[1276] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: [linux-security] Linux and lpd

daemon@ATHENA.MIT.EDU (Thomas Quinot)
Mon Oct 28 03:35:41 1996

From: thomas@cuivre.fdn.fr (Thomas Quinot)
Date: 26 Oct 1996 09:14:10 GMT
To: linux-security@tarsier.cv.nrao.edu

John Fulmer (jfulmer@blanket.com) =E9crit :

> Does anyone know of a hack against lpr/lpd on Slackware 3.0?

Yes. There is a buffer overflow condition in some BSD-derived
lpr implementation, whereby any user can gain root access. A path
was posted to bugtraq by Vadim Kolontsov :

-------------------------------------------------------------------------=
-

  Here is a little patch -- see file lpr.c, function card():
("!!" marks added lines)

-------------------------------------------------------------------------=
-
static void card(c, p2)
        register int c;
        register char *p2;
{
        char buf[BUFSIZ];
        register char *p1 =3D buf;
        register int len =3D 2;


        if (strlen(p2) > BUFSIZ-2)                     /* !! */
        {                                              /* !! */
                printf("No, thanks...\n");             /* !! */
                exit(1);                               /* !! */
        }
        *p1++ =3D c;
        while ((c =3D *p2++) !=3D '\0') {
                *p1++ =3D (c =3D=3D '\n') ? ' ' : c;
                len++;
        }
        *p1++ =3D '\n';
        write(tfd, buf, len);
}
-------------------------------------------------------------------------=
-

Details on the attack were posted in freebsd-security (BSD systems
also can be compromised).

You might also want to consider moving from BSD lpr to LPRng.

[REW: I'm getting flooded with messages claiming that this is new. I
distincly recall that I've seen this quite a while ago. (The timestamp
on the exploit I have is october first.) Anyway, here's a patch, and
for those that didn't know, your lpr might be vulnerable....]

--=20
      Thomas.Quinot@Cuivre.FdN.FR       <URL:http://Web.FdN.FR/~tquinot/>

home help back first fref pref prev next nref lref last post