
(fwd) LPRng/rhs-printfilters - remote execution of commands



This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Return-Path: <bugtraq-return-1835-raju=linux-delhi.org@xxxxxxxxxxxxxxxxx>
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Received: (qmail 23233 invoked from network); 27 Aug 2001 15:26:23 -0000
X-X-Sender:  <zen-parse@xxxxxxxxxxxxx>
Message-ID: <Pine.LNX.4.33.0108280131001.984-100000@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.33.0108280131003.984@xxxxxxxxxxxxx>
From: zen-parse <zen-parse@xxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: LPRng/rhs-printfilters - remote execution of commands
Date: Tue, 28 Aug 2001 01:44:55 +1200 (NZST)

(posted to vendor security ppl, no reply, no patch, so posting here.)
--begin forwarded message--

RedHat 7.0 (possibly others)

If the lpd is listening on 0.0.0.0 and no access controls are in place, it
is possible to execute commands as the lp user, assuming tetex-dvips is
installed.

From man dvips
...
       -R     Run in secure mode. This  means  that  ``backtick''
              commands  from  a \special{} or \psffile{} macro in
              the  (La)TeX  source  like   \special{psfile="`zcat
              foo.ps.Z"}   or   \psffile[72  72  540  720]{"`zcat
              screendump.ps.gz"} are not executed.
...

Unless the -R option is passed, the attached file will, when converted to
a .dvi file (tex spool.tex), start a worm. A very primitive, proof of
concept worm, with no payload, but it does stall the printer.
(So don't run it without at least modifying it to do something else.)

/usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
...
dvips -f $DVIPS_OPTIONS < $TMP_FILE
...

change it to
...
dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
...

and it should be a little safer.

-- zen-parse

--end forwarded message--

I deleted the worm file before posting this to BugTraq. It's 2 lines of
bash, but not really the kind of thing that is helpful to post here.

-rw-r--r--    1 evil     evil          152 Aug 16 16:37 spool.tex

Instead, use this to test your machine.

# the quoted delimiter keeps the backtick literal in the .tex file instead of
# letting the local shell expand it while writing the heredoc
cat >proof-of-concept.tex <<'EOF'
\special{psfile="`touch /tmp/lpowned"}
\end
EOF
tex proof-of-concept
lpr proof-of-concept.dvi

-- zen-parse

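A defender's follow-up to the advisory above, added here as an example; it is not code from zen-parse's post or from the rhs-printfilters package. It is a POSIX shell script that audits a print filter shaped like dvi-to-ps.fpi for dvips invocations lacking -R, writes a hardened copy with the flag inserted (the fix the advisory recommends), and scans a queued .tex file for the backtick \special/\psffile construction that dvips hands to the shell in non-secure mode. The filter path, the regular expressions, the function names and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from zen-parse's post or from rhs-printfilters.
# Assumes the print filter is a shell script in the shape of
# /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi, i.e. it contains a line
# such as "dvips -f $DVIPS_OPTIONS < $TMP_FILE"; paths are passed in so the
# functions can be run against constructed copies.

# A dvips invocation at line start or after ; | & or whitespace.
DVIPS_RE='(^|[;|&[:space:]])dvips([[:space:]]|$)'
# A -R option standing on its own as an argument.
SECURE_RE='(^|[[:space:]])-R([[:space:]]|$)'

# audit_dvips_filter FILTER
# Prints (with line numbers) every dvips call in FILTER that lacks -R.
# Returns 0 when all calls run in secure mode, 1 otherwise.
audit_dvips_filter() {
    unsafe=$(grep -n -E "$DVIPS_RE" "$1" | grep -v -E "$SECURE_RE" || true)
    [ -z "$unsafe" ] && return 0
    printf '%s\n' "$unsafe"
    return 1
}

# harden_dvips_filter FILTER OUT
# Copies FILTER to OUT, inserting -R after the first dvips on each line
# that does not already carry it (the change the advisory recommends).
harden_dvips_filter() {
    sed -E "/$DVIPS_RE/{/$SECURE_RE/!s/dvips([[:space:]]|\$)/dvips -R\\1/;}" "$1" > "$2"
}

# scan_tex_for_backticks TEXFILE
# Prints every \special{...} or \psffile[...]{...} whose argument contains a
# backtick, the construction dvips runs through the shell unless given -R.
# Returns 0 when none is found, 1 otherwise.
scan_tex_for_backticks() {
    hits=$(grep -n -E '\\(special|psffile)(\[[^]]*\])?\{[^}]*`' "$1" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Demonstration on constructed files: a copy of the vulnerable filter line
# and a spool file shaped like the proof of concept in the advisory.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nTMP_FILE=$1\ndvips -f $DVIPS_OPTIONS < $TMP_FILE\n' > "$tmp/dvi-to-ps.fpi"
    audit_dvips_filter "$tmp/dvi-to-ps.fpi" || echo "=> filter runs dvips without -R"
    harden_dvips_filter "$tmp/dvi-to-ps.fpi" "$tmp/dvi-to-ps.fpi.new"
    audit_dvips_filter "$tmp/dvi-to-ps.fpi.new" && echo "=> hardened copy runs dvips in secure mode"
    printf '\\special{psfile="`some-command`"}\n\\end\n' > "$tmp/spool.tex"
    scan_tex_for_backticks "$tmp/spool.tex" || echo "=> spool file carries a backtick special"
    rm -rf "$tmp"
}

demo
```

Run against the real filter with `audit_dvips_filter /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi`; the hardened copy is written to a separate path so the original can be diffed before it is put in place. The scan is a cheap spool-side check, but it only covers the backtick form the man page describes, so the -R flag on the filter remains the actual fix.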


------------------------------

End of this Digest
******************

-- 
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/