Date:      Mon, 20 Apr 1998 11:38:19 -0700 (PDT)
From:      dima@best.net (Dima Ruban)
To:        robert@cyrus.watson.org
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Nasty security hole in "lprm" (fwd)
Message-ID:  <199804201838.LAA22195@burka.rdy.com>
In-Reply-To: <Pine.BSF.3.96.980420135732.20071A-100000@fledge.watson.org> from Robert Watson at "Apr 20, 98 01:57:42 pm"

It's being fixed for ages.

Robert Watson writes:
> 
> Have we got this one?
> 
> 
>   Robert N Watson 
> 
> 
> ----
> Carnegie Mellon University  http://www.cmu.edu/
> Trusted Information Systems http://www.tis.com/
> SafePort Network Services   http://www.safeport.com/
> robert@fledge.watson.org    http://www.watson.org/~robert/
> 
> ---------- Forwarded message ----------
> Date: Sat, 18 Apr 1998 15:42:11 +0100
> From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Nasty security hole in "lprm"
> 
> Hi,
> 
> I've found a local->root compromise in the lprm program, as shipped with
> RedHat 4.2 and RedHat 5.0. Other systems untested.
> 
> There is a prerequisite to exploiting this, that a remote printer be
> defined (rm field).
> 
> If trying to remove entries from a remote queue, the args given are
> basically strcat()'ed into a static buffer.
> 
> Thus:
> 
> lprm -Psome_remote `perl -e 'print "a" x 2000'`
> Segmentation fault
> 
> gdb confirms the program is attempting to execute code at 0x41414141
> 
> Other potential problems include assumptions about host name max lengths,
> dubious /etc/printcap parsing (but it seems user defined printcap files
> are not allowed). There is also a blatant strcpy(buf, getenv("something"))
> but luckily it is #ifdef'ed out. File/filename handling looks iffy at
> times too.
> 
> It is scary that this was found in a mere 5 mins of auditing. I sincerely
> believe the BSD line printer system has no place on a secure system. When
> I get more time I might well look for other problems; I would not be
> surprised to find some. The lpr package is in need of an audit. If the
> great folks at OpenBSD have already done this, maybe others should nab
> their source code :-)
> 
> Cheers
> Chris
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
> 

-- dima
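The defect the forwarded report describes is command-line arguments strcat()'ed into a fixed static buffer with no length check. Below is an added example in C of the bounded form such code should take; it is not code from lprm or from any post in this thread, and REQ_BUFSZ, build_request and the demo helpers are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUFSZ 256   /* hypothetical fixed request-buffer size */

/* Append argv[0..argc-1], space-separated, into buf (size bufsz).
 * Every append is checked against the space left, with one byte kept
 * for the terminating NUL. Returns the length written, or -1 when the
 * arguments do not fit; the caller must treat -1 as a hard error rather
 * than silently proceeding with a truncated request. */
int build_request(char *buf, size_t bufsz, int argc, char *const argv[]) {
    size_t used = 0;
    if (bufsz == 0) return -1;
    buf[0] = '\0';
    for (int i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]);
        size_t sep = (i > 0) ? 1 : 0;           /* separating space */
        if (len + sep > bufsz - 1 - used) return -1;   /* would overflow */
        if (sep) buf[used++] = ' ';
        memcpy(buf + used, argv[i], len);
        used += len;
        buf[used] = '\0';
    }
    return (int)used;
}

/* Constructed input that fits: returns 8 and leaves "lp 42 43" in buf. */
int demo_fits(void) {
    char buf[REQ_BUFSZ];
    char *const args[] = {"lp", "42", "43"};
    int n = build_request(buf, sizeof buf, 3, args);
    return (n == 8 && strcmp(buf, "lp 42 43") == 0) ? n : -2;
}

/* Constructed input mirroring the report's 2000-byte argument: rejected
 * with -1 instead of writing past the end of the buffer. */
int demo_overlong(void) {
    static char big[2001];
    char buf[REQ_BUFSZ];
    memset(big, 'a', 2000);
    big[2000] = '\0';
    char *const args[] = {"lp", big};
    return build_request(buf, sizeof buf, 2, args);
}

int main(void) {
    printf("fits: %d, overlong: %d\n", demo_fits(), demo_overlong());
    return 0;
}
```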
