From ksrt@dec.net Mon Oct 27 13:47:52 1997
Date: Sat, 25 Oct 1997 08:22:39 -0700
From: "KSR[T]" <ksrt@dec.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: KSR[T] Advisory #004: printfilter / groff / lpd

-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

                                                          KSR[T] Advisory #004
                                                          Date:   Oct  6, 1997
                                                          ID #:   lin-lpdg-004

Operating System(s): Redhat Linux 4.2

Affected Program:    lpd / printfilter / groff

Problem Description: The printfilter software package that comes with
                     Redhat Linux is called by lpd to determine the type
                     of file that is being printed, and then to apply
                     the appropriate 'filter' so that the file will be
                     printed properly.

                     The 'filters' are usually shell scripts that call
                     a helper application.  The first problem is that
                     some of these filters use /tmp as scratch space,
                     which opens up a symlink attack for file creation
                     and file overwriting.  ( lpd is running as user bin,
                     group root )

                     The second problem is that a lot of the helper
                     applications were not built with security in mind.
                     One example of this is groff.

                     There are several troff/groff 'requests' that allow
                     commands to be executed.  The result is that anyone
                     with a simple understanding of troff can send
                     a troff document to a remote server, causing the
                     remote server to execute arbitrary commands as
                     user bin, group root.

                     It is important to note that other operating systems
                     may use a print filter that will use applications
                     like troff.  They are just as susceptible to attack as
                     the operating systems listed above.

Compromise:          local users can overwrite files writable by user bin
                     and/or group root.

                     local and remote users can execute commands as user
                     bin, group root.  From this point, a clever attacker
                     can obtain root.
Patch/Fix:

Erik Troan <ewt@redhat.com> has put updated RPMS online at:

ftp://ftp.redhat.com/updates/4.2/i386/groff-1.10-8.1.i386.rpm
ftp://ftp.redhat.com/updates/4.2/i386/rhs-printfilters-1.41.1-1.i386.rpm