Thread: lpd exploit (Solaris)

  1. #1
    Junior Member
    Join Date
    Aug 2001
    Posts
    3

    Question lpd exploit (Solaris)

    There seems to be a clever lpd exploit around which works at least on Solaris.
    It seems to work in two phases.
    First it misuses local mail to listen on port 1524 using a special mail.cf and then it installs a shell listening on port 37777.
    It needs an active cc.
    Does somebody know something about it, is the code known?

  2. #2
    Sorry, I don't think the code is known, but it's worth checking out. I'll let you know if I find something.

  3. #3
    Junior Member
    Join Date
    Dec 2001
    Posts
    6
    Unfortunately lpd exploits have plagued the Unix world for decades. They come in a variety of delivery methods and have targeted specific versions and implementations over the years. I believe Red Hat had the nastiest one a couple of years ago.

    My particular issue with Solaris has always been that they are about as slow as MS in fixing/patching such problems. Don't get me wrong, Solaris is an outstanding OS. I choose to use Linux and FreeBSD though because being a security-conscious guy, the maintainers and 3rd party solution providers are more on top of the issues as they happen. Less than two hours for the patch to the Linux kernel that prevented the receipt of a `ping of death' attack (packet greater than 65536 bytes).
    unNamed-Player

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    blame BSD for the LPD problems....it's their system........
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  5. #5
    Junior Member
    Join Date
    Aug 2001
    Posts
    3
    Originally posted by hogfly
    blame BSD for the LPD problems....it's their system........
    The problem is that it's not. Solaris made its own implementation of the lpd protocol. Therefore it seems to be still vulnerable, even after the BSD problem has been solved.
    According to our investigations it can be fooled by using a TAB to send a control file to sendmail. The crude Solaris fix just translates SP into "_ ", instead of using a secure system call.
    I'll inform when we know more.

    -> It seems to be wise to protect solaris systems from access over port 515.

  6. #6
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    their own implementation yes...off of a BSD base.....but that isn't the point..

    this sounds very interesting, please do keep us informed, especially if it turns out to be substantial.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
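
An added example, not part of any post in this thread: a Python check that parses Solaris-style `netstat -an -P tcp` output and flags listeners on the two ports the posters name (1524 and 37777), plus an lpd port 515 bound to a non-loopback address. The sample output is constructed and the function names are hypothetical.

```python
import re

# Ports named in the thread: 515 is the lpd service itself; 1524 and 37777
# are where the posters say the exploit leaves a listener.
LPD_PORT = 515
BACKDOOR_PORTS = {1524, 37777}

# Constructed sample in the layout of Solaris `netstat -an -P tcp`
# (address and port joined by a dot); not captured from a real host.
SAMPLE = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.515                *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
      *.1524               *.*                0      0 49152      0 LISTEN
      *.37777              *.*                0      0 49152      0 LISTEN
192.0.2.10.22        198.51.100.7.40112   64240      0 49640      0 ESTABLISHED
"""

# Local address is "<addr>.<port>"; the last dot separates the port.
ROW = re.compile(r"^\s*(\S+)\.(\d+)\s+\S+\s.*\bLISTEN\s*$")

def listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), int(m.group(2))

def findings(netstat_text):
    """Return sorted (port, address, reason) tuples worth investigating."""
    out = []
    for addr, port in listeners(netstat_text):
        if port in BACKDOOR_PORTS:
            out.append((port, addr, "listener on a port named in the thread"))
        elif port == LPD_PORT and not addr.startswith("127."):
            out.append((port, addr, "lpd reachable from the network; filter 515"))
    return sorted(out)

if __name__ == "__main__":
    for port, addr, reason in findings(SAMPLE):
        print(f"{addr}.{port}: {reason}")
```

A hit on 1524 or 37777 is only a lead: confirm which process owns the socket before drawing conclusions.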
