Date: Wed, 5 Mar 1997 14:08:16 -0500 (EST)
From: Sire Lancelot du Lac <lancelot@snail.slow.net>
To: freebsd-security@freebsd.org
Subject: FreeBSD lpd Security Vulnerability (fwd)
Message-ID: <Pine.BSF.3.91.970305140805.16934B-100000@snail.slow.net>
Christian Doucet                 lancelot@slow.net       work: +1 514 728 1618
Freelance "Sysadmin-Programmer-UNIX-Internet" guru!      home: +1 514 728 1618

There's nothing more troubling than a black hole.     -- Sol (Marc Favreau)
This sentance has threee errors.                      -- trurl@yakko.nceye.net
This sentence no verb.                                -- someone
The answer to life, the universe and sendmail is 25   -- chimmy@knott12.ncl.ac.uk

---------- Forwarded message ----------
Date: Wed, 5 Mar 1997 00:32:02 -0700
From: Oliver Friedrichs <oliver@SECNET.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: FreeBSD lpd Security Vulnerability

                        Secure Networks Inc.

                         Security Advisory
                           March 5, 1997

                 FreeBSD lpd Security Vulnerability

There is a serious security vulnerability in all FreeBSD lpd implementations.
This vulnerability allows remote users to gain unauthorized root access to any
system allowing connections to the line printer daemon (lpd). A user is not
required to be in lpd's access list (/etc/hosts.lpd) to exploit this
vulnerability, as the problem occurs while lpd is attempting to determine
whether the host is permitted to connect.

Problem Description
~~~~~~~~~~~~~~~~~~~

The vulnerability is present in the source file lib/libc/net/rcmd.c, which
contains the function __ivaliduser(). This function is used by the line
printer daemon (lpd) to determine whether the user connecting to the daemon
is in its access list (contained in /etc/hosts.lpd). When performing a domain
name lookup on the connecting IP address, the resulting response is copied
into a fixed size buffer of size MAXHOSTNAMELEN (256 bytes). Since DNS
responses containing a hostname and domain name are currently allowed to
exceed 256 bytes, overflow can occur.

The faulty code follows:

    if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
        return (-1);
    strcpy(hname, hp->h_name);

The string copy is done without any bounds checking.
Corrected code looks as follows:

    if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
        return (-1);
    strncpy(hname, hp->h_name, sizeof(hname));
    hname[sizeof(hname)-1] = '\0';

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

This security vulnerability only applies to the FreeBSD operating system.

    FreeBSD 2.1.5 is vulnerable
    FreeBSD 2.1.6 is vulnerable
    FreeBSD 2.1.7 is vulnerable
    FreeBSD 2.2 Gamma is vulnerable
    FreeBSD 2.2 is not vulnerable
    FreeBSD -current is vulnerable for dates prior to February 25, 1997

Corrected in -current, and -stable as of February 25, 1997.

Workaround
~~~~~~~~~~

If the system in question does not require the use of printing services, lpd
should be removed or commented out from the system startup file /etc/rc.

If you require the use of printing services, this vulnerability can be fixed
by applying the following patch to lib/libc/net/rcmd.c. This patch has been
known to apply to all FreeBSD 2.x systems.

--- CUT HERE ---
*** libc/lib/net/rcmd.c.old     Tue Feb 25 15:33:42 1997
--- libc/lib/net/rcmd.c Tue Feb 25 15:33:56 1997
***************
*** 377,383 ****
        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
                return (-1);
!       strcpy(hname, hp->h_name);

        while (fgets(buf, sizeof(buf), hostf)) {
                p = buf;
--- 377,384 ----
        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
                return (-1);
!       strncpy(hname, hp->h_name, sizeof(hname));
!       hname[sizeof(hname)-1] = '\0';

        while (fgets(buf, sizeof(buf), hostf)) {
                p = buf;
--- CUT HERE ---

At this point, libc will have to be recompiled. lpd is shipped dynamically
linked under FreeBSD, therefore the fix will take effect without recompiling
lpd itself.
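Review bot: the replacement lines `strncpy(hname, hp->h_name, sizeof(hname));` and `hname[sizeof(hname)-1] = '\0';` stop the overflow but silently truncate any h_name longer than sizeof(hname)-1 and then fall through into the `while (fgets(buf, sizeof(buf), hostf))` loop, so the hosts.lpd comparison is made against a mangled name; since a name that does not fit in MAXHOSTNAMELEN is not a legitimate hostname, consider rejecting it with `return (-1);`, exactly as the gethostbyaddr failure two lines above is handled. Also, the patch headers name `libc/lib/net/rcmd.c` while the advisory text refers to `lib/libc/net/rcmd.c`; people applying it should expect to point patch at the right file.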
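The two bounded replacements for the advisory's unbounded strcpy, side by side, as an added example that is not part of the advisory or of FreeBSD's rcmd.c: copy_hostname_truncating mirrors the published fix, copy_hostname_checked rejects an over-long reverse-lookup answer instead of truncating it, and the function and buffer names beyond MAXHOSTNAMELEN are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAXHOSTNAMELEN 256   /* fixed size of the hname buffer per the advisory */

/* The advisory's fix: bounded copy plus explicit terminator. No overflow,
 * but a name longer than hsize-1 characters is silently cut short. */
int copy_hostname_truncating(char *hname, size_t hsize, const char *h_name)
{
    strncpy(hname, h_name, hsize);
    hname[hsize - 1] = '\0';
    return 0;
}

/* Stricter variant (our own, not the advisory's): an answer that does not
 * fit, with its terminator, is refused with -1, the same result the original
 * code returns when gethostbyaddr fails, so no truncated name ever reaches
 * the hosts.lpd comparison. */
int copy_hostname_checked(char *hname, size_t hsize, const char *h_name)
{
    size_t n = strlen(h_name);
    if (n == 0 || n >= hsize)
        return -1;
    memcpy(hname, h_name, n + 1);
    return 0;
}

/* Constructed stand-in for hp->h_name: `len` characters of 50-char labels. */
void make_long_name(char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (i % 51 == 50) ? '.' : 'a';
    out[len] = '\0';
}

/* Result of the checked copy for a constructed name of `len` characters. */
int checked_result_for_len(size_t len)
{
    char hname[MAXHOSTNAMELEN], h_name[1024];
    make_long_name(h_name, len);
    return copy_hostname_checked(hname, sizeof hname, h_name);
}

/* Length that survives the truncating copy for a name of `len` characters. */
size_t truncated_len_for(size_t len)
{
    char hname[MAXHOSTNAMELEN], h_name[1024];
    make_long_name(h_name, len);
    copy_hostname_truncating(hname, sizeof hname, h_name);
    return strlen(hname);
}
```

A 300-character answer is refused by the checked copy and cut to 255 characters by the truncating one; a 255-character answer is the longest either accepts intact.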
Attributions
~~~~~~~~~~~~

Information about FreeBSD can be found at http://www.freebsd.org

You can contact the author of this advisory at oliver@secnet.com

Type Bits/KeyID    Date       User ID
pub  1024/0E7BBA7D 1996/09/18 Oliver Friedrichs <oliver@secnet.com>

Copyright Notice
~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and
may be distributed freely provided that no fee is charged for distribution,
and that proper credit is given.

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers and
advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"