromised Linux host that we know of was, incidentally, located
at an "edu" site and did not have any association with BindView or
with any current or previous BindView employee or contractor.)

Information about this LPRng vulnerability, along with some patch
references, can be found at http://www.securityfocus.com/bid/1712

Availability of patched LPRng software from operating-system vendors
has been announced over the past two months (e.g., see
http://www.securityfocus.com/bugtraq/archive or appropriate
vendor-specific security resources). For LPRng software that is not
part of a vendor operating system, see http://www.astart.com/LPRng/

For sites that potentially have remaining unpatched LPRng
installations (even if only for the next few days), BindView
recommends configuring Internet access equipment to block inbound TCP
connection attempts to port 515 on internal hosts. TCP port 515 is
used to connect to lpd for submission and management of print jobs;
TCP port 515 is also used by the exploit program. Depending on the
site, legitimate inbound TCP connections to port 515 either never
occur (the most common situation), or occur only for a small number of
destination hosts (known print servers). Blocking this port at a
firewall typically provides some protection against exploit attempts
with no or minimal disruption to the use of network print servers.

For Linux hosts that are running LPRng for its local printing
capabilities and are not network print servers, incoming TCP
connections to port 515 should be blocked using the ipchains facility.

Hosts that have already been compromised via this lpd vulnerability
may have syslog entries consisting of very long lines containing the
string "Dispatch_input: bad request line". On the compromised host
found, the /var/log/messages file showed over 600 connections to lpd
over a period of less than 6 minutes, with each connection logged as:

  Nov 19 ##:##:## hostname SERVER[#####]: Dispatch_input: bad request line

followed by a few hundred bytes of additional data. This additional
data was generated in part by the network input sent by the exploit
program, and in part by lpd expanding format strings (e.g., %s or %p)
contained in that network input. Because of this, the network input
cannot be unambiguously recovered from the syslog data. The syslog
lines typically ended with several dozen instances of "\220" (this is
the value of the i386 NOP, more commonly written as 0x90).

Linux systems that are running a vulnerable version of the LPRng lpd
and that have these syslog entries are very likely root compromised.
With the vulnerable version, a root compromise also may have occurred
without these syslog entries present, if syslog operations were not
working or if the log files were altered by the intruder.

BindView's vulnerability assessment product, bv-Control for Internet
Security (formerly named "HackerShield"), currently does not check for
LPRng vulnerabilities; however, we will be adding that check soon.

Matt Power
BindView Corporation - http://razor.bindview.com/

----- End forwarded message -----

Craig Small VK2XLZ  GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.eye-net.com.au/        <csmall@eye-net.com.au>
MIEEE <csmall@ieee.org>                 Debian developer <csmall@debian.org>
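Detection logic for the syslog pattern the forwarded advisory describes, as an added example that is not part of the original mail and not LPRng or BindView code: it parses constructed /var/log/messages-style lines, tags each "Dispatch_input: bad request line" entry with the indicators the advisory names (format directives, a trailing run of "\220", unusual length) and counts how many of those fall inside a six-minute window per host. The hostname, PIDs, timestamps and payload are made up, and the window and burst thresholds are assumptions.

```python
import re
from collections import deque
from datetime import datetime
MARKER = "Dispatch_input: bad request line"
# Syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"[^\[ ]+\[\d+\]: (?P<msg>.*)$")
INDICATORS = {
    "format-directives": re.compile(r"%[0-9$.\-]*[spnxdu]"),  # %s, %p, ... echoed by lpd
    "nop-sled": re.compile(r"(?:\\220){8,}"),                 # run of syslog-escaped 0x90
    "long-line": re.compile(r".{200,}"),                      # "very long lines"
}

# Constructed sample excerpt (hostname, PIDs, timestamps and payload are made up):
# two harmless lines, then 300 bad requests in five minutes shaped as the advisory describes.
NOP_TAIL = "\\220" * 60
SAMPLE_LOG = [
    "Nov 19 02:58:01 printhost lpd[1201]: lpd: Starting print server",
    f"Nov 19 03:10:12 printhost lpd[1407]: {MARKER} 'PING'",
] + [
    f"Nov 19 03:{11 + i // 60:02d}:{i % 60:02d} printhost lpd[{2000 + i}]: "
    f"{MARKER} 'AAAA%p%p%p%s{NOP_TAIL}'"
    for i in range(300)
]

def classify(line, year=2000):
    """Return (timestamp, host, indicator set) for a bad-request line, else None."""
    m = LINE_RE.match(line)
    if not m or MARKER not in m["msg"]:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    payload = m["msg"].split(MARKER, 1)[1]
    return ts, m["host"], {name for name, rx in INDICATORS.items() if rx.search(payload)}

def analyze(lines, window_sec=360, burst=100):
    """Per host: suspicious bad-request count, peak count in a window_sec window, verdict."""
    report, events = {}, [e for e in map(classify, lines) if e and e[2]]
    for ts, host, indicators in sorted(events, key=lambda e: e[0]):
        r = report.setdefault(host, {"suspicious": 0, "max_burst": 0,
                                     "indicators": set(), "window": deque()})
        r["suspicious"] += 1
        r["indicators"] |= indicators
        r["window"].append(ts)
        while (ts - r["window"][0]).total_seconds() > window_sec:  # age out old events
            r["window"].popleft()
        r["max_burst"] = max(r["max_burst"], len(r["window"]))
    for r in report.values():
        r.pop("window")
        r["likely_compromised"] = r["max_burst"] >= burst
    return report
```

A host that shows the indicators but never reaches the burst threshold is still reported, so the verdict can be reviewed by hand rather than trusted blindly; as the advisory notes, a missing or altered log proves nothing either way.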

