Date: Fri, 03 Oct 1997 08:39:44 -0600
From: Warner Losh <imp@village.org>
To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc: security-officer@freebsd.org, freebsd-security@freebsd.org, bugtraq@netspace.org
Subject: Re: Possible weakness in LPD protocol
Message-ID: <199710031439.IAA09461@harmony.village.org>
In-Reply-To: Your message of "Thu, 02 Oct 1997 15:15:13 PDT." <199710022215.PAA04012@cwsys.cwent.com>
References: <199710022215.PAA04012@cwsys.cwent.com>

: SOLUTIONS ???
: These holes are due to the implementation of the lpr protocol and the
: fact that lpd runs as root. I am sure that there may be many solutions
: to this, but at first glance I think that by checking for a '/' in the
: filenames would cause the program to react when someone tries to print
: files from outside of the queue directory.

Both OpenBSD and FreeBSD disallow any files with / in them in the code
that was quoted. So this isn't a problem in either of those systems.
I don't have a current NetBSD source tree online at the moment, or I'd
check there.

The following csh code

	while (1)
		mail blah blah blah
	end

allows effective mail bombing as well. And if you control root for
the machine in question, you can use sendmail to forge the mail from
any address that you want. And even if you aren't, effective mail
forging programs are a dime a dozen and are more general in their
damage.

What is the threat here?

Warner
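
The '/' check discussed in the message above, as an added example that is not part of the original e-mail and is not the FreeBSD or OpenBSD lpd source. The function names, the sample control files and the extra "." / ".." check are assumptions made for illustration; the command letters are those RFC 1179 defines for control-file lines that name a spool file.

```c
#include <stdio.h>
#include <string.h>

/* RFC 1179 control-file commands whose operand names a file in the
 * spool directory: the print commands plus 'U' (unlink data file). */
static const char FILE_CMDS[] = "cdfglnoprtvU";

/* Constructed sample control files, not taken from the thread. */
static const char SAMPLE_OK[] =
    "Hclient.example\nPalice\nfdfA001client.example\n"
    "UdfA001client.example\nN/home/alice/report.txt\n";
static const char SAMPLE_BAD[] =
    "Hclient.example\nPalice\nf/etc/passwd\nU../../etc/nologin\n";

/* Return 1 if the operand can only name a file inside the queue directory. */
int safe_spool_name(const char *name, size_t len)
{
    if (len == 0 || memchr(name, '/', len) != NULL)
        return 0;               /* empty, or escapes the queue directory */
    if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.')))
        return 0;               /* extra check added here: "." and ".." */
    return 1;
}

/* Scan an in-memory control file; return the number of rejected lines. */
int check_control_file(const char *cf)
{
    int bad = 0;
    while (*cf != '\0') {
        size_t len = strcspn(cf, "\n");     /* length of this line */
        if (len > 0 && strchr(FILE_CMDS, cf[0]) != NULL &&
            !safe_spool_name(cf + 1, len - 1)) {
            fprintf(stderr, "rejected: %.*s\n", (int)len, cf);
            bad++;
        }
        cf += len;
        if (*cf == '\n')
            cf++;
    }
    return bad;
}

int main(void)
{
    printf("ok sample: %d rejected\n", check_control_file(SAMPLE_OK));
    printf("bad sample: %d rejected\n", check_control_file(SAMPLE_BAD));
    return 0;
}
```

The 'N' line is left unchecked because it carries the original source file name for display only and is never opened by the daemon in this sketch.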