From owner-freebsd-security Mon Apr 20 10:58:32 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA24548 for freebsd-security-outgoing; Mon, 20 Apr 1998 10:58:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@FLEDGE.RES.CMU.EDU [128.2.91.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA24441 for ; Mon, 20 Apr 1998 17:58:03 GMT (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id NAA20113 for ; Mon, 20 Apr 1998 13:57:42 -0400 (EDT)
Date: Mon, 20 Apr 1998 13:57:42 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: freebsd-security@FreeBSD.ORG
Subject: Nasty security hole in "lprm" (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Do we have this one?

Robert N Watson

---- 
Carnegie Mellon University            http://www.cmu.edu/
Trusted Information Systems           http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

---------- Forwarded message ----------
Date: Sat, 18 Apr 1998 15:42:11 +0100
From: Chris Evans
To: BUGTRAQ@NETSPACE.ORG
Subject: Nasty security hole in "lprm"

Hi,

I've found a local->root compromise in the lprm program, as shipped with RedHat 4.2 and RedHat 5.0. Other systems untested.

There is a prerequisite to exploiting this: a remote printer must be defined (rm field). If trying to remove entries from a remote queue, the args given are basically strcat()'ed into a static buffer.

Thus:

    lprm -Psome_remote `perl -e 'print "a" x 2000'`
    Segmentation fault

gdb confirms the program is attempting to execute code at 0x41414141.

Other potential problems include assumptions about host name max lengths and dubious /etc/printcap parsing (but it seems user-defined printcap files are not allowed). There is also a blatant strcpy(buf, getenv("something")), but luckily it is #ifdef'ed out. File/filename handling looks iffy at times too.

It is scary that this was found in a mere 5 mins of auditing. I sincerely believe the BSD line printer system has no place on a secure system. When I get more time I might well look for other problems; I would not be surprised to find some.

The lpr package is in need of an audit. If the great folks at OpenBSD have already done this, maybe others should nab their source code :-)

Cheers
Chris
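The bug class Chris describes, unbounded strcat() of user-controlled arguments into a fixed-size static buffer, is easy to reproduce and to fix. The following C is an added example written for this page; it is not the lprm source and does not reproduce lpr's actual code. It assumes a simplified framing of the RFC 1179 "remove jobs" request (opcode byte 5, queue name, then the arguments) and a hypothetical 1024-byte buffer; the vulnerable routine is shown for comparison and the stand-alone main only ever calls it with short input, while request_len_needed() shows how far a 2000-byte argument would overrun without actually triggering undefined behaviour. The hardened variant takes a caller-supplied capacity and refuses anything that does not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 1024   /* assumed size of the fixed buffer; the real one is not given on the page */

/* The pattern described in the post: each argument is strcat()'ed into a
 * static buffer with no length check. With long arguments this writes past
 * the end of buf (undefined behaviour); on the reported system the saved
 * return address ended up as 0x41414141, i.e. 'a' bytes from the argument. */
static char buf[BUFSZ];
const char *build_request_unsafe(const char *printer, char **args, int n) {
    strcpy(buf, "\5");            /* RFC 1179 "remove jobs" opcode (framing simplified) */
    strcat(buf, printer);
    for (int i = 0; i < n; i++) { strcat(buf, " "); strcat(buf, args[i]); }
    strcat(buf, "\n");
    return buf;
}

/* Bytes (including the terminating NUL) the unsafe routine would write,
 * so an overflow can be demonstrated without performing it. */
size_t request_len_needed(const char *printer, char **args, int n) {
    size_t need = 1 + strlen(printer) + 1 + 1;   /* opcode, printer, '\n', NUL */
    for (int i = 0; i < n; i++) need += 1 + strlen(args[i]);
    return need;
}

/* Bounded append: 0 on success, -1 if src (plus NUL) would not fit in cap. */
static int append_bounded(char *dst, size_t cap, const char *src) {
    size_t used = strlen(dst), len = strlen(src);
    if (len >= cap - used) return -1;
    memcpy(dst + used, src, len + 1);
    return 0;
}

/* Hardened version: same output, but the caller supplies the buffer and its
 * capacity; returns 0 on success, -1 (and an empty buffer) if anything does
 * not fit. Oversized input is rejected instead of corrupting memory. */
int build_request_safe(char *out, size_t cap, const char *printer, char **args, int n) {
    if (cap == 0) return -1;
    out[0] = '\0';
    if (append_bounded(out, cap, "\5") || append_bounded(out, cap, printer)) goto fail;
    for (int i = 0; i < n; i++)
        if (append_bounded(out, cap, " ") || append_bounded(out, cap, args[i])) goto fail;
    if (append_bounded(out, cap, "\n")) goto fail;
    return 0;
fail:
    out[0] = '\0';
    return -1;
}

/* Returns 1 when an argument of arglen 'a' bytes would overflow the unsafe
 * buffer AND the safe builder refuses it; 0 otherwise; -1 on allocation failure. */
int long_arg_rejected(size_t arglen) {
    char *a = malloc(arglen + 1);
    if (!a) return -1;
    memset(a, 'a', arglen); a[arglen] = '\0';      /* constructed input: 'a' x arglen */
    char *args[1] = { a };
    char out[BUFSZ];
    int overflow = request_len_needed("some_remote", args, 1) > BUFSZ;
    int rc = build_request_safe(out, sizeof out, "some_remote", args, 1);
    free(a);
    return overflow && rc == -1;
}

/* Returns 1 when ordinary short arguments still produce the expected request. */
int short_arg_accepted(void) {
    char *args[2] = { "robert", "123" };            /* constructed: user and job number */
    char out[BUFSZ];
    if (build_request_safe(out, sizeof out, "some_remote", args, 2) != 0) return 0;
    return strcmp(out, "\5some_remote robert 123\n") == 0;
}

int main(void) {
    char *args[2] = { "robert", "123" };
    printf("unsafe (short input only): %s", build_request_unsafe("some_remote", args, 2));
    printf("2000-byte arg: needs %zu bytes, buffer is %d, rejected=%d\n",
           request_len_needed("some_remote", (char *[]){ "" }, 0) + 2001, BUFSZ,
           long_arg_rejected(2000));
    return 0;
}
```

The check that matters is in append_bounded(): remaining capacity is compared against the source length before any byte is copied, and failure leaves the buffer empty rather than partially filled, so a caller cannot send a truncated request by mistake. The same shape applies wherever lpr-era code concatenates printcap fields, host names or file names into fixed arrays.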