> From owner-bugtraqat_private Fri Jul 2 09:09:25 1999
> Date: Fri, 2 Jul 1999 11:38:13 +1000
> From: Chris Leishman <masklinat_private>
> Subject: Security problem with LPRng
> To: BUGTRAQat_private
>
> Hi all,
>
> During some recent work I've been doing with LPRng, I found that it is
> possible (on a default LPRng installation) to control the print queues on
> the LPRng server.
>
> Most default installations allow the root user at the localhost to send
> control commands to the LPRng lpd server. The authentication used is to
> make sure that the packets are sent from a low (privileged) source port
> (RFC1179 specifies ports 721-731, although the LPRng howto specifies that
> this has been extended to 512-1023). This is why the lpc utility is usually
> installed SUID root.
>
> However, it appears that LPRng's lpd server fails to check the source port
> correctly, so using a modified client that uses ports outside the allowed
> range the server will accept the command.
>
> An exploit that uses this technique to stop or start a print queue is appended
> to this advisory. It was written and tested on Debian GNU/Linux. It is used
> in the following way:
>
> host:~$ /usr/sbin/lpc status
> Printer Printing Spooling Jobs Server Slave Redirect Status/Debug
> lp@host enabled enabled 0 none none
> host:~$ gcc lpcontrol.c
> host:~$ ./a.out
> Usage: ./a.out printer [stop|start]
> host:~$ ./a.out lp stop
> host:~$ /usr/sbin/lpc status
> Printer Printing Spooling Jobs Server Slave Redirect Status/Debug
> lp@host disabled enabled 0 none none
> host:~$
>
> The author (papowellat_private) has been notified, but the problem has not
> been fully acknowledged. Aside from a lot of random (and generally useless)
> commentary regarding the insecurity of LPRng, NFS, SUID root programs, etc, the
> only useful suggestion was to add
>
> REJECT=X NOT PORT=1-1023
>
> to the lpd.perms control file.
>
> One thing that he did mention is quoted below:
>
> > You don't consider SETUID ROOT programs such as a particular
> > implementation of lpq that has a stack overflow problem when
> > you return long status to be a problem...
>
> I haven't looked for stack overflows in detail yet, but this is a little
> concerning since the default is to install lpq, lpc, etc SUID root. While
> I hope to have a good look into it, the code is extremely difficult to follow.
>
> Have a nice day all,
>
> Chris Leishman

As I have noted to Mr. Leishman, you can configure the security options in
LPRng to check the originating port:

# check originating ports on connections
REJECT SERVICE=X NOT PORT=721-731

I will throw the above line into the default /etc/lpd.conf shipped with LPRng
on the next release, but I repeat: THIS IS NOT REPEAT NOT A FIX FOR A LPRng
SECURITY PROBLEM. THE PROBLEM IS THAT THE RFC1179 PROTOCOL IS INHERENTLY
UNRELIABLE FOR AUTHENTICATION.

I consider running LPRng and any other print server SUID root a major security
issue, have stated this, have written warnings about this, and so forth, but
due to the large number of inexperienced system administrators and other users
who have problems dealing with connection issues to other systems, have been
forced by the large volume of 'reported problems connecting to other systems'
to make the default install SUID root.

I will note that using port origination as an authentication mechanism has
been shown to be highly susceptible to various attacks, and while I have
provided a mechanism to check for and enforce connection origination and
checking, I place absolutely no reliance on this, and warn that there are many
known methods to impersonate and forge connections from systems that will
compromise this security mechanism. If you need to provide an authentication
mechanism, LPRng has the ability to use PGP, Kerberos, or a user developed
mechanism for authentication.

Patrick Powell

Patrick Powell                 Astart Technologies,
papowellat_private             9475 Chesapeake Drive, Suite D,
Network and System             San Diego, CA 92123
Consulting                     619-874-6543 FAX 619-279-8424
LPRng - Print Spooler (http://www.astart.com)
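Added illustration, not LPRng's own code: a constructed, simplified evaluator for the lpd.perms rule format quoted in this thread, showing that with no port rule a control connection from an unprivileged source port is accepted, and that the suggested REJECT line turns it away. The rule subset understood, the permissive ACCEPT default, and the sample connections are assumptions made for the example.

```python
# Constructed, simplified model of the lpd.perms rule format quoted above.
# Not LPRng's real parser: it understands only ACCEPT/REJECT, SERVICE=,
# PORT= and a NOT prefix; the first rule whose conditions all hold decides.

def parse_perms(text):
    """Parse lines like 'REJECT SERVICE=X NOT PORT=721-731'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, *tokens = line.split()
        action = action.upper()
        if action not in ("ACCEPT", "REJECT"):
            raise ValueError(f"bad rule: {raw!r}")
        conds, negate = [], False
        for tok in tokens:
            if tok.upper() == "NOT":          # NOT applies to the next key
                negate = True
                continue
            key, _, val = tok.partition("=")
            conds.append((key.upper(), val, negate))
            negate = False
        rules.append((action, conds))
    return rules

def cond_matches(key, val, conn):
    """True when one condition matches the connection's service or port."""
    if key == "SERVICE":
        return conn["service"].upper() in val.upper()
    if key == "PORT":
        lo, _, hi = val.partition("-")        # '721-731' or a single port
        return int(lo) <= conn["port"] <= int(hi or lo)
    raise ValueError(f"unsupported key: {key}")

def decide(rules, conn, default="ACCEPT"):
    """Assumed permissive default, modelling the default install described."""
    for action, conds in rules:
        if all(cond_matches(k, v, conn) != neg for k, v, neg in conds):
            return action
    return default

# Constructed inputs: an empty (weak) policy and the line Powell suggests.
WEAK_PERMS = "# no originating-port check\n"
HARDENED_PERMS = ("# check originating ports on connections\n"
                  "REJECT SERVICE=X NOT PORT=721-731\n")
FROM_LOW_PORT = {"service": "X", "port": 722}     # e.g. the SUID-root lpc
FROM_HIGH_PORT = {"service": "X", "port": 40000}  # unprivileged client
# Caveat from the thread: a host that controls its own stack can choose any
# source port, so this rule is a filter, not an authentication mechanism.
```

Run `decide(parse_perms(HARDENED_PERMS), FROM_HIGH_PORT)` to see the high-port connection rejected; the same call with `WEAK_PERMS` accepts it.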