SNI-09.LPD_OVERFLOW.advisory

SNI-09.LPD_OVERFLOW.advisory
Posted Sep 23, 1999

FreeBSD lpd Security Vulnerability

tags | overflow
systems | freebsd
SHA-256 | 314ffa172340e2ee53d7aeab22c39b92067fd1c5ef08e1cb46048ed6645c3ddf


Secure Networks Inc.

Security Advisory
March 5, 1997

FreeBSD lpd Security Vulnerability


There is a serious security vulnerability in all FreeBSD lpd implementations.
This vulnerability allows remote users to gain unauthorized root access to any
system allowing connections to the line printer daemon (lpd).

A user is not required to be in lpd's access list (/etc/hosts.lpd) to exploit
this vulnerability, as the problem occurs while lpd is attempting to determine
whether the host is permitted to connect.


Problem Description
~~~~~~~~~~~~~~~~~~~

The vulnerability is present in the source file lib/libc/net/rcmd.c, which
contains the function __ivaliduser(). This function is used by the line
printer daemon (lpd) to determine whether the user connecting to the daemon
is in its access list (contained in /etc/hosts.lpd). When performing a
domain name lookup on the connecting IP address, the resulting response is
copied into a fixed size buffer of size MAXHOSTNAMELEN (256 bytes). Since
DNS responses containing a hostname and domain name are currently allowed to
exceed 256 bytes, overflow can occur. The faulty code follows:


if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
return (-1);
strcpy(hname, hp->h_name);

The string copy is done without any bounds checking. Corrected code looks as
follows:

if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
return (-1);
strncpy(hname, hp->h_name, sizeof(hname));
hname[sizeof(hname)-1] = '\0';
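As an added illustration (not code from the advisory or from FreeBSD's rcmd.c), the following stand-alone C program places the advisory's strncpy() fix beside a stricter variant that refuses an over-long resolver answer instead of truncating it. HNAME_LEN, the function names and the constructed hostname are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for MAXHOSTNAMELEN; the advisory gives 256 bytes. */
#define HNAME_LEN 256

/*
 * Variant 1: the advisory's own fix. strncpy() stops at the buffer size
 * and the explicit terminator covers the case where h_name is longer than
 * the buffer. Names that do not fit are silently cut short. Note the size
 * is passed as a constant: sizeof() on a pointer parameter would not give
 * the buffer length.
 */
int copy_hname_truncate(char hname[HNAME_LEN], const char *h_name)
{
    strncpy(hname, h_name, HNAME_LEN);
    hname[HNAME_LEN - 1] = '\0';
    return 0;
}

/*
 * Variant 2 (added here, not from the advisory): treat an over-long
 * resolver answer like a failed lookup and return -1, so a truncated
 * name is never compared against the access list.
 */
int copy_hname_reject(char hname[HNAME_LEN], const char *h_name)
{
    size_t n = strlen(h_name);
    if (n >= HNAME_LEN)
        return -1;
    memcpy(hname, h_name, n + 1);
    return 0;
}

/* Build a constructed reverse-DNS answer of `len` characters, with a
 * dot every 64 characters so each label stays within the DNS 63 limit. */
void make_long_name(char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (i % 64 == 63) ? '.' : 'a';
    out[len] = '\0';
}

int main(void)
{
    char hname[HNAME_LEN], longname[400];
    make_long_name(longname, 300);   /* longer than the 256-byte buffer */
    printf("truncate -> %d, strlen %zu\n",
           copy_hname_truncate(hname, longname), strlen(hname));
    printf("reject   -> %d\n", copy_hname_reject(hname, longname));
    return 0;
}
```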


Vulnerable Systems
~~~~~~~~~~~~~~~~~~

This security vulnerability only applies to the FreeBSD operating system.

FreeBSD 2.1.5 is vulnerable
FreeBSD 2.1.6 is vulnerable
FreeBSD 2.1.7 is vulnerable
FreeBSD 2.2 Gamma is vulnerable

FreeBSD 2.2 is not vulnerable

FreeBSD -current is vulnerable for dates prior to February 25, 1997

Corrected in -current, and -stable as of February 25, 1997.

Workaround
~~~~~~~~~~

If the system in question does not require the use of printing services, lpd
should be removed or commented out from the system startup file /etc/rc.

If you require the use of printing services, this vulnerability can be fixed
by applying the following patch to lib/libc/net/rcmd.c. This patch has been
known to apply to all FreeBSD 2.x systems.

--- CUT HERE ---

*** libc/lib/net/rcmd.c.old Tue Feb 25 15:33:42 1997
--- libc/lib/net/rcmd.c Tue Feb 25 15:33:56 1997
***************
*** 377,383 ****
if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
AF_INET)) == NULL)
return (-1);
! strcpy(hname, hp->h_name);

while (fgets(buf, sizeof(buf), hostf)) {
p = buf;
--- 377,384 ----
if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
AF_INET)) == NULL)
return (-1);
! strncpy(hname, hp->h_name, sizeof(hname));
! hname[sizeof(hname)-1] = '\0';

while (fgets(buf, sizeof(buf), hostf)) {
p = buf;
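Review bot: the replacement lines `! strncpy(hname, hp->h_name, sizeof(hname));` and `! hname[sizeof(hname)-1] = '\0';` close the overflow but silently truncate a resolver answer longer than the buffer, and the truncated hname is then matched against the hostf lines read in the following loop; consider returning -1, as the gethostbyaddr() failure path two lines above already does, when strlen(hp->h_name) >= sizeof(hname), so a cut-down name is never compared against the access list. Also worth confirming that hname is a local array in this function, since sizeof(hname) yields only the pointer size if it is a pointer.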

--- CUT HERE ---

At this point, libc will have to be recompiled. lpd is shipped dynamically
linked under FreeBSD, therefore the fix will take effect without recompiling
lpd itself.


Attributions
~~~~~~~~~~~~

Information about FreeBSD can be found at http://www.freebsd.org

You can contact the author of this advisory at oliver@secnet.com

Type Bits/KeyID Date User ID
pub 1024/0E7BBA7D 1996/09/18 Oliver Friedrichs <oliver@secnet.com>



Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"
