Hi,

I've found a local->root compromise in the lprm program, as shipped with RedHat4.2 and RedHat5.0. Other systems untested.

There is a prerequisite to exploiting this: a remote printer must be defined (rm field). If trying to remove entries from a remote queue, the args given are basically strcat()'ed into a static buffer. Thus:

  lprm -Psome_remote `perl -e 'print "a" x 2000'`
  Segmentation fault

gdb confirms the program is attempting to execute code at 0x41414141.

Other potential problems include assumptions about host name max lengths, and dubious /etc/printcap parsing (but it seems user-defined printcap files are not allowed). There is also a blatant strcpy(buf, getenv("something")), but luckily it is #ifdef'ed out. File/filename handling looks iffy at times too.

It is scary that this was found in a mere 5 mins of auditing. I sincerely believe the BSD line printer system has no place on a secure system. When I get more time I might well look for other problems; I would not be surprised to find some. The lpr package is in need of an audit. If the great folks at OpenBSD have already done this, maybe others should nab their source code :-)

Cheers
Chris
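The pattern the post describes, reduced to a stand-alone C example added here (this is not the lprm source, and the buffer size, function names and request layout are assumptions for illustration): argv-controlled strings are strcat()'ed into a fixed static buffer with no length check, next to a bounded builder that refuses input it cannot hold. The unsafe routine is shown for reading only; the code measures how many bytes it would write instead of triggering the overflow.

```c
/* Added example, not lprm's code. Models "arguments strcat()'ed into a
 * static buffer" and a bounded replacement. REQBUF_SIZE is an assumption. */
#include <stdio.h>
#include <string.h>

#define REQBUF_SIZE 64   /* assumed size; the real lprm buffer is not given */

/* Vulnerable shape: each argument is appended with no check that it fits.
 * Kept for reference; calling it with the 2000-byte argument IS the overflow,
 * so nothing below invokes it. */
static char reqbuf[REQBUF_SIZE];
static void build_request_unsafe(const char *printer, int nargs, char **args)
{
    strcpy(reqbuf, printer);
    for (int i = 0; i < nargs; i++) {
        strcat(reqbuf, " ");
        strcat(reqbuf, args[i]);   /* runs past reqbuf once args are long */
    }
}

/* Bytes the unsafe chain would write (including the NUL). This lets the
 * overflow condition be checked without executing it. */
size_t request_length(const char *printer, int nargs, char **args)
{
    size_t n = strlen(printer) + 1;
    for (int i = 0; i < nargs; i++)
        n += 1 + strlen(args[i]);
    return n;
}

/* Bounded append: copy only if the whole piece plus NUL fits, else fail. */
static int append_bounded(char *dst, size_t cap, const char *s)
{
    size_t used = strlen(dst), add = strlen(s);
    if (add >= cap - used)
        return -1;
    memcpy(dst + used, s, add + 1);
    return 0;
}

/* Hardened builder: returns 0 and fills dst, or -1 with dst emptied. */
int build_request_safe(char *dst, size_t cap, const char *printer,
                       int nargs, char **args)
{
    if (cap == 0)
        return -1;
    dst[0] = '\0';
    if (append_bounded(dst, cap, printer) < 0)
        return -1;
    for (int i = 0; i < nargs; i++) {
        if (append_bounded(dst, cap, " ") < 0 ||
            append_bounded(dst, cap, args[i]) < 0) {
            dst[0] = '\0';
            return -1;
        }
    }
    return 0;
}

/* The report's case, constructed inline: -Psome_remote plus one 2000-byte
 * argument (perl -e 'print "a" x 2000'). Returns 1 if the unsafe chain would
 * exceed REQBUF_SIZE and the bounded builder rejects it. */
int report_case_overflows(void)
{
    static char longarg[2001];
    char out[REQBUF_SIZE];
    char *args[1] = { longarg };
    memset(longarg, 'a', 2000);
    longarg[2000] = '\0';
    return request_length("some_remote", 1, args) > REQBUF_SIZE &&
           build_request_safe(out, sizeof out, "some_remote", 1, args) == -1;
}

/* A benign request (job number and user) that fits and builds correctly. */
int short_case_builds(void)
{
    char out[REQBUF_SIZE];
    char *args[2] = { "123", "jdoe" };
    return build_request_safe(out, sizeof out, "some_remote", 2, args) == 0 &&
           strcmp(out, "some_remote 123 jdoe") == 0;
}

int main(void)
{
    (void)build_request_unsafe;  /* present for reading, deliberately unused */
    printf("2000-byte arg overflows %d-byte buffer: %s\n", REQBUF_SIZE,
           report_case_overflows() ? "yes" : "no");
    printf("short request builds safely: %s\n",
           short_case_builds() ? "yes" : "no");
    return 0;
}
```

The check that matters is in append_bounded: the remaining capacity is computed from the current length before each copy, so a long argument fails cleanly instead of writing past the buffer. The alternative of sizing the buffer from request_length() at runtime also works, but the fail-closed version is the one to reach for when the input comes from an untrusted argv.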
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:49:37 PDT