From owner-freebsd-security Fri Oct 3 07:39:27 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id HAA17961
    for security-outgoing; Fri, 3 Oct 1997 07:39:27 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49])
    by hub.freebsd.org (8.8.7/8.8.7) with SMTP id HAA17918;
    Fri, 3 Oct 1997 07:38:56 -0700 (PDT)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp
    (Exim 1.71 #1) id 0xH8sK-0000hX-00; Fri, 3 Oct 1997 08:38:40 -0600
Received: from harmony.village.org (localhost [127.0.0.1])
    by harmony.village.org (8.8.7/8.8.3) with ESMTP id IAA09461;
    Fri, 3 Oct 1997 08:39:44 -0600 (MDT)
Message-Id: <199710031439.IAA09461@harmony.village.org>
To: Cy Schubert - ITSD Open Systems Group
Subject: Re: Possible weakness in LPD protocol
Cc: security-officer@freebsd.org, freebsd-security@freebsd.org, bugtraq@netspace.org
In-reply-to: Your message of "Thu, 02 Oct 1997 15:15:13 PDT." <199710022215.PAA04012@cwsys.cwent.com>
References: <199710022215.PAA04012@cwsys.cwent.com>
Date: Fri, 03 Oct 1997 08:39:44 -0600
From: Warner Losh
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

: SOLUTIONS ???
: These holes are due to the implementation of the lpr protocol and the
: fact that lpd runs as root. I am sure that there may be many solutions
: to this, but at first glance I think that by checking for a '/' in the
: filenames would cause the program to react when someone tries to print
: files from outside of the queue directory.

Both OpenBSD and FreeBSD disallow any files with / in them in the code
that was quoted. So this isn't a problem in either of those systems. I
don't have a current NetBSD source tree online at the moment, or I'd
check there.

The following csh code

    while (1)
        mail blah blah blah
    end

allows effective mail bombing as well. And if you control root for the
machine in question, you can use sendmail to forge the mail from any
address that you want. And even if you aren't, effective mail forging
programs are a dime a dozen and are more general in their damage.

What is the threat here?

Warner
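
The '/' check discussed in this message, written out as an added C example; it is not part of the original post and is not lpd's own code. It assumes the RFC 1179 control-file layout (one command per line, lowercase commands name a data file to print, 'U' names a file to unlink); the function names and sample control files are constructed for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample control files (assumed RFC 1179 layout). */
static const char GOOD_CF[] =
    "Hclient.example\nPalice\nfdfA001client.example\n"
    "UdfA001client.example\nN/home/alice/report.txt\n";
static const char BAD_CF[] =
    "Hclient.example\nPalice\nf/tmp/outside-queue\nU/tmp/outside-queue\n";

/* Returns 1 if name may be opened or unlinked relative to the spool
 * directory: non-empty, contains no '/', and is not "." or "..". */
int safe_spool_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Scans a control file held in memory. The first byte of each line is
 * the command and the rest is its operand. Only operands the daemon
 * would open or unlink are checked: 'N' (original file name) is
 * informational and may legitimately contain '/'.
 * Returns 0 if all checked operands are safe, otherwise the 1-based
 * number of the first offending line. */
int check_control_file(const char *text)
{
    int lineno = 0;
    while (*text != '\0') {
        char line[256];
        size_t len = strcspn(text, "\n");
        lineno++;
        if (len >= sizeof(line))
            return lineno;               /* overlong line: reject */
        memcpy(line, text, len);
        line[len] = '\0';
        if (len > 0 && (islower((unsigned char)line[0]) || line[0] == 'U')
            && !safe_spool_name(line + 1))
            return lineno;
        text += len;
        if (*text == '\n')
            text++;
    }
    return 0;
}
```

A receiver running as root would apply such a check before acting on any print or unlink command, and reject the whole job when it returns non-zero.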