CVE-1999-0032
published 1996-10-25CVE-1999-0032: Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification)…
PriorityP423high7.2CVSS 2.0
AVLACLAuNCCICAC
EXPLOIT
EPSS
1.00%
58.4th percentile
Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bsdi | bsd_os | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| next | nextstep | — | — |
| next | nextstep | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sgi | irix | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-j5x2-76rq-wcfx: Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classificati
ghsa_unreviewed·2022-05-03
CVE-1999-0032 [HIGH] GHSA-j5x2-76rq-wcfx: Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classificati
Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.
GHSA
GHSA-5jj5-vh28-7x64: DEPRECATED
ghsa_unreviewed·2022-04-30·CVSS 7.2
CVE-1999-0335 [HIGH] GHSA-5jj5-vh28-7x64: DEPRECATED
DEPRECATED. This entry has been deprecated. It is a duplicate of CVE-1999-0032.
No detection rules found.
Exploit-DB
BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - 'lpr' Buffer Overrun (1)
exploitdb·1996-10-25
CVE-1999-0335 BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - 'lpr' Buffer Overrun (1)
BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - 'lpr' Buffer Overrun (1)
---
/*
source: https://www.securityfocus.com/bid/707/info
BSD/OS 2.1,FreeBSD 2.1.5,NeXTstep 4.0/4.1,SGI IRIX 6.4,SunOS 4.1.3/4.1.4 lpr Buffer Overrun Vulnerability (1)
Due to insufficient bounds checking on arguments (in this case -C) which are supplied by users, it is possible to overwrite the internal stack space of the lpr program while it is executing. This can allow an intruder to cause lpr to execute arbitrary commands by supplying a carefully designed argument to lpr. These commands will be run with the privileges of the lpr program. When lpr is installed setuid or setgid, it may allow intruders to gain those privileges.
*/
#include
#include
#include
#define DEFAULT_OFFSET 50
#
Exploit-DB
BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - '/usr/bin/lpr' Buffer Overrun Privilege Escalation (2)
exploitdb·1996-10-25
CVE-1999-0335 BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - '/usr/bin/lpr' Buffer Overrun Privilege Escalation (2)
BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - '/usr/bin/lpr' Buffer Overrun Privilege Escalation (2)
---
/*
source: https://www.securityfocus.com/bid/707/info
Due to insufficient bounds checking on arguments (in this case -C) which are supplied by users, it is possible to overwrite the internal stack space of the lpr program while it is executing. This can allow an intruder to cause lpr to execute arbitrary commands by supplying a carefully designed argument to lpr. These commands will be run with the privileges of the lpr program. When lpr is installed setuid or setgid, it may allow intruders to gain those privileges.
*/
#include
#include
#include
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
void
No writeups or analysis indexed.
ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PXhttp://www.ciac.org/ciac/bulletins/i-042.shtmlhttp://www.securityfocus.com/bid/707ftp://patches.sgi.com/support/free/security/advisories/19980402-01-PXhttp://www.ciac.org/ciac/bulletins/i-042.shtmlhttp://www.securityfocus.com/bid/707
1996-10-25
Published