From owner-freebsd-security Thu Oct 2 16:26:33 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA00995 for security-outgoing; Thu, 2 Oct 1997 16:26:33 -0700 (PDT)
Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA00964; Thu, 2 Oct 1997 16:25:48 -0700 (PDT)
Received: by burka.rdy.com id QAA13494; (8.8.7/RDY) Thu, 2 Oct 1997 16:25:11 -0700 (PDT)
Message-Id: <199710022325.QAA13494@burka.rdy.com>
Subject: Re: Possible weakness in LPD protocol
In-Reply-To: <199710022215.PAA04012@cwsys.cwent.com> from Cy Schubert - ITSD Open Systems Group at "Oct 2, 97 03:15:13 pm"
To: cschuber@uumail.gov.bc.ca
Date: Thu, 2 Oct 1997 16:25:10 -0700 (PDT)
Cc: security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Yup. And lpd is turned on by default :-/

Cy Schubert - ITSD Open Systems Group writes:
> Here's an interesting read that was sent to me via BUGTRAQ.
>
>
> Regards,                         Phone:  (250)387-8437
> Cy Schubert                      Fax:    (250)387-5766
> UNIX Support                     OV/VM:  BCSC02(CSCHUBER)
> ITSD                             BITNET: CSCHUBER@BCSC02.BITNET
> Government of BC                 Internet: cschuber@uumail.gov.bc.ca
>                                            Cy.Schubert@gems8.gov.bc.ca
>
> "Quit spooling around, JES do it."
>
>
> ------- Forwarded Message
>
> Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.7/8.6.10) id OAA12179; Thu, 2 Oct 1997 14:57:54 -0700 (PDT)
> X-UIDL: 875829610.036
> Resent-Message-Id: <199710022157.OAA12179@passer.osg.gov.bc.ca>
> Received: from localhost(127.0.0.1), claiming to be "passer.osg.gov.bc.ca"
>  via SMTP by localhost, id smtpdaagyea; Thu Oct 2 14:57:47 1997
> Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.7/8.6.10) id OAA11672 for ; Thu, 2 Oct 1997 14:57:44 -0700 (PDT)
> Received: from orca.gov.bc.ca(142.32.102.25)
>  via SMTP by passer.osg.gov.bc.ca, id smtpdaamfba; Thu Oct 2 14:57:36 1997
> Received: from brimstone.netspace.org by orca.gov.bc.ca (5.4R3.10/200.1.1.4)
>  id AA18721; Thu, 2 Oct 1997 14:57:33 -0700
> Received: from unknown@netspace.org (port 27910 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <79891-2107>; Thu, 2 Oct 1997 17:29:10 -0400
> Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
>  spool id 4929228 for BUGTRAQ@NETSPACE.ORG; Thu, 2 Oct 1997 17:25:07 -0400
> Received: from brimstone.netspace.org (brimstone [128.148.157.143]) by
>  netspace.org (8.8.7/8.8.2) with ESMTP id RAA21844 for ; Thu, 2 Oct 1997 17:24:41 -0400
> Received: from unknown@netspace.org (port 27910 [128.148.157.6]) by
>  brimstone.netspace.org with ESMTP id <23487-2103>; Thu, 2 Oct 1997 17:24:17 -0400
> Approved-By: aleph1@UNDERGROUND.ORG
> Received: from mail.redrose.net (mail.redrose.net [204.249.184.22]) by
>  netspace.org (8.8.7/8.8.2) with SMTP id QAA18725 for ; Thu, 2 Oct 1997 16:58:36 -0400
> Received: (qmail 27015 invoked from network); 2 Oct 1997 20:58:11 -0000
> Received: from e1-10.redrose.net (HELO kensei.fspi.com) (205.246.85.42) by
>  mail.redrose.net with SMTP; 2 Oct 1997 20:58:11 -0000
> X-Mailer: Mozilla 3.01 (Win95; I)
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Message-Id: <34340AEE.5395@redrose.net>
> Date: Thu, 2 Oct 1997 16:58:23 -0400
> Reply-To: a42n8k9@**no-spam**.redrose.net
> Sender: Bugtraq List
> From: Bennett Samowich
> Organization: Four Seasons Produce Inc.
> Subject: Possible weakness in LPD protocol
> To: BUGTRAQ@netspace.org
> Resent-To: cy@passer.osg.gov.bc.ca, pblake@uumail.gov.bc.ca
> Resent-Date: Thu, 02 Oct 1997 14:57:46 -0700
> Resent-From: Cy Schubert - ITSD Open Systems Group
>
> Greetings,
>
> This may be old news, but here it is anyway...
>
> While working on a port of "lpr/lpd" to Windows95 I noticed some
> weaknesses in the implementation of the LPR protocol. Mostly it
> appears to affect BSD-based UNIXes. I found it using the source for
> BSD4.4, and tested it on "Linux Slackware 2.2.0". I have also tested it
> on AIX 4.1.5 and it seems to be OK. Unfortunately (or fortunately,
> depending on how you look at it), I only have access to these two
> operating systems.
>
> Explaining this assumes that you are familiar with [RFC-1179 Line Printer
> Daemon Protocol]. If you are not familiar with it or have not read it, it may
> be obtained via FTP from ftp://nic.ddn.mil/rfc/rfc1179.txt
>
> The possibilities are as follows:
> 1.) Obtaining hard (or possibly soft) copies of any file on the system.
> 2.) Deleting any file on the system.
> 3.) Creating a file on the system.
> 4.) Mail bombing.
>
> There are a few requirements that need to be met in order to perform
> these actions.
> 1.) Must be 'root' on the source machine.
>     NOTE: Under Windows95 the user already has 'root' status. This means
>     that anyone on a Win95 box can bind network sockets to the reserved ports.
> 2.) Must have or obtain permission to print to the target machine.
>     Usually machines on the same network will have permission to print to
>     each other, but that may not always be the case.
> 3.) Must have or obtain access to the target printer. Otherwise how
>     will you get your printout?
>
> HOW IT WORKS...
>
> When lpd sends a file to a remote machine it creates a control file used
> to instruct the remote machine on how to process the incoming print
> job. These commands are outlined in [RFC-1179]. It is the
> implementation of the control commands that provides the weakness.
>
> 1.) Obtaining hard (or possibly soft) copies of any file on the system.
>     The control command 'f' causes a file to be printed as text.
>
>     The syntax is: f filename [LF]
>
>     Therefore, by inserting the line "f/etc/shadow" into the control file
>     you will cause the shadow password file to be printed. (Hard copy)
>
>     If the print queue points to a network printer then it would be possible
>     to capture the packets. (Soft copy)
>
> 2.) Delete any file on the system.
>     The control command 'U' instructs the remote machine to "unlink" the
>     file upon completion of the job.
>
>     The syntax is: U filename [LF]
>
>     Therefore, by inserting the line "U/vmlinuz" into the control file you
>     will cause the Linux kernel to be removed from the file system.
>
> 3.) Create a file on the remote system.
>     This is a little trickier, in that BSD4.4 takes the filename that you
>     specify and appends its view of the calling machine's hostname to it.
>     However, BSD4.4 starts at the sixth character.
>
>     The syntax is: 2 size [SP] filename [LF], where '2' is the octet 2, not
>     the character, size is the size of the file in bytes, filename is ...
>     (DUH).
>
> -- From RECVJOB.C
>
>         case '\2':      /* read cf file */
>                 size = 0;
>                 while (*cp >= '0' && *cp <= '9')
>                         size = size * 10 + (*cp++ - '0');
>                 if (*cp++ != ' ')
>                         break;
>                 /*
>                  * host name has been authenticated, we use our
>                  * view of the host name since we may be passed
>                  * something different than what gethostbyaddr()
>                  * returns
>                  */
> HERE ----------->  strcpy(cp + 6, from);
>                 strcpy(tfname, cp);
>                 tfname[0] = 't';
>                 if (!chksize(size)) {
>                         (void) write(1, "\2", 1);
>                         continue;
>                 }
>                 if (!readfile(tfname, size)) {
>                         rcleanup(0);
>                         continue;
>                 }
>                 if (link(tfname, cp) < 0)
>                         frecverr("%s: %m", tfname);
>                 (void) unlink(tfname);
>                 tfname[0] = '\0';
>                 nfiles++;
>                 continue;
>
>
> The result is this:
>
>     /rc          becomes /rc
>     /etc/passwd  becomes /etc/passwd.www.yourhost.com
>
> This is accomplished by using the printer command of '2' (receive
> control file).
>
> Therefore by sending the printer command '2/rc' and then sending our
> file, we have created a file in the root directory called 'rc'.
> By sending '2/home/yourfriend/somefile' and then your file you will have
> sent somefile to yourfriend ... and even put it in their home
> directory. Of course it will have the name somefile.www.yourhost.com,
> but he got it nonetheless.
>
> 4.) Mail bombing.
>     The control command 'M' instructs lpd to mail the user when the job is
>     finished.
>
>     The syntax is: M username [LF]
>
>     Therefore by adding the line "Mjoeuser@www.somewhere.com" you will
>     cause joeuser to receive mail notification about the print job. By
>     adding several thousand of these lines, well, you get the idea.
>
>
> SOLUTIONS ???
> These holes are due to the implementation of the lpr protocol and the
> fact that lpd runs as root. I am sure that there may be many solutions
> to this, but at first glance I think that checking for a '/' in the
> filenames would cause the program to react when someone tries to print
> files from outside of the queue directory.
>
> As far as the mail bomb, maybe by checking the destination host against
> lpd's view of the caller, but that wouldn't allow for someone to print
> from one account and get the mail at another, i.e. the boss getting
> notices when the report is finished.
>
> Let me know if I have misstated something.
>
> Bennett
>
>
> ------- End of Forwarded Message
>

-- dima
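The receiver-side check that the forwarded post sketches under "SOLUTIONS ???", written out as an added example. This is not code from the thread or from any lpd implementation; it is a stand-alone validator for the names an lpd receiver is handed by the '2'/'3' commands and for the lines inside a control file, applied before the receiver substitutes its own view of the host name (the strcpy(cp + 6, from) step quoted above) and before it acts on 'f', 'U' or 'M' lines. RFC 1179 specifies spool file names as "cfA"/"dfA", a three-digit job number and the host name, so anything that does not fit that shape, or that carries a '/', is rejected rather than joined onto a path. The function names, the HOST_MAX / MAIL_MAX / LINE_MAX_LEN bounds and the sample control file are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post or from any lpd source.
 * Bounds below are constructed for the example, not taken from RFC 1179. */
#define HOST_MAX      64    /* longest host part we accept in a spool name */
#define MAIL_MAX       1    /* 'M' lines permitted per control file        */
#define LINE_MAX_LEN 256    /* longest control-file line we accept         */

/* Spool name check for the '2' (control file) / '3' (data file) commands.
 * Accepts only cfA123host / dfA123host style names with no '/'.  Validating
 * the full shape first means the receiver's own host name can be appended
 * to a well-formed prefix instead of being written blindly at offset 6. */
int lpd_spool_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n < 7 || n > 6 + HOST_MAX)                 /* needs prefix + host   */
        return 0;
    if (name[0] != 'c' && name[0] != 'd')          /* cf... or df...        */
        return 0;
    if (name[1] != 'f' || !isalpha((unsigned char)name[2]))
        return 0;
    for (int i = 3; i < 6; i++)                    /* three-digit job number */
        if (!isdigit((unsigned char)name[i]))
            return 0;
    for (size_t i = 6; i < n; i++) {               /* host part: no '/',    */
        unsigned char c = (unsigned char)name[i];  /* printable only        */
        if (c == '/' || !isgraph(c))
            return 0;
    }
    return 1;
}

/* One control-file line without its trailing LF.  Commands whose operand
 * is a data file must name a valid spool file; other operands are plain
 * text and only need to be printable.  Returns 1 if acceptable. */
int lpd_ctl_line_ok(const char *line)
{
    if (line[0] == '\0')
        return 0;
    switch (line[0]) {
    /* RFC 1179 section 7 commands that name a data file, including 'f'
     * (print as text) and 'U' (unlink) from the post */
    case 'c': case 'd': case 'f': case 'g': case 'l': case 'n': case 'o':
    case 'p': case 'r': case 't': case 'v': case 'U':
        return lpd_spool_name_ok(line + 1);
    default:
        for (const char *p = line + 1; *p; p++)
            if (!isprint((unsigned char)*p))
                return 0;
        return 1;
    }
}

/* Whole control file: every line must pass, lines are length-bounded, the
 * file must end with LF, and at most MAIL_MAX 'M' lines are allowed, which
 * closes the mail-notification flood described in the post.  Returns the
 * number of accepted lines, or -1 at the first rejected line. */
int lpd_ctl_file_ok(const char *ctl, size_t len)
{
    char line[LINE_MAX_LEN + 1];
    size_t li = 0;
    int mails = 0, lines = 0;

    for (size_t i = 0; i < len; i++) {
        if (ctl[i] != '\n') {
            if (li >= LINE_MAX_LEN)
                return -1;
            line[li++] = ctl[i];
            continue;
        }
        line[li] = '\0';
        li = 0;
        if (!lpd_ctl_line_ok(line))
            return -1;
        if (line[0] == 'M' && ++mails > MAIL_MAX)
            return -1;
        lines++;
    }
    return li == 0 ? lines : -1;                   /* trailing partial line */
}

/* Convenience wrapper for NUL-terminated control files. */
int lpd_ctl_str_ok(const char *ctl)
{
    return lpd_ctl_file_ok(ctl, strlen(ctl));
}

int main(void)
{
    /* Constructed sample control file, shaped like the one lpr generates:
     * host, user, job name, one mail request, print and unlink data file. */
    const char *good = "Hclient\nPalice\nJreport\nMalice\nfdfA001client\nUdfA001client\n";
    printf("sample control file: %d lines accepted\n", lpd_ctl_str_ok(good));
    printf("f/etc/shadow line: %s\n", lpd_ctl_line_ok("f/etc/shadow") ? "accepted" : "rejected");
    printf("'/rc' spool name:  %s\n", lpd_spool_name_ok("/rc") ? "accepted" : "rejected");
    return 0;
}
```

The order of the checks matters: the name is validated as a complete RFC 1179 spool name before any host substitution, so a short or slash-bearing name never reaches the file system, and the per-file 'M' budget is enforced in the same pass that validates the lines, so a flood is rejected before the job is accepted rather than after the mail has gone out.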