[5339] in bugtraq


Re: Possible weakness in LPD protocol

daemon@ATHENA.MIT.EDU (Thomas Roessler)
Fri Oct 3 13:33:58 1997

Date: 	Fri, 3 Oct 1997 02:43:16 +0200
Reply-To: Thomas Roessler <roessler@GUUG.DE>
From: Thomas Roessler <roessler@GUUG.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <34340AEE.5395@redrose.net>

On October 02 1997, Bennett Samowich wrote:

> 1.) Obtaining hard (or possibly soft) copies of any file on the system.
> 2.) Deleting any file on the system.
> 3.) Creating a file on the system.
> 4.) Mail bombing.

5.) Overflow at least one buffer from the network; this is just
above the "print any file" part of recvjob.c:

                cp = line;
                /* read the control line one byte at a time, straight
                 * from the network socket, until a newline arrives */
                do {
                        if ((size = read(1, cp, 1)) != 1) {
                                if (size < 0)
                                        frecverr("%s: Lost connection", printer);
                                return(nfiles);
                        }
                } while (*cp++ != '\n');   /* cp is never checked against the end of line[] */


Consequences aren't really obvious, but you may be able to do
nasty things.

Will we ever get rid of gets()?  (lpd source tree is from some
recent RedHat distribution.)

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
   1280/593238E1 · AE 24 38 88 1B 45 E4 C6  03 F5 15 6E 9C CA FD DB
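
The loop quoted in the post above, shown beside a bounded version, as an added example that is not part of the original mail and not code from any lpd distribution. It assumes nothing about lpd beyond what the post shows: a fixed-size line buffer filled one byte at a time from a network descriptor until a newline. The buffer size, the pipe-based feeder and the sample control lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed: a small buffer so the over-long case is easy to exercise. */
#define LINE_BUF 64

/* Mirrors the recvjob.c loop: one byte per read(), no check of how far cp
 * has advanced into line[]. Returns bytes stored, or -1 when the peer goes
 * away before a newline. Kept for contrast only: a line longer than the
 * caller's buffer is written past its end. */
static ssize_t read_line_unbounded(int fd, char *line)
{
        char *cp = line;
        ssize_t size;
        do {
                if ((size = read(fd, cp, 1)) != 1)
                        return -1;      /* lost connection or EOF mid-line */
        } while (*cp++ != '\n');
        return cp - line;
}

/* Hardened form: the caller passes the buffer size and the loop stops one
 * byte short of the end so the result can always be NUL-terminated.
 * Returns bytes stored (excluding the NUL), -1 on read error or EOF,
 * -2 when the line does not fit (what was read stays in line[], the rest
 * is left unread so the caller can drop the request). */
static ssize_t read_line_bounded(int fd, char *line, size_t len)
{
        size_t n = 0;
        if (len == 0)
                return -2;
        while (n < len - 1) {
                char c;
                if (read(fd, &c, 1) != 1) {
                        line[n] = '\0';
                        return -1;
                }
                line[n++] = c;
                if (c == '\n') {
                        line[n] = '\0';
                        return (ssize_t)n;
                }
        }
        line[n] = '\0';
        return -2;      /* control line too long for the buffer: reject it */
}

/* Constructed feeder: writes a byte string into a pipe and returns the
 * read end, so both readers can be driven without a real print peer.
 * Returns -1 if the pipe cannot be set up. */
static int feed_payload(const char *payload)
{
        int fds[2];
        size_t plen = strlen(payload);
        if (pipe(fds) != 0)
                return -1;
        if (write(fds[1], payload, plen) != (ssize_t)plen) {
                close(fds[0]);
                close(fds[1]);
                return -1;
        }
        close(fds[1]);          /* EOF after the payload */
        return fds[0];
}

/* Convenience wrapper: feed one payload and read it with the bounded reader. */
static ssize_t bounded_result(const char *payload, char *line, size_t len)
{
        int fd = feed_payload(payload);
        if (fd < 0)
                return -1;
        ssize_t r = read_line_bounded(fd, line, len);
        close(fd);
        return r;
}

int main(void)
{
        char line[LINE_BUF];
        char big[128];
        memset(big, 'A', sizeof big - 2);   /* constructed over-long line */
        big[sizeof big - 2] = '\n';
        big[sizeof big - 1] = '\0';

        printf("short line : %zd\n", bounded_result("cfA001printhost\n", line, sizeof line));
        printf("over-long  : %zd (kept %zu bytes)\n",
               bounded_result(big, line, sizeof line), strlen(line));
        printf("no newline : %zd\n", bounded_result("abc", line, sizeof line));
        return 0;
}
```

The bounded reader treats an over-long control line as a protocol error rather than silently truncating it, which is the response a receiving daemon wants: the job is refused and nothing downstream sees a line whose tail was dropped.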
