[6539] in bugtraq


Nasty security hole in "lprm"

daemon@ATHENA.MIT.EDU (Chris Evans)
Mon Apr 20 03:25:55 1998

Date: 	Sat, 18 Apr 1998 15:42:11 +0100
Reply-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG

Hi,

I've found a local->root compromise in the lprm program, as shipped in
RedHat 4.2 and RedHat 5.0. Other systems untested.

There is a prerequisite to exploiting this, that a remote printer be
defined (rm field).

If trying to remove entries from a remote queue, the args given are
basically strcat()'ed into a static buffer.

Thus:

lprm -Psome_remote `perl -e 'print "a" x 2000'`
Segmentation fault

gdb confirms the program is attempting to execute code at 0x41414141

Other potential problems include assumptions about host name max lengths,
dubious /etc/printcap parsing (but it seems user defined printcap files
are not allowed). There is also a blatant strcpy(buf, getenv("something"))
but luckily it is #ifdef'ed out. File/filename handling looks iffy at
times too.

It is scary that this was found in a mere 5 mins of auditing. I sincerely
believe the BSD line printer system has no place on a secure system. When
I get more time I might well look for other problems; I would not be
surprised to find some. The lpr package is in need of an audit. If the
great folks at OpenBSD have already done this, maybe others should nab
their source code :-)

Cheers
Chris
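Added example, not from the post or from the lpr sources: the bounds-checked shape of the argument concatenation the post describes, next to a constructed reproduction of the 2000-byte argument. The buffer size and the "queue arg arg..." layout are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size is an assumption for this example; the post does not give lprm's. */
#define CMDBUF_SIZE 256

/* Bounds-checked counterpart of the unchecked strcat() loop described in the
 * post: appends "<queue> <arg> <arg>..." into a fixed buffer and refuses any
 * input that would not fit, instead of overrunning it. Returns the length
 * written, or -1 (buffer emptied) if the arguments do not fit. */
int build_request(char *buf, size_t bufsz, const char *queue, int argc, char **argv)
{
    size_t used, n;
    int i;

    if (bufsz == 0 || (n = strlen(queue)) >= bufsz)
        return -1;
    memcpy(buf, queue, n + 1);
    used = n;
    for (i = 0; i < argc; i++) {
        n = strlen(argv[i]);
        /* need 1 byte for the space, n for the arg, 1 for the NUL */
        if (n + 1 >= bufsz - used) {
            buf[0] = '\0';
            return -1;
        }
        buf[used++] = ' ';
        memcpy(buf + used, argv[i], n + 1);
        used += n;
    }
    return (int)used;
}

/* Constructed samples: a normal job list, and a 2000-byte argument like the
 * `perl -e 'print "a" x 2000'` reproduction in the post. */
int demo_normal(void)
{
    char buf[CMDBUF_SIZE];
    char *args[] = { "123", "456" };
    return build_request(buf, sizeof buf, "some_remote", 2, args);
}

int demo_oversized(void)
{
    char buf[CMDBUF_SIZE], big[2001];
    char *args[] = { big };
    memset(big, 'a', 2000);
    big[2000] = '\0';
    return build_request(buf, sizeof buf, "some_remote", 1, args);
}

int main(void)
{
    printf("normal: %d, oversized: %d\n", demo_normal(), demo_oversized()); /* 19, -1 */
    return 0;
}
```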
