From owner-freebsd-security Mon Apr 20 11:59:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA07400 for freebsd-security-outgoing; Mon, 20 Apr 1998 11:39:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA07215 for ; Mon, 20 Apr 1998 18:38:34 GMT (envelope-from dima@burka.rdy.com)
Received: by burka.rdy.com id LAA22195; (8.8.8/RDY) Mon, 20 Apr 1998 11:38:19 -0700 (PDT)
Message-Id: <199804201838.LAA22195@burka.rdy.com>
Subject: Re: Nasty security hole in "lprm" (fwd)
In-Reply-To: from Robert Watson at "Apr 20, 98 01:57:42 pm"
To: robert@cyrus.watson.org
Date: Mon, 20 Apr 1998 11:38:19 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

It's being fixed for ages.

Robert Watson writes:
> 
> Do we have this one?
> 
> 
> Robert N Watson
> 
> 
> ----
> Carnegie Mellon University            http://www.cmu.edu/
> Trusted Information Systems           http://www.tis.com/
> SafePort Network Services             http://www.safeport.com/
> robert@fledge.watson.org              http://www.watson.org/~robert/
> 
> ---------- Forwarded message ----------
> Date: Sat, 18 Apr 1998 15:42:11 +0100
> From: Chris Evans
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Nasty security hole in "lprm"
> 
> Hi,
> 
> I've found a local->root compromise in the lprm program, as shipped with
> RedHat4.2 and RedHat5.0. Other systems untested.
> 
> There is a prerequisite to exploiting this, that a remote printer be
> defined (rm field).
> 
> If trying to remove entries from a remote queue, the args given are
> basically strcat()'ed into a static buffer.
> 
> Thus:
> 
> lprm -Psome_remote `perl -e 'print "a" x 2000'`
> Segmentation fault
> 
> gdb confirms the program is attempting to execute code at 0x41414141
> 
> Other potential problems include assumptions about host name max lengths,
> dubious /etc/printcap parsing (but it seems user defined printcap files
> are not allowed). There is also a blatant strcpy(buf, getenv("something"))
> but luckily it is #ifdef'ed out. File/filename handling looks iffy at
> times too.
> 
> It is scary that this was found in a mere 5 mins of auditing. I sincerely
> believe the BSD line printer system has no place on a secure system. When
> I get more time I might well look for other problems; I would not be
> surprised to find some. The lpr package is in need of an audit. If the
> great folks at OpenBSD have already done this, maybe others should nab
> their source code :-)
> 
> Cheers
> Chris
> 
> 

-- 
dima

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
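Added example (not part of this thread, and not the real BSD lpr/lprm source): an illustrative reconstruction of the bug pattern Chris describes, a fixed static buffer filled by strcat() of user-controlled arguments, beside a bounds-checked builder that refuses input that will not fit. The buffer size, the function names and the agent field are assumptions; the request layout follows RFC 1179's "remove jobs" command (\005 queue SP agent [SP job]* LF). The 2000-byte argument is constructed to match the post's test case.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 256   /* assumed size of the static request buffer */

/* VULNERABLE pattern (assumed shape, not lprm's actual code): every
 * argument is strcat()'d into a fixed static buffer with no length check.
 * One argv entry longer than the space left in req_vuln overwrites whatever
 * follows it in memory. Only call this with short, trusted input; it is
 * here to show the shape of the bug, not to be run against the long arg. */
static char req_vuln[BUFSZ];

const char *build_rm_request_vulnerable(const char *queue, const char *agent,
                                        int argc, char **argv)
{
    strcpy(req_vuln, "\005");
    strcat(req_vuln, queue);
    strcat(req_vuln, " ");
    strcat(req_vuln, agent);
    for (int i = 0; i < argc; i++) {
        strcat(req_vuln, " ");
        strcat(req_vuln, argv[i]);   /* never compared against BUFSZ */
    }
    strcat(req_vuln, "\n");
    return req_vuln;
}

/* Bytes the request needs, including the trailing NUL, computed before
 * anything is copied so the caller can reject oversized input up front. */
size_t rm_request_len(const char *queue, const char *agent, int argc, char **argv)
{
    size_t n = 1 + strlen(queue) + 1 + strlen(agent) + 1 + 1; /* \005 q SP a LF NUL */
    for (int i = 0; i < argc; i++)
        n += 1 + strlen(argv[i]);                             /* SP job */
    return n;
}

/* HARDENED: builds the same request into a caller-supplied buffer of known
 * size and returns -1 without writing anything if it would not fit.
 * Silently truncating would be wrong here: a truncated job list is a
 * different request, and a truncated queue name may address another queue. */
int build_rm_request_safe(char *out, size_t outsz, const char *queue,
                          const char *agent, int argc, char **argv)
{
    if (rm_request_len(queue, agent, argc, argv) > outsz)
        return -1;
    size_t pos = 0;
    pos += (size_t)snprintf(out + pos, outsz - pos, "\005%s %s", queue, agent);
    for (int i = 0; i < argc; i++)
        pos += (size_t)snprintf(out + pos, outsz - pos, " %s", argv[i]);
    snprintf(out + pos, outsz - pos, "\n");
    return 0;
}

int main(void)
{
    /* Constructed input mirroring the post's test case:
     * lprm -Psome_remote `perl -e 'print "a" x 2000'` */
    static char big[2001];
    memset(big, 'a', 2000);
    big[2000] = '\0';
    char *argv[] = { big };
    char out[BUFSZ];

    printf("request needs %zu bytes, buffer holds %d\n",
           rm_request_len("some_remote", "user", 1, argv), BUFSZ);
    if (build_rm_request_safe(out, sizeof out, "some_remote", "user", 1, argv) < 0)
        puts("rejected: argument list does not fit the request buffer");
    /* build_rm_request_vulnerable() is deliberately NOT called with `big`:
     * 2000 bytes of 'a' would run off the end of req_vuln, which is how
     * 'aaaa' (0x41414141) ends up as the return address in the post's gdb
     * session. */
    return 0;
}
```

On benign input both builders produce the identical request, which is why the bug survives casual testing; only the length check separates them once an argument exceeds the buffer.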