Date:      Fri, 03 Oct 1997 08:39:44 -0600
From:      Warner Losh <imp@village.org>
To:        Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc:        security-officer@freebsd.org, freebsd-security@freebsd.org, bugtraq@netspace.org
Subject:   Re: Possible weakness in LPD protocol 
Message-ID:  <199710031439.IAA09461@harmony.village.org>
In-Reply-To: Your message of "Thu, 02 Oct 1997 15:15:13 PDT." <199710022215.PAA04012@cwsys.cwent.com> 
References:  <199710022215.PAA04012@cwsys.cwent.com>  

: SOLUTIONS ???
: These holes are due to the implementation of the lpr protocol and the
: fact that lpd runs as root.  I am sure that there may be many solutions
: to this, but at first glance I think that by checking for a '/' in the
: filenames would cause the program to react when someone tries to print
: files from outside of the queue directory.

Both OpenBSD and FreeBSD disallow any files with / in them in the code
that was quoted.  So this isn't a problem in either of those systems.
I don't have a current NetBSD source tree online at the moment, or I'd
check there.

The following csh code
	while (1)
		mail blah blah blah
	end
allows effective mail bombing as well.  And if you control root for
the machine in question, you can use sendmail to forge the mail from
any address that you want.  And even if you aren't effective mail
forging programs are a dime a dozen and are more general in their
damage.  What is the threat here?

Warner
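
The '/' check discussed in this thread, sketched as an added example; it is not part of the original message and is not the FreeBSD or OpenBSD lpd source. It assumes the RFC 1179 control-file layout, in which lowercase command characters and 'U' are followed by a spool file name; the function names and the sample control files are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept a name only if it cannot resolve outside the queue directory. */
static int spool_name_ok(const char *name, size_t len)
{
    if (len == 0 || memchr(name, '/', len) != NULL)
        return 0;
    if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.')))
        return 0;
    return 1;
}

/* Assumption (RFC 1179): lowercase commands and 'U' take a spool file name. */
static int takes_spool_file(char cmd)
{
    return cmd == 'U' || islower((unsigned char)cmd);
}

/* Scan an in-memory control file; return the number of lines to refuse. */
static int count_rejected(const char *cf)
{
    int rejected = 0;

    while (*cf != '\0') {
        size_t len = strcspn(cf, "\n");
        if (len > 0 && takes_spool_file(cf[0]) && !spool_name_ok(cf + 1, len - 1))
            rejected++;
        cf += len;
        if (*cf == '\n')
            cf++;
    }
    return rejected;
}

/* Constructed sample control files (host and file names are made up). */
static const char GOOD_CF[] =
    "Hclient.example\nPalice\nN/home/alice/report.txt\n"
    "fdfA001client.example\nUdfA001client.example\n";
static const char BAD_CF[] =
    "Hclient.example\nPalice\nfdfA002client.example\n"
    "f/outside/queue/file\nl../dfA003client.example\n";

int main(void)
{
    printf("good: %d rejected\n", count_rejected(GOOD_CF));
    printf("bad:  %d rejected\n", count_rejected(BAD_CF));
    return 0;
}
```

The 'N' line keeps its '/' because it only records the original source path for the banner; only operands that the daemon would open inside the queue directory are checked.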


