l0pht.00-01-08.lpd

Posted Jan 12, 2000
Authored by Dildog

L0pht Advisory - A remote user can execute arbitrary code on a properly configured Linux LPD server.

tags | remote, arbitrary
systems | linux
SHA-256 | 09a305e3e24195a53ab09f9a992de2f278d9d4743d6570f174bdd602e7df59f1

                       L0pht Security Advisory

Advisory Name: Quadruple Inverted Backflip
Advisory Released: 1/8/00
Application: LPD on RedHat Linux 4.x, 5.x, 6.x
Severity: A remote user can execute arbitrary code on a properly
configured Linux LPD server.
Status: Vendor contacted, fixes available.
Author: dildog@l0pht.com
WWW: http://www.l0pht.com/advisories.html

Overview:

As suggested by the name, this is a relatively complex vulnerability
to exploit, but it can be done. The problem lies in the fact that although
SNI (now NAI) found a whole bunch of problems in BSD LPD two years ago, for
some unknown reason, the majority of these problems still affect Linux LPD.
It's harder to exploit now, but it's still possible. The exploit allows any
user who can print to an LPD server to gain 'bin' user and 'root' group access
to the system remotely.

Description:

The problems being exploited here are four-fold.

1. LPD allows remote machines to print files without having been granted
access to LPD, because LPD compares the reverse-resolved name of the accepted
socket's peer address with the name returned by gethostname() on the server,
and if the two match, grants access without question. Hence, if you're the
master of your own DNS, simply make your IP address reverse-resolve to the
same hostname as the LPD server, and you have access to it.

2. LPD allows you to send as many data files to the printer spooler directory
as you want. These files can be binaries, text, or otherwise.

3. LPD allows you to specify anything you want in the 'control file' (often
named cfBLAHBLAHBLAHBLAH in /var/spool/lpd/<printer>/ ), even host names
and other things that don't exist.

4. LPD allows you to specify an argument to /usr/sbin/sendmail and execute it.
This is done by specifying that LPD should send mail back to the print job
owner when the print job is completed ('M' in the cf file). However, the
sendmail argument in the LPD cf file doesn't have to be an email address;
it can be a sendmail option, such as '-C<alternateconfigfilepath>'.

So, we have the unfortunate result that one can send several data files to
print, including a disguised sendmail configuration file, after which a cf
file is sent along, requesting that sendmail be invoked with the configuration
file that is sent over.
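A defender-side check for the fourth point, added here as an example (it is not part of the advisory or of the lpr package): it audits the control files in an LPD spool directory and flags any 'M' line whose operand would reach /usr/sbin/sendmail as an option rather than as a mailbox. The sample control files, file names and regular expressions are constructed for the example.

```python
import os
import re

# Constructed patterns: an 'M' operand beginning with '-' is a sendmail option,
# not a user to notify.  RFC 1179 says 'M' carries the name of the user to mail.
OPTION_LIKE = re.compile(r"^\s*-")
MAILBOX_OK = re.compile(r"^[A-Za-z0-9._%+-]+(@[A-Za-z0-9.-]+)?$")

def audit_control_file(text):
    """Audit one LPD control file (a cfXXX file in /var/spool/lpd/<printer>/).

    Returns a list of (line_no, reason) for every 'M' (mail-when-done) line
    whose operand is not a plain mailbox.  Assumes the RFC 1179 layout: one
    command letter per line, immediately followed by its operand.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line[0] != "M":
            continue
        operand = line[1:]
        if OPTION_LIKE.match(operand):
            findings.append((n, "sendmail option in M operand: %r" % operand))
        elif not MAILBOX_OK.match(operand):
            findings.append((n, "M operand is not a plain mailbox: %r" % operand))
    return findings

def audit_spool_dir(path):
    """Scan every cf* file under a spool directory; returns {filename: findings}."""
    report = {}
    for name in sorted(os.listdir(path)):
        if not name.startswith("cf"):
            continue
        with open(os.path.join(path, name), errors="replace") as fh:
            hits = audit_control_file(fh.read())
        if hits:
            report[name] = hits
    return report

# Constructed sample control files (not captured from a real spool).
BENIGN_CF = "Hprintserver\nPalice\nJreport.txt\nMalice\nfdfA001printserver\nUdfA001printserver\n"
SUSPICIOUS_CF = "Hprintserver\nPbin\nJjob\nM-C/tmp/example.cf\nfdfA002printserver\n"

if __name__ == "__main__":
    for label, cf in (("benign", BENIGN_CF), ("suspicious", SUSPICIOUS_CF)):
        print(label, audit_control_file(cf))
```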

Quick solution:

Download the fix from RedHat at:

Red Hat Linux 6.x:

Intel:
ftp://updates.redhat.com/6.1/i386/lpr-0.48-1.i386.rpm

Alpha:
ftp://updates.redhat.com/6.1/alpha/lpr-0.48-1.alpha.rpm

Sparc:
ftp://updates.redhat.com/6.1/sparc/lpr-0.48-1.sparc.rpm

Source packages:
ftp://updates.redhat.com/6.1/SRPMS/lpr-0.48-1.src.rpm


Red Hat Linux 5.x:

Intel:
ftp://updates.redhat.com/5.2/i386/lpr-0.48-0.5.2.i386.rpm

Alpha:
ftp://updates.redhat.com/5.2/alpha/lpr-0.48-0.5.2.alpha.rpm

Sparc:
ftp://updates.redhat.com/5.2/sparc/lpr-0.48-0.5.2.sparc.rpm

Source packages:
ftp://updates.redhat.com/5.2/SRPMS/lpr-0.48-0.5.2.src.rpm


Red Hat Linux 4.x:

Intel:
ftp://updates.redhat.com/4.2/i386/lpr-0.48-0.4.2.i386.rpm

Alpha:
ftp://updates.redhat.com/4.2/alpha/lpr-0.48-0.4.2.alpha.rpm

Sparc:
ftp://updates.redhat.com/4.2/sparc/lpr-0.48-0.4.2.sparc.rpm

Source packages:
ftp://updates.redhat.com/4.2/SRPMS/lpr-0.48-0.4.2.src.rpm


Or, disable LPD cuz something tells me there's a bunch of other
problems in there too. Someone needs to audit that thing. There ain't no quick
fix for this one.



Exploit:

http://www3.l0pht.com/~dildog/qib.tgz
Read the README that's in there.

That's all folks.

dildog@l0pht.com

[ For more advisories check out http://www.l0pht.com/advisories.html ]

