
(fwd) LPRng/rhs-printfilters - remote execution of commands

This is an RFC 1153 digest.
(1 message)

Return-Path: <bugtraq-return-1835-raju=linux-delhi.org@xxxxxxxxxxxxxxxxx>
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Received: (qmail 23233 invoked from network); 27 Aug 2001 15:26:23 -0000
X-X-Sender:  <zen-parse@xxxxxxxxxxxxx>
Message-ID: <Pine.LNX.4.33.0108280131001.984-100000@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-ID: <Pine.LNX.4.33.0108280131003.984@xxxxxxxxxxxxx>
From: zen-parse <zen-parse@xxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: LPRng/rhs-printfilters - remote execution of commands
Date: Tue, 28 Aug 2001 01:44:55 +1200 (NZST)

(posted to vendor security ppl, no reply, no patch, so posting here.)
--begin forwarded message--

RedHat 7.0 (possibly others)

If the lpd is listening on and no access controls are in place, it
is possible to execute commands as the lp user, assuming tetex-dvips is

From man dvips:
       -R     Run in secure mode. This  means  that  ``backtick''
              commands  from  a \special{} or \psffile{} macro in
              the  (La)TeX  source  like   \special{psfile="`zcat
              foo.ps.Z"}   or   \psffile[72  72  540  720]{"`zcat
              screendump.ps.gz"} are not executed.

Unless the -R option is passed, the attached file will, when converted to
a .dvi file (tex spool.tex), start a worm. A very primitive, proof of
concept worm, with no payload, but it does stall the printer.
(So don't run it without at least modifying it to do something else.)


change it to

and it should be a little safer.

-- zen-parse

--end forwarded message--

I deleted the worm file before posting this to BugTraq. It's 2 lines of
bash, but not really the kind of thing that is helpful to post here.

-rw-r--r--    1 evil     evil          152 Aug 16 16:37 spool.tex

Instead, use this to test your machine.

cat >proof-of-concept.tex <<'EOF'
\special{psfile="`touch /tmp/lpowned"}
\bye
EOF
tex proof-of-concept
lpr proof-of-concept.dvi

-- zen-parse

             [ mp3.com/cosv  -  new music added this month ]
             [ ============ ] [ ========================== ]
The preceding information, unless directly posted by zen-parse@xxxxxxx to
an open forum is confidential information and not to be distributed
(without explicit permission being given by zen-parse@xxxxxxx). Legal
action may be taken to enforce this. If you are mum or dad, this probably
doesn't apply to you.
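As an added defender-side example (not part of zen-parse's post or of LPRng/rhs-printfilters), the following Python scanner flags the two backtick forms quoted above from the dvips man page in a submitted TeX file, and checks whether a dvips command line carries the -R secure-mode flag that disables them. The sample TeX input is constructed for the example; the function names and the regular expression are assumptions of this example, not anything from the advisory.

```python
import re
from typing import List, Tuple

# Constructed sample input (not from the advisory): one harmless psfile
# reference and the two backtick shapes quoted from the dvips man page.
SAMPLE_TEX = r"""
\special{psfile="figure1.ps"}
\special{psfile="`zcat foo.ps.Z"}
\psffile[72 72 540 720]{"`zcat screendump.ps.gz"}
\bye
"""

# Matches \special{psfile="..."} and \psffile[...]{"..."} whose quoted
# argument starts with a backtick, which dvips hands to a shell unless -R
# is given. The pattern is an assumption of this example, sized to the
# two forms shown in the man page excerpt.
BACKTICK_SPECIAL = re.compile(
    r'\\(?P<macro>special|psffile)(?:\[[^\]]*\])?\{\s*'
    r'(?:psfile\s*=\s*)?"\s*`(?P<cmd>[^"]*)"'
)


def find_backtick_specials(tex_source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, macro, command) for every backtick special."""
    findings = []
    for lineno, line in enumerate(tex_source.splitlines(), start=1):
        for m in BACKTICK_SPECIAL.finditer(line):
            findings.append((lineno, m.group("macro"), m.group("cmd").strip()))
    return findings


def dvips_runs_secure(argv: List[str]) -> bool:
    """True if a dvips argv list carries -R, so backtick specials are ignored."""
    if not argv or not argv[0].endswith("dvips"):
        return False
    return "-R" in argv[1:]


if __name__ == "__main__":
    for lineno, macro, cmd in find_backtick_specials(SAMPLE_TEX):
        print(f"line {lineno}: \\{macro} would run shell command: {cmd!r}")
    # A filter that invokes dvips without -R leaves the specials enabled.
    for cmd_line in (["dvips", "-o", "job.ps", "job.dvi"],
                     ["dvips", "-R", "-o", "job.ps", "job.dvi"]):
        state = "secure" if dvips_runs_secure(cmd_line) else "NOT secure"
        print(" ".join(cmd_line), "->", state)
```

Run it against a spooled .tex file to see which lines would execute under an unpatched filter, and pass the filter's dvips invocation to dvips_runs_secure to confirm -R is actually reaching dvips; a filter that builds its command line from a variable can lose the flag silently.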


End of this Digest

Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/