Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description
This signature detects the attempt to obtain root through the Berkeley LPR print spooler. This exploit is considered to be part of the Ramen and ADORE Internet Worms.
Additional Information
LPRng is an implementation of the Berkeley lpr print spooling utility. LPRng contains a function, use_syslog(), that places user input in a string which is then passed to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by entering malicious format specifiers. In testing, this has been exploited to remotely elevate privileges.
This vulnerability was tested on RedHat 7.0. Earlier versions are likely also vulnerable, as are other operating systems which ship with LPRng.
(Please see http://www.redhat.com/support/errata/RHSA-2000-065-06.html for links to updated i386 and source packages.)
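The flaw described above, reduced to its pattern, as an added example that is not LPRng's code and not part of the original advisory: `capture_log` is a hypothetical stand-in for syslog() that writes into a buffer, and the sample message is constructed. The harmless `%%` directive shows that the flawed call interprets untrusted text as a format string, while the corrected call logs it verbatim.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(): formats into a caller-supplied
 * buffer so the result can be inspected. Not LPRng code. */
static int capture_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: the untrusted message IS the format string. */
int log_flawed(char *out, size_t n, const char *untrusted)
{
    return capture_log(out, n, untrusted);
}

/* Corrected pattern, the shape of syslog(prio, "%s", msg):
 * constant format string, untrusted text passed only as data. */
int log_fixed(char *out, size_t n, const char *untrusted)
{
    return capture_log(out, n, "%s", untrusted);
}

/* Audit helper: returns 1 if s contains a '%' that starts anything
 * other than the literal "%%", i.e. a directive that would make a
 * printf-style function fetch arguments the caller never supplied. */
int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *msg = "queue 100%% full";   /* constructed sample input */
    char flawed[64], fixed[64];
    log_flawed(flawed, sizeof flawed, msg);
    log_fixed(fixed, sizeof fixed, msg);
    printf("flawed: %s\nfixed:  %s\n", flawed, fixed);
    return 0;
}
```

The flawed call collapses `%%` to `%`, which proves the input was parsed as a format string; any directive that `has_conversion` flags would be acted on in the same way.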
Affected
- Caldera OpenLinux Desktop 2.3
- Caldera OpenLinux eBuilder 3.0
- RedHat Linux 7.0
- SCO eDesktop 2.4
- SCO eServer 2.3
- Trustix Trustix Secure Linux 1.0, 1.1
Response
OpenLinux Desktop 2.3
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
3ad5e8e8ab42d2ed1cce0627ca2a0f45 RPMS/LPRng-3.5.3-3.i386.rpm
61f4d3aef6757c68ba73cc1cc8bbcf27 RPMS/LPRng-doc-3.5.3-3.i386.rpm
ebd7e8ec09ef4d92397f608b1125ff82 RPMS/LPRng-doc-ps-3.5.3-3.i386.rpm
c53c9a83c0791030297b6079d7b9fcd9 RPMS/LPRng-lpd-3.5.3-3.i386.rpm
d266aed344873c9ff6aab2a409d760b4 SRPMS/LPRng-3.5.3-3.src.rpm
OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
9cb7089adcadcf29ee2cb8268acc46c1 RPMS/LPRng-3.5.3-3.i386.rpm
77e9edbf336837a9957c3fc62167aee4 RPMS/LPRng-doc-3.5.3-3.i386.rpm
558a98c48558538bc15f86ca9a555e68 RPMS/LPRng-doc-ps-3.5.3-3.i386.rpm
62c39c60197447be1b4de85f81bcd5a0 RPMS/LPRng-lpd-3.5.3-3.i386.rpm
d266aed344873c9ff6aab2a409d760b4 SRPMS/LPRng-3.5.3-3.src.rpm
OpenLinux eDesktop 2.4
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
7ec1973e306bbcaa3e27b770b463e6fe RPMS/LPRng-3.5.3-3.i386.rpm
f373e0a2389c64e207b84293d2afc177 RPMS/LPRng-doc-3.5.3-3.i386.rpm
4560b0415dc7dbf7bde284173a49c6f6 RPMS/LPRng-doc-ps-3.5.3-3.i386.rpm
994f2204ba1e743725fe69cecb47dac5 RPMS/LPRng-lpd-3.5.3-3.i386.rpm
d266aed344873c9ff6aab2a409d760b4 SRPMS/LPRng-3.5.3-3.src.rpm
Users of Trustix Linux 1.1 should download a new version of LPRng available at:
Secure Linux: How to download
or:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
Filename:
* LPRng-3.6.24-1tr.i586.rpm
Trustix Trustix Secure Linux 1.0:
Trustix RPM nfs-utils-0.1.9.1-1tr.i586.rpm
Trustix RPM dump-0.4b19-2tr.i586.rpm
Trustix RPM rmt-0.4b19-2tr.i586.rpm
Trustix RPM openssh-2.3.0p1-1tr.i586.rpm
Trustix RPM openssh-clients-2.3.0p1-1tr.i586.rpm
Trustix RPM openssh-server-2.3.0p1-1tr.i586.rpm
Trustix RPM bind-8.2.2_P7-2tr.i586.rpm
Trustix RPM bind-devel-8.2.2_P7-2tr.i586.rpm
Trustix RPM bind-utils-8.2.2_P7-2tr.i586.rpm
Trustix RPM 1.0/1.1 LPRng-3.6.24-1tr.i586.rpm
Trustix Trustix Secure Linux 1.1:
Trustix RPM nfs-utils-0.1.9.1-1tr.i586.rpm
Trustix RPM apache-ssl-1.3.12_1.39-7tr.i586.rpm
Trustix RPM apache-ssl-1.3.12_1.39-7tr.src.rpm
Trustix RPM mailx-8.1.1-16.i586
Trustix RPM perl-5.00503-10tr.i586
Trustix RPM dump-0.4b19-2tr.i586.rpm
Trustix RPM rmt-0.4b19-2tr.i586.rpm
Trustix RPM openssh-2.3.0p1-1tr.i586.rpm
Trustix RPM openssh-clients-2.3.0p1-1tr.i586.rpm
Trustix RPM openssh-server-2.3.0p1-1tr.i586.rpm
Trustix RPM bind-8.2.2_P7-2tr.i586.rpm
Trustix RPM bind-devel-8.2.2_P7-2tr.i586.rpm
Trustix RPM bind-utils-8.2.2_P7-2tr.i586.rpm
Trustix RPM 1.0/1.1 LPRng-3.6.24-1tr.i586.rpm
SCO eServer 2.3:
Caldera RPM eServer 2.3: gpm-1.17.8-5
RPM eServer xpdf-0.91-3.i386
Caldera RPM eServer 2.3 bind-doc-8.2.2p7-1.i386.rpm
Caldera RPM eServer 2.3 bind-utils-8.2.2p7-1.i386.rpm
Caldera RPM eServer 2.3 bind-8.2.2p7-1.src.rpm
Caldera RPM eServer 2.3 bash-1.14.7-14.i386.rpm
Caldera RPM eServer 2.3 mgetty-1.1.22_Aug17-9.i386.rpm
Caldera RPM eDesktop 2.4 current LPRng-3.5.3-3.i386.rpm
Caldera RPM eServer 2.3/ eBuilder 3.0 current LPRng-3.5.3-3.i386.rpm
SCO eDesktop 2.4:
Helix Code Upgrade Caldera eDesktop 2.4: helix-update-0.6-0_helix_2
Caldera RPM eDesktop 2.4 bind-8.2.2p7-1.i386.rpm
Caldera RPM eDesktop 2.4 bind-doc-8.2.2p7-1.i386.rpm
Caldera RPM eDesktop 2.4 bind-utils-8.2.2p7-1.i386.rpm
Caldera RPM eDesktop 2.4 bind-8.2.2p7-1.src.rpm
Caldera RPM eDesktop 2.4 bash-1.14.7-14.i386.rpm
Caldera RPM eDesktop 2.4 mgetty-1.1.22_Aug17-9.i386.rpm
Caldera RPM eDesktop 2.4 dhcp-2.0b1pl29-2.i386.rpm
Caldera RPM eDesktop 2.4 mailx-8.1.1-12.i386.rpm
Caldera RPM eDesktop 2.4 vim-5.7-12.i386.rpm
Caldera RPM eDesktop 2.4 vim-X11-5.7-12.i386.rpm
Caldera RPM eDesktop 2.4 vim-help-5.7-12.i386.rpm
Caldera RPM eDesktop 2.4 samba-2.0.6-3.i386.rpm
Caldera RPM eDesktop 2.4 samba-doc-2.0.6-3.i386.rpm
Caldera RPM eDesktop 2.4 smbfs-2.0.6-3.i386.rpm
Caldera RPM eDesktop 2.4 swat-2.0.6-3.i386.rpm
Caldera RPM mutt-1.2.5-12.i386
Caldera OpenLinux Desktop 2.3:
Caldera RPM OpenLinux Desktop 2.3 bind-8.2.2p7-1.i386.rpm
Caldera RPM OpenLinux Desktop 2.3 bind-doc-8.2.2p7-1.i386.rpm
Caldera RPM OpenLinux Desktop 2.3 bind-utils-8.2.2p7-1.i386.rpm
Caldera RPM OpenLinux Desktop 2.3 bind-8.2.2p7-1.src.rpm
Caldera RPM ghostscript-5.10-16
Caldera RPM ghostscript-doc-5.10-16
Caldera RPM ghostscript-fonts-5.10-16
Caldera RPM Desktop 2.3 bash-1.14.7-14.i386.rpm
Caldera RPM OpenLinux Desktop 2.3 mgetty-1.1.22_Aug17-9.i386.rpm
Caldera RPM OpenLinux Desktop 2.3 dhcpd-1.0pl2-4.i386.rpm
Caldera OpenLinux eBuilder 3.0:
RPM eServer xpdf-0.91-3.i386
Caldera RPM eDesktop 2.4 current LPRng-3.5.3-3.i386.rpm
Caldera RPM eServer 2.3/ eBuilder 3.0 current LPRng-3.5.3-3.i386.rpm
Caldera RPM webmin-0.749-5.i386.rpm
Caldera RPM mutt-1.2.5-12.i386
RedHat Linux 7.0:
Red Hat Inc. RPM 7.0 i386 iputils-20001010-1.i386.rpm
OpenBSD Upgrade openssh-2.3.0p1.tar.gz
Red Hat Inc. RPM 7.0 i386 ncurses-5.2-2.i386.rpm
Red Hat Inc. RPM 7.0 i386 ncurses-devel-5.2-2.i386.rpm
Red Hat Inc. RPM 7.0 alpha ncurses-5.2-2.alpha.rpm
Red Hat Inc. RPM 7.0 alpha ncurses-devel-5.2-2.alpha.rpm
RedHat RPM 7.0 i386 LPRng-3.6.24-2.i386.rpm
Red Hat RPM 7.0 source gftp-2.0.8-1.src.rpm
RedHat RPM 7.0 alpha man-1.5i-4.alpha.rpm
RedHat RPM 7.0 i386 man-1.5i-4.i386.rpm
Red Hat RPM 7.0 alpha openssh-2.9p2-10.7.alpha.rpm
Red Hat RPM 7.0 alpha openssh-askpass-2.9p2-10.7.alpha.rpm
Red Hat RPM 7.0 alpha openssh-askpass-gnome-2.9p2-10.7.alpha.rpm
Red Hat RPM 7.0 alpha openssh-clients-2.9p2-10.7.alpha.rpm
Red Hat RPM 7.0 alpha openssh-server-2.9p2-10.7.alpha.rpm
Red Hat RPM 7.0 i386 openssh-2.9p2-10.7.i386.rpm
Red Hat RPM 7.0 i386 openssh-askpass-2.9p2-10.7.i386.rpm
Red Hat RPM 7.0 i386 openssh-askpass-gnome-2.9p2-10.7.i386.rpm
Red Hat RPM 7.0 i386 openssh-clients-2.9p2-10.7.i386.rpm
Red Hat RPM 7.0 i386 openssh-server-2.9p2-10.7.i386.rpm
Red Hat RPM util-linux-2.10m-12.7.0.i386.rpm
Red Hat RPM util-linux-2.10m-12.7.0.src.rpm
RedHat Upgrade tetex-1.0.7-8.3.src.rpm
RedHat RPM ypserv-2.5-2.7x.i386.rpm
RedHat RPM ypserv-2.5-2.7x.alpha.rpm
Red Hat Upgrade glibc-2.2.4-18.7.0.9.i386.rpm
Red Hat Upgrade glibc-common-2.2.4-18.7.0.9.i386.rpm
Red Hat Upgrade glibc-devel-2.2.4-18.7.0.9.i386.rpm
Red Hat Upgrade glibc-profile-2.2.4-18.7.0.9.i386.rpm
Red Hat Upgrade nscd-2.2.4-18.7.0.9.i386.rpm





