Redhat Linux 4.2 printfilter problems

Summary
Description: Redhat 4.2 uses the "printfilter" software package, which is called by lpd to determine the type of a file; unfortunately this program calls other programs (such as groff) which were not made to handle malicious data.
Author: "KSR[T]" <ksrt@dec.net>
Compromise: root (local)
Vulnerable Systems: Redhat Linux 4.2 (maybe earlier)
Date: 6 October 1997
Details


Date: Sat, 25 Oct 1997 08:22:39 -0700
From: "KSR[T]" <ksrt@dec.net>
To: best-of-security@cyber.com.au
Subject: BoS:      KSR[T] Advisory #004: printfilter / groff / lpd


-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

                                                          KSR[T] Advisory #004
                                                          Date:   Oct  6, 1997
                                                          ID #:   lin-lpdg-004

Operating System(s): Redhat Linux 4.2

Affected Program:    lpd / printfilter / groff

Problem Description: The printfilter software package that comes with
                     Redhat Linux is called by lpd to determine the type
                     of file that is being printed, and then to apply
                     the appropriate 'filter' so that the file will be
                     printed properly.

                     The 'filters' are usually shell scripts that call
                     a helper application.  The first problem is that
                     some of these filters use /tmp as scratch space,
                     which opens up a symlink attack for file creation
                     and file overwriting.  (lpd is running as user bin,
                     group root.)

                     The second problem is that a lot of the helper
                     applications were not built with security in mind.
                     One example of this is groff.

                     There are several troff/groff 'requests' that allow
                     commands to be executed.  The result is that anyone
                     with a simple understanding of troff can send
                     a troff document to a remote server, causing the
                     remote server to execute arbitrary commands as
                     user bin, group root.

                     It is important to note that other operating systems
                     may use a print filter that will use applications
                     like troff.  They are just as susceptible to attack as
                     the operating systems listed above.

Compromise:          Local users can overwrite files writable by user bin
                     and/or group root.

                     Local and remote users can execute commands as user
                     bin, group root.  From this point, a clever attacker
                     can obtain root.

Patch/Fix:

Erik Troan <ewt@redhat.com> has put updated RPMS online at:

ftp://ftp.redhat.com/updates/4.2/i386/groff-1.10-8.1.i386.rpm
ftp://ftp.redhat.com/updates/4.2/i386/rhs-printfilters-1.41.1-1.i386.rpm
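As an added illustration (not part of the advisory and not Red Hat's rhs-printfilters code), the skeleton below shows how a filter script can avoid both problems described above: it replaces a predictable /tmp scratch name with a private mktemp directory, and it runs groff with its safer mode so that document requests cannot execute commands. It assumes a groff version that supports the -S option; the function names are hypothetical.

```shell
#!/bin/sh
# Hardened lpd input-filter skeleton (illustrative example, not the original package).
# Problem 1 in the advisory: filters used fixed names such as /tmp/filter.$$,
#   so a local user could pre-create a symlink and have lpd (user bin, group root)
#   overwrite an arbitrary file.  Fix: an unpredictable, mode-0700 directory.
# Problem 2: groff honours requests that run commands.  Fix: groff's safer mode (-S).
set -eu

# Create a private scratch directory and print its path.  Fails closed if the
# directory cannot be created or is not a real directory owned by this process.
make_scratch_dir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/printfilter.XXXXXX") || return 1
    # Never follow a symlink as scratch space, even if something raced us.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        rm -rf "$dir"
        return 1
    fi
    chmod 0700 "$dir"
    printf '%s\n' "$dir"
}

# Render the troff file $1 to PostScript in $2.  -S (safer mode) makes groff
# refuse the requests that execute commands or open arbitrary files.
render_troff_safely() {
    in=$1
    out=$2
    groff -S -Tps -mandoc -- "$in" > "$out"
}

# Filter entry point: job arrives on stdin, PostScript leaves on stdout.
run_filter() {
    scratch=$(make_scratch_dir) || {
        echo "printfilter: cannot create private scratch dir" >&2
        return 1
    }
    trap 'rm -rf "$scratch"' EXIT
    cat > "$scratch/job.tr"
    render_troff_safely "$scratch/job.tr" "$scratch/job.ps"
    cat "$scratch/job.ps"
}

# Only run the filter when explicitly asked, so the functions can be sourced/tested.
if [ "${PRINTFILTER_RUN:-0}" = 1 ]; then
    run_filter
fi
```

Invoke it as `PRINTFILTER_RUN=1 ./filter < document.tr > out.ps`; lpd would call it the same way from printcap.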

This page is part of Fyodor's exploit world.