[1276] in linux-security and linux-alert archive
Re: [linux-security] Linux and lpd
daemon@ATHENA.MIT.EDU (Thomas Quinot)
Mon Oct 28 03:35:41 1996
From: thomas@cuivre.fdn.fr (Thomas Quinot)
Date: 26 Oct 1996 09:14:10 GMT
To: linux-security@tarsier.cv.nrao.edu
John Fulmer (jfulmer@blanket.com) wrote:
> Does anyone know of a hack against lpr/lpd on Slackware 3.0?
Yes. There is a buffer overflow condition in some BSD-derived
lpr implementations, whereby any user can gain root access. A patch
was posted to bugtraq by Vadim Kolontsov:
--------------------------------------------------------------------------
Here is a little patch -- see file lpr.c, function card():
("!!" marks added lines)
--------------------------------------------------------------------------
static void card(c, p2)
register int c;
register char *p2;
{
char buf[BUFSIZ];
register char *p1 =3D buf;
register int len =3D 2;
if (strlen(p2) > BUFSIZ-2) /* !! */
{ /* !! */
printf("No, thanks...\n"); /* !! */
exit(1); /* !! */
}
*p1++ =3D c;
while ((c =3D *p2++) !=3D '\0') {
*p1++ =3D (c =3D=3D '\n') ? ' ' : c;
len++;
}
*p1++ =3D '\n';
write(tfd, buf, len);
}
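Review bot: the rejection path in the added check at the top of card() reports the problem with printf("No, thanks...\n") on stdout and then calls exit(1) directly; the message does not say what was rejected and should go to stderr, for example fprintf(stderr, "lpr: argument too long\n"). The bound itself is correct: card() stores one byte for c, strlen(p2) bytes from p2 and a trailing newline, so requiring strlen(p2) <= BUFSIZ-2 keeps the total within buf[BUFSIZ]. The closing brace of the added block is also an added line but lacks the "!!" marker.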
--------------------------------------------------------------------------
Details on the attack were posted in freebsd-security (BSD systems
also can be compromised).
You might also want to consider moving from BSD lpr to LPRng.
[REW: I'm getting flooded with messages claiming that this is new. I
distinctly recall that I've seen this quite a while ago. (The timestamp
on the exploit I have is October first.) Anyway, here's a patch, and
for those that didn't know, your lpr might be vulnerable....]
-- 
Thomas.Quinot@Cuivre.FdN.FR <URL:http://Web.FdN.FR/~tquinot/>