[1133] in bugtraq
Re: lpr/lpd problems
daemon@ATHENA.MIT.EDU (Nathan Lawson)
Tue Feb 28 15:33:39 1995
From: nlawson@statler.csc.calpoly.edu (Nathan Lawson)
To: irj@btc.uwe.ac.uk
Date: Tue, 28 Feb 1995 10:48:16 -0800 (PST)
Cc: bugtraq@fc.net
In-Reply-To: <9502281229.AA08383@btc.uwe.ac.uk> from "irj@btc.uwe.ac.uk" at Feb 28, 95 12:29:03 pm
>> I have heard rumors of security problems associated with the BSD-style
>> lpr/lpd printing system. Does anyone know anything about this?
>
> Sun systems (4.1.3_U1) patch # 101434-03 lpr Jumbo patch fixes:
> lpr checks real rather than effective user
> lpr -s -t can be used to remove any file in /
And of course, there's the famous old one that used creat() instead of
open(..,O_EXCL|O_CREAT). The exploit can be found in the 8lgm advisory for
lpr.
--
Nathan Lawson | "One of the advantages of using UNIX to teach an operating
CSL 490 Admin | systems course is the sources and documentation will easily
756-7180 @Work | fit into a student's briefcase." -- John Lions (1976)
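
An added example, not part of the original message and not the 8lgm exploit: it shows the general difference between the two calls named above when the target name already exists as a symlink. The function names, file names and temp directory are hypothetical and the scenario is constructed.

```c
#define _XOPEN_SOURCE 700 /* mkdtemp(), symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Old pattern: creat() is open(path, O_WRONLY|O_CREAT|O_TRUNC, mode). It
 * follows an existing symlink and truncates whatever the link points to. */
int create_unsafe(const char *path) { return creat(path, 0600); }

/* Hardened pattern: O_EXCL makes the call fail with EEXIST if the name
 * already exists, including when the name is a symlink. */
int create_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private temp dir: "spool" is a pre-planted
 * symlink to "victim". Returns 0 when the O_EXCL open was refused and left
 * victim intact while creat() truncated it; 1 otherwise; -1 on setup error. */
int demo(void) {
    char dir[] = "/tmp/excl-demo-XXXXXX";
    char victim[64], spool[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(spool, sizeof spool, "%s/spool", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f); /* 15 bytes */
    fclose(f);
    if (symlink(victim, spool) != 0) return -1;
    int fd = create_safe(spool);
    int safe_refused = (fd == -1 && errno == EEXIST);
    long after_safe = file_size(victim);
    if (fd >= 0) close(fd);
    fd = create_unsafe(spool);
    long after_unsafe = file_size(victim);
    if (fd >= 0) close(fd);
    unlink(spool); unlink(victim); rmdir(dir);
    return (safe_refused && after_safe == 15 && after_unsafe == 0) ? 0 : 1;
}

int main(void) { int r = demo(); printf("demo %s\n", r ? "failed" : "ok"); return r; }
```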