From owner-freebsd-questions Wed Oct 30 08:24:58 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA23537 for questions-outgoing; Wed, 30 Oct 1996 08:24:58 -0800 (PST)
Received: from super-g.inch.com (spork@super-g.com [204.178.32.161]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA23436 for ; Wed, 30 Oct 1996 08:24:41 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.6.12/8.6.9) with SMTP id JAA12403 for ; Wed, 30 Oct 1996 09:23:45 -0600
Date: Wed, 30 Oct 1996 09:23:44 -0600 (CST)
From: "S(pork)"
X-Sender: spork@super-g.inch.com
To: freebsd-questions@freebsd.org
Subject: lpr hole
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi,

I recently found an exploit for lpr that will allow root access by anyone with an account on the system. As far as I know, this affects all FBSD. A temp fix is to chmod -s it, but I wonder if anyone has a patch for this.

The exploit itself has been around for a while, but it seems to be resurfacing (as they always do) and coming into vogue... From what I gather it's some sort of race/overflow thing that makes lpr make you a nice little root owned SUID shell.

I also have a few other little things I've found; is there any sort of security related list/archive for FBSD? CERT is so ridiculously behind on these things it's not even funny.

Curious about security,

Charles