Vulnerabilities > CVE-2000-0917

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

caldera

redhat

trustix

critical

nessus

exploit available

metasploit

NVD

Published: 2000-12-19

Updated: 2017-10-10

Summary

Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands.

Vulnerable Configurations

Part	Description	Count
Application	Caldera Caldera Openlinux Ebuilder 3.0	1
OS	Caldera Caldera Openlinux * Caldera Openlinux Edesktop 2.4 Caldera Openlinux Eserver 2.3	3
OS	Redhat Redhat Linux 7.0	1
OS	Trustix Trustix Secure Linux 1.0 Trustix Secure Linux 1.1	2

Exploit-Db

description	LPRng 3.6.22/23/24 Remote Root Exploit. CVE-2000-0917. Remote exploit for linux platform
id	EDB-ID:226
last seen	2016-01-31
modified	2000-12-11
published	2000-12-11
reporter	sk8
source	https://www.exploit-db.com/download/226/
title	LPRng 3.6.22/23/24 - Remote Root Exploit

description	LPRng (RedHat 7.0) lpd Remote Root Format String Exploit. CVE-2000-0917. Remote exploit for linux platform
id	EDB-ID:227
last seen	2016-01-31
modified	2000-12-11
published	2000-12-11
reporter	DiGiT
source	https://www.exploit-db.com/download/227/
title	LPRng RedHat 7.0 lpd Remote Root Format String Exploit

description	LPRng 3.6.24-1 Remote Root Exploit. CVE-2000-0917. Remote exploit for linux platform
id	EDB-ID:230
last seen	2016-01-31
modified	2000-12-15
published	2000-12-15
reporter	VeNoMouS
source	https://www.exploit-db.com/download/230/
title	LPRng 3.6.24-1 - Remote Root Exploit

description	LPRng use_syslog Remote Format String Vulnerability. CVE-2000-0917. Remote exploit for linux platform
id	EDB-ID:16842
last seen	2016-02-02
modified	2010-07-03
published	2010-07-03
reporter	metasploit
source	https://www.exploit-db.com/download/16842/
title	LPRng use_syslog Remote Format String Vulnerability

Metasploit

description	This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as "7.0-respin".
id	MSF:EXPLOIT/LINUX/MISC/LPRNG_FORMAT_STRING
last seen	2020-05-22
modified	2017-07-24
published	2010-02-17
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917 http://www.cert.org/advisories/CA-2000-22.html https://bugzilla.redhat.com/show_bug.cgi?id=17756
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/lprng_format_string.rb
title	LPRng use_syslog Remote Format String Vulnerability

Nessus

NASL family	Gain a shell remotely
NASL id	LPRNG.NASL
description	LPRng seems to be running on this port. Versions of LPRng prior to 3.6.24 are missing format string arguments in at least two calls to
last seen	2020-06-01
modified	2020-06-02
plugin id	10522
published	2000-10-01
reporter	This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/10522
title	LPRng use_syslog() Remote Format String Arbitrary Command Execution
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(10522); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_cve_id("CVE-2000-0917"); script_bugtraq_id(1712); script_xref(name:"CERT", value:"382365"); script_name(english:"LPRng use_syslog() Remote Format String Arbitrary Command Execution"); script_summary(english:"Checks for a vulnerable version of LPRng"); script_set_attribute(attribute:"synopsis", value:"The remote print service is affected by format string vulnerabilities."); script_set_attribute(attribute:"description", value: "LPRng seems to be running on this port. Versions of LPRng prior to 3.6.24 are missing format string arguments in at least two calls to 'syslog()' that handle user-supplied input. Using specially crafted input with format strings, an unauthenticated, remote attacker may be able to leverage these issues to execute arbitrary code subject to the privileges under which the service operates, typically 'root'. Note that Nessus has not determined that the remote installation of LPRng is vulnerable, only that it is listening on this port."); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Sep/432"); script_set_attribute(attribute:"solution", value:"Upgrade, if necessary, to LPRng version 3.6.25."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'LPRng use_syslog Remote Format String Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2000/09/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2000/10/01"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:caldera:openlinux_ebuilder"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc."); script_family(english:"Gain a shell remotely"); script_dependencie("find_service1.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports(515); exit(0); } include("audit.inc"); include("global_settings.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); if (get_port_state(515)) { soc = open_sock_tcp(515); if(soc) { snd = raw_string(9)+ string("lp") + raw_string(0x0A); send(socket:soc, data:snd); r = recv(socket:soc, length:1024); if("SPOOLCONTROL" >< r) { security_hole(515); } } }

Packetstorm

data source	https://packetstormsecurity.com/files/download/86422/lprng_format_string.rb.txt
id	PACKETSTORM:86422
last seen	2016-12-05
published	2010-02-17
reporter	jduck
source	https://packetstormsecurity.com/files/86422/LPRng-use_syslog-Remote-Format-String-Vulnerability.html
title	LPRng use_syslog Remote Format String Vulnerability

Redhat

advisories

rhsa

id	RHSA-2000:065

Vulnerabilities > CVE-2000-0917 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2000-0917"}]}

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Packetstorm

Redhat

References

Vulnerabilities > CVE-2000-0917