Redhat Linux 4.2 printfilter problems
Description: | Redhat 4.2 uses the "printfilter" software package called by lpd to determine the type of a file, unfortunately this program calls others which were not made to handle malicious data (such as groff). |
Author: | "KSR[T]" <ksrt@dec.net> |
Compromise: | root (local) |
Vulnerable Systems: | Redhat Linux 4.2 (maybe earlier) |
Date: | 6 October 1997 |
Date: Sat, 25 Oct 1997 08:22:39 -0700
From: "KSR[T]" <ksrt@dec.net>
To: best-of-security@cyber.com.au
Subject: BoS: KSR[T] Advisory #004: printfilter / groff / lpd
-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----
KSR[T] Advisory #004
Date: Oct 6, 1997
ID #: lin-lpdg-004
Operating System(s): Redhat Linux 4.2
Affected Program: lpd / printfilter / groff
Problem Description: The printfilter software package that comes with
Redhat Linux is called by lpd to determine the type
of file that is being printed, and then to apply
the appropriate 'filter' so that the file will be
printed properly.
The 'filters' are usually shell scripts that call
a helper application. The first problem is that
some of these filters use /tmp as scratch space,
which opens up a symlink attack for file creation
and file overwriting. ( lpd is running as user bin,
group root )
The second problem is that a lot of the helper
applications were not built with security in mind.
One example of this is groff.
There are several troff/groff 'requests' that allow
commands to be executed. The result is that anyone
with a simple understanding of troff can send
a troff document to a remote server, causing the
remote server to execute arbitrary commands as
user bin, group root.
It is important to note that other operating systems
may use a print filter that will use applications
like troff. They are just as susceptible to attack as
the operating systems listed above.
Compromise: local users can overwrite files writable by user bin
and/or group root.
local and remote users can execute commands as user
bin, group root. From this point, a clever attacker
can obtain root.
Patch/Fix:
Erik Troan <ewt@redhat.com> has put updated RPMS online at:
ftp://ftp.redhat.com/updates/4.2/i386/groff-1.10-8.1.i386.rpm
ftp://ftp.redhat.com/updates/4.2/i386/rhs-printfilters-1.41.1-1.i386.rpm
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: