
Date:	Mon, 5 Jul 1999 09:09:29 -0700
From:	papowell@ASTART.COM
Subject:      Re: Security problem with LPRng
To:	BUGTRAQ@NETSPACE.ORG

> From owner-bugtraq@netspace.org Fri Jul  2 09:09:25 1999
> Date: 	Fri, 2 Jul 1999 11:38:13 +1000
> From: Chris Leishman <masklin@DEBIAN.ORG>
> Subject:      Security problem with LPRng
> To: BUGTRAQ@netspace.org
>
> Hi all,
>
> During some recent work I've been doing with LPRng, I found that it is
> possible (on a default LPRng installation) to control the print queues on
> the LPRng server.
>
> Most default installations allow the root user at the localhost to send
> control commands to the LPRng lpd server.  The authentication used is to
> make sure that the packets are sent from a low (privileged) source port
> (RFC1179 specifies ports 721-731, although the LPRng howto specifies that
> this has been extended to 512-1023).  This is why the lpc utility is usually
> installed SUID root.
>
> However, it appears that LPRng's lpd server fails to check the source port
> correctly, so using a modified client that uses ports outside the allowed
> range the server will accept the command.
>
> An exploit that uses this technique to stop or start a print queue is appended
> to this advisory.  It was written and tested on Debian GNU/Linux.  It is used
> in the following way:
>
> host:~$ /usr/sbin/lpc status
>  Printer           Printing Spooling Jobs  Server   Slave Redirect Status/Debug
> lp@host             enabled  enabled    0    none    none
> host:~$ gcc lpcontrol.c
> host:~$ ./a.out
> Usage: ./a.out printer [stop|start]
> host:~$ ./a.out lp stop
> host:~$ /usr/sbin/lpc status
>  Printer           Printing Spooling Jobs  Server   Slave Redirect Status/Debug
> lp@host            disabled  enabled    0    none    none
> host:~$
>
>
> The author (papowell@astart.com) has been notified, but the problem has not
> been fully acknowledged.  Aside from a lot of random (and generally useless)
> commentary regarding the insecurity of LPRng, NFS, SUID root programs, etc, the
> only useful suggestion was to add
>
> REJECT=X NOT PORT=1-1023
>
> to the lpd.perms control file.
>
> One thing that he did mention is quoted below:
>
> >	You don't consider SETUID ROOT programs such as a particular
> >	implementation of lpq that has a stack overflow problem when
> >	you return long status to be a problem...
>
> I haven't looked for stack overflows in detail yet, but this is a little
> concerning since the default is to install lpq, lpc, etc SUID root.  While
> I hope to have a good look into it, the code is extremely difficult to follow.
>
>
> Have a nice day all,
>
> Chris Leishman
>
>

As I have noted to Mr. Leishman,  you can configure the security
options in LPRng to check the originating port:

# check originating ports on connections
REJECT SERVICE=X NOT PORT=721-731

I will throw the above line into the default /etc/lpd.conf shipped
with LPRng on the next release,  but I repeat:

   THIS IS NOT REPEAT NOT A FIX FOR A LPRng SECURITY PROBLEM.
   THE PROBLEM IS THAT THE RFC1179 PROTOCOL IS INHERENTLY
   UNRELIABLE FOR AUTHENTICATION.

I consider running LPRng and any other print server SUID root a
major security issue, have stated this,  have written warnings
about this, and so forth,  but due to the large number of inexperienced
system administrators and other users who have problems dealing
with connection issues to other systems,  have been forced by the
large volume of 'reported problems connecting to other systems' to
make the default install SUID root.

I will note that using port origination as an authentication
mechanism has been shown to be highly susceptible to various attacks,
and while I have provided a mechanism to check for and enforce
connection origination and checking,  I place absolutely no reliance
on this,  and warn that there are many known methods to impersonate
and forge connections from systems that will compromise this security
mechanism.

If you need to provide an authentication mechanism,  LPRng has
the ability to use PGP, Kerberos,  or a user-developed mechanism for
authentication.

Patrick Powell


Patrick Powell                 Astart Technologies,
papowell@astart.com            9475 Chesapeake Drive, Suite D,
Network and System             San Diego, CA 92123
  Consulting                   619-874-6543 FAX 619-279-8424
LPRng - Print Spooler (http://www.astart.com)
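A toy model of how an lpd.perms line such as `REJECT SERVICE=X NOT PORT=721-731` is evaluated against an incoming connection, added here as an illustration and not LPRng's own code. It handles only the subset of the grammar used in this thread (ACCEPT/REJECT, SERVICE=, NOT, PORT=) and assumes that a connection matching no line is accepted, which is how the default installation described above behaves.

```python
"""Toy evaluator for the lpd.perms subset discussed in the thread (not LPRng code)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Connection:
    service: str   # lpd.perms service letter; the thread uses X for the connection check
    src_port: int  # TCP source port the client connected from


@dataclass
class Rule:
    action: str                          # "ACCEPT" or "REJECT"
    conds: List[Tuple[str, str, bool]]   # (key, value, negated)


def parse_perms(text: str) -> List[Rule]:
    """Parse lpd.perms-style lines; '#' starts a comment, NOT negates the next key."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action, conds, negate = tokens[0].upper(), [], False
        for tok in tokens[1:]:
            if tok.upper() == "NOT":
                negate = True
                continue
            key, _, value = tok.partition("=")
            conds.append((key.upper(), value, negate))
            negate = False
        rules.append(Rule(action, conds))
    return rules


def _cond_holds(key: str, value: str, conn: Connection) -> bool:
    if key == "SERVICE":
        return conn.service in value            # value is a string of service letters
    if key == "PORT":
        lo, _, hi = value.partition("-")        # "721-731" or a single port "515"
        return int(lo) <= conn.src_port <= int(hi or lo)
    raise ValueError(f"unsupported lpd.perms key in this toy model: {key}")


def decide(rules: List[Rule], conn: Connection) -> str:
    """First matching line wins; with no matching line the connection is accepted (assumption)."""
    for rule in rules:
        if all(_cond_holds(k, v, conn) != neg for k, v, neg in rule.conds):
            return rule.action
    return "ACCEPT"


# Constructed sample configurations: the default (no port check) and the line from the reply.
DEFAULT_PERMS = parse_perms("ACCEPT SERVICE=X\n")
HARDENED_PERMS = parse_perms("# check originating ports on connections\n"
                             "REJECT SERVICE=X NOT PORT=721-731\n"
                             "ACCEPT SERVICE=X\n")
```

Run `decide(DEFAULT_PERMS, Connection("X", 40000))` against `decide(HARDENED_PERMS, Connection("X", 40000))` to see the difference the added line makes; as the reply stresses, this only filters on a client-chosen port and is not authentication.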