[22430] in bugtraq
LPRng/rhs-printfilters - remote execution of commands
daemon@ATHENA.MIT.EDU (zen-parse)
Mon Aug 27 11:41:13 2001
Date: Tue, 28 Aug 2001 01:44:55 +1200 (NZST)
From: zen-parse <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0108280131001.984-100000@clarity.local>
(posted to vendor security people, no reply, no patch, so posting here.)
--begin forwarded message--
RedHat 7.0 (possibly others)
If the lpd is listening on 0.0.0.0 and no access controls are in place, it
is possible to execute commands as the lp user, assuming tetex-dvips is
installed.
From man dvips
...
-R Run in secure mode. This means that ``backtick''
commands from a \special{} or \psffile{} macro in
the (La)TeX source like \special{psfile="`zcat
foo.ps.Z"} or \psffile[72 72 540 720]{"`zcat
screendump.ps.gz"} are not executed.
...
Unless the -R option is passed, the attached file will, when converted to
a .dvi file (tex spool.tex), start a worm. A very primitive, proof of
concept worm, with no payload, but it does stall the printer.
(So don't run it without at least modifying it to do something else.)
/usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
...
dvips -f $DVIPS_OPTIONS < $TMP_FILE
...
change it to
...
dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
...
and it should be a little safer.
-- zen-parse
--end forwarded message--
I deleted the worm file before posting this to BugTraq. It's 2 lines of
bash, but not really the kind of thing that is helpful to post here.
-rw-r--r-- 1 evil evil 152 Aug 16 16:37 spool.tex
Instead, use this to test your machine.
# Quote the here-document delimiter: with an unquoted <<EOF the shell would
# try command substitution on the lone backtick instead of writing it out.
cat >proof-of-concept.tex <<'EOF'
\special{psfile="`touch /tmp/lpowned"}
\end
EOF
tex proof-of-concept          # writes proof-of-concept.dvi
lpr proof-of-concept.dvi      # dvi-to-ps.fpi feeds it to dvips; then check for /tmp/lpowned
-- zen-parse
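Added example, not part of zen-parse's post and not rhs-printfilters code: a scanner for the detection side of this issue. It walks the opcodes of a spooled .dvi file, pulls out every \special string (DVI xxx1..xxx4 opcodes, per the DVI format), and flags the ones dvips would run through the shell when called without -R, i.e. a psfile= value that starts with a backtick, as in the man page excerpt. The build_dvi helper fabricates a minimal one-page DVI in memory so the scan can be tried without tex installed; the special strings in it are constructed test input, and the file layout is an assumption based on the DVI spec rather than the exact bytes a given tex build writes.

```python
"""Scan a DVI print job for \\special strings that dvips, run without -R,
would hand to the shell.  Added example; not code from the advisory."""
import re
import struct
import sys

# Argument byte counts for fixed-length DVI opcodes (DVI format spec).
_FIXED = {132: 8, 137: 8, 138: 0, 139: 44, 140: 0, 141: 0, 142: 0, 248: 28}
for _i in range(4):
    _FIXED[128 + _i] = _i + 1                      # set1..set4
    _FIXED[133 + _i] = _i + 1                      # put1..put4
    _FIXED[235 + _i] = _i + 1                      # fnt1..fnt4
    for _base in (143, 148, 153, 157, 162, 167):   # right, w, x, down, y, z 1..4
        _FIXED[_base + _i] = _i + 1
for _op in (147, 152, 161, 166, *range(171, 235)):  # w0 x0 y0 z0, fnt_num_0..63
    _FIXED[_op] = 0

# The form dvips executes: psfile= followed (optionally quoted) by a backtick.
_PIPE = re.compile(r'psfile\s*=\s*"?\s*`', re.IGNORECASE)


def dvi_specials(data: bytes):
    """Yield (offset, text) for every xxx1..xxx4 special in a DVI byte string."""
    pos, n = 0, len(data)
    while pos < n:
        op = data[pos]
        pos += 1
        if op < 128:                       # set_char_0..127 carry no arguments
            continue
        if op in _FIXED:
            pos += _FIXED[op]
        elif 239 <= op <= 242:             # xxx1..xxx4: k-byte length, then k bytes
            width = op - 238
            k = int.from_bytes(data[pos:pos + width], "big")
            pos += width
            yield pos, data[pos:pos + k].decode("latin-1")
            pos += k
        elif 243 <= op <= 246:             # fnt_def1..4: k, c, s, d, a, l, name[a+l]
            pos += (op - 242) + 12
            a, l = data[pos], data[pos + 1]
            pos += 2 + a + l
        elif op == 247:                    # pre: i, num, den, mag, k, comment[k]
            pos += 14 + data[pos + 13]
        elif op == 249:                    # post_post: nothing of interest follows
            break
        else:
            raise ValueError(f"undefined DVI opcode {op} at offset {pos - 1}")


def scan_dvi(data: bytes):
    """Return [(offset, reason, special)] for specials worth stopping the job over."""
    findings = []
    for off, text in dvi_specials(data):
        if _PIPE.search(text):
            findings.append((off, "psfile backtick: dvips without -R pipes this to the shell", text))
        elif "`" in text:
            findings.append((off, "backtick in special: inspect manually", text))
    return findings


def build_dvi(specials):
    """Construct a minimal one-page DVI carrying the given specials as xxx1 opcodes.
    Constructed test input (assumed layout from the DVI spec), not real tex output."""
    pre = bytes([247, 2]) + struct.pack(">III", 25400000, 473628672, 1000) + bytes([0])
    body = bytes([139]) + struct.pack(">11i", 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, -1)  # bop
    for s in specials:
        raw = s.encode("latin-1")
        assert len(raw) < 256, "xxx1 takes a one-byte length"
        body += bytes([239, len(raw)]) + raw
    body += bytes([140])                                                          # eop
    post = bytes([248]) + struct.pack(">iIIIIIHH", len(pre), 25400000, 473628672, 1000, 0, 0, 1, 1)
    head = pre + body + post + bytes([249]) + struct.pack(">I", len(pre) + len(body)) + bytes([2])
    pad = 4 + (-(len(head) + 4) % 4)       # 4..7 bytes of 223, total length a multiple of 4
    return head + bytes([223]) * pad


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for off, why, text in scan_dvi(fh.read()):
                print(f"{path}: offset {off}: {why}: {text!r}")
```

Run it against files in the lpd spool directory (or as a pre-filter before dvips) to catch the proof-of-concept job above; it is a stop-gap beside the real fixes, which are the -R flag in dvi-to-ps.fpi and not exposing lpd to untrusted hosts.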