Hi.

While setting up the HylaFAX package of S.u.S.E. Linux 5.1 I found some nice security holes in the fax filter.

1. The spool file (fax_$USER.ps) is created with mode 666 and has UID/GID 'lp'. This bug allows modification of the spool file, which doesn't seem very dangerous, but think about a fax which contains the company's logo, the name of a top manager and some malicious information.

   Solution: set umask in the filter script.

2. Another scary fact is that the filter script doesn't check for an already existing "spool" file or link. Now an attacker is able to overwrite files with the permissions of 'lp' and to modify the file (mode: 666). The attacker is also able to exploit possible holes in 'lpd' by creating malicious spool files, and s/he could execute commands with the UID of 'lp' by creating and rewriting filter scripts that are in /etc/printcap but aren't created. If the attacker could access the faxspool directory and user 'lp' owns the filter script, s/he has the ability to overwrite the script, which leads to a DoS attack (hm, what would happen if the attacker links the spool file to /dev/null or /dev/zero?).

   Solution: use the builtin shell command 'test', or better, recode the filter script in C/C++ or Perl using open(O_EXCL|O_CREAT) and use another spool directory; otherwise a local (maybe remote) DoS attack still exists.

3. If the attacker is able to remotely set a username of his/her own choice, i.e. `echo "+ +" > ~lp/.rhosts`, by faking the network protocol of the HylaFAX system, s/he could gain remote access to the HylaFAX server...

   ... it's a bad idea to set a shell in /etc/passwd for the user 'lp'.

I notified the auditing team of suse.de about these bugs... I hope they will release a patch as soon as possible.

Greets,
Thomas Biege
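As an added illustration (not part of Thomas Biege's post and not HylaFAX's own code), the C program below reproduces the point-2 problem in a scratch directory and shows the fix he suggests. It plants a symlink at the spool name, demonstrates that creating the spool file with O_CREAT alone writes straight through the link and clobbers the link's target, and that open(O_CREAT|O_EXCL) with an explicit 0600 mode refuses with EEXIST instead. The directory, file names and contents are constructed for the demo; O_NOFOLLOW is an extra precaution the post does not mention, and the umask(077) call stands in for the "set umask in the filter script" fix from point 1.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for mkdtemp(3) and O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive spool-file creation, as the original filter script effectively did:
 * O_CREAT without O_EXCL follows a symlink the attacker planted at the spool
 * path and truncates whatever it points to; mode 0666 under a permissive
 * umask also leaves the result world-writable. */
static int open_spool_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened creation: with O_EXCL, open() fails with EEXIST if anything,
 * including a symlink (even a dangling one), already exists at the path.
 * O_NOFOLLOW is belt-and-braces; mode 0600 keeps the file private to the
 * creating user regardless of the inherited umask. */
static int open_spool_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a scratch directory with a "victim" file (standing in
 * for any file the 'lp' user may write) and, at the spool name, an
 * attacker-planted symlink pointing at that victim. */
struct scenario {
    char dir[32];
    char victim[64];
    char spool[64];
};

static int scenario_setup(struct scenario *s)
{
    strcpy(s->dir, "/tmp/faxrace.XXXXXX");
    if (mkdtemp(s->dir) == NULL)
        return -1;
    snprintf(s->victim, sizeof s->victim, "%s/victim.txt", s->dir);
    snprintf(s->spool, sizeof s->spool, "%s/fax_lp.ps", s->dir);
    int fd = open(s->victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    close(fd);
    return symlink(s->victim, s->spool); /* the attacker's move */
}

static void scenario_teardown(struct scenario *s)
{
    unlink(s->spool);
    unlink(s->victim);
    rmdir(s->dir);
}

/* Returns 1 if the victim file still holds its original content. */
static int victim_intact(const struct scenario *s)
{
    char buf[16] = {0};
    int fd = open(s->victim, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n == 8 && memcmp(buf, "original", 8) == 0;
}

/* Returns 1 when the naive open wrote through the symlink and replaced the
 * victim's content with the "fax" data, 0 if the victim survived, -1 on
 * setup failure. */
int naive_open_clobbers_victim(void)
{
    struct scenario s;
    if (scenario_setup(&s) < 0)
        return -1;
    int fd = open_spool_naive(s.spool);
    if (fd >= 0) {
        (void)write(fd, "ATTACKER", 8);
        close(fd);
    }
    int clobbered = !victim_intact(&s);
    scenario_teardown(&s);
    return clobbered;
}

/* Returns the errno the hardened open failed with (EEXIST expected), 0 if it
 * wrongly succeeded, -2 if the victim was modified anyway, -1 on setup failure. */
int safe_open_refuses_symlink(void)
{
    struct scenario s;
    if (scenario_setup(&s) < 0)
        return -1;
    int fd = open_spool_safe(s.spool);
    int err = (fd < 0) ? errno : 0;
    if (fd >= 0) {
        (void)write(fd, "ATTACKER", 8);
        close(fd);
    }
    int intact = victim_intact(&s);
    scenario_teardown(&s);
    return intact ? err : -2;
}

int main(void)
{
    umask(077); /* point 1 of the post: don't rely on the inherited umask */
    printf("naive open clobbers victim: %d\n", naive_open_clobbers_victim());
    printf("safe open fails with errno %d (EEXIST=%d)\n",
           safe_open_refuses_symlink(), EEXIST);
    return 0;
}
```

The reason O_EXCL beats a shell `test -e` check, as the post hints with "otherwise a local (maybe remote) DoS attack still exists", is that a separate check leaves a window between the test and the create in which the attacker can plant the link; the kernel performs the O_CREAT|O_EXCL create atomically, and fails it on a symlink whether or not the link's target exists.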
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:24 PDT