Date: Mon, 20 Apr 1998 13:57:42 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: freebsd-security@FreeBSD.ORG
Subject: Nasty security hole in "lprm" (fwd)
Message-ID: <Pine.BSF.3.96.980420135732.20071A-100000@fledge.watson.org>
Do we got this one?

Robert N Watson
Carnegie Mellon University          http://www.cmu.edu/
Trusted Information Systems         http://www.tis.com/
SafePort Network Services           http://www.safeport.com/
robert@fledge.watson.org            http://www.watson.org/~robert/

---------- Forwarded message ----------
Date: Sat, 18 Apr 1998 15:42:11 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Nasty security hole in "lprm"

Hi,

I've found a local->root compromise in the lprm program, as shipped with RedHat4.2 and RedHat5.0. Other systems untested.

There is a prerequisite to exploiting this, that a remote printer be defined (rm field). If trying to remove entries from a remote queue, the args given are basically strcat()'ed into a static buffer. Thus:

lprm -Psome_remote `perl -e 'print "a" x 2000'`
Segmentation fault

gdb confirms the program is attempting to execute code at 0x41414141.

Other potential problems include assumptions about host name max lengths, dubious /etc/printcap parsing (but it seems user defined printcap files are not allowed). There is also a blatant strcpy(buf, getenv("something")) but luckily it is #ifdef'ed out. File/filename handling looks iffy at times too.

It is scary that this was found in a mere 5 mins of auditing. I sincerely believe the BSD line printer system has no place on a secure system. When I get more time I might well look for other problems; I would not be surprised to find some.

The lpr package is in need of an audit. If the great folks at OpenBSD have already done this, maybe others should nab their source code :-)

Cheers
Chris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
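The strcat()-into-a-static-buffer pattern Chris describes, with a length-checked replacement beside it, as an added example in C (not lpr's own code and not from the advisory; the request format modelled here, the buffer size and the queue/user names are assumptions):

```c
#include <stddef.h>
#include <string.h>

#define REQSZ 512   /* assumed size of the fixed request buffer */

/* Unsafe pattern from the advisory: every argument is strcat()'ed into a
 * fixed buffer with no length check, so one 2000-byte argument overruns it.
 * Shown for comparison only; never call it on untrusted argv. */
static void build_request_unsafe(char *buf, const char *queue,
                                 const char *user, int argc, char **argv)
{
    strcpy(buf, "\005");          /* assumed: remove-jobs command byte */
    strcat(buf, queue);
    strcat(buf, " ");
    strcat(buf, user);
    for (int i = 0; i < argc; i++) {
        strcat(buf, " ");
        strcat(buf, argv[i]);     /* no bound: attacker-sized copy */
    }
    strcat(buf, "\n");
}

/* Append s to buf, tracking the used length; fail instead of overflowing. */
static int append(char *buf, size_t bufsz, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (n >= bufsz - *len)        /* keep room for the terminating NUL */
        return -1;
    memcpy(buf + *len, s, n + 1);
    *len += n;
    return 0;
}

/* Hardened form: returns 0 with the request in buf, or -1 (buf emptied)
 * when the arguments would not fit in bufsz bytes. */
int build_request_safe(char *buf, size_t bufsz, const char *queue,
                       const char *user, int argc, char **argv)
{
    size_t len = 0;
    if (bufsz == 0)
        return -1;
    buf[0] = '\0';
    int rc = append(buf, bufsz, &len, "\005") || append(buf, bufsz, &len, queue)
          || append(buf, bufsz, &len, " ") || append(buf, bufsz, &len, user);
    for (int i = 0; !rc && i < argc; i++)
        rc = append(buf, bufsz, &len, " ") || append(buf, bufsz, &len, argv[i]);
    if (!rc)
        rc = append(buf, bufsz, &len, "\n");
    if (rc)
        buf[0] = '\0';            /* fail closed: caller sends nothing */
    return rc ? -1 : 0;
}
```

The same 2000-byte argument that crashed lprm is simply rejected by the checked version, which is the behaviour an audit of the lpr code would aim for.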