COMMAND

    lpd

SYSTEMS AFFECTED

    FreeBSD  2.1.5,  2.1.6,  2.1.7,  2.2  Gamma,  FreeBSD  -current is
    vulnerable for dates prior to February 25, 1997

PROBLEM

    The following information is Secure Networks Inc. (SNI)  copyright
    and it is a part of their security advisory (March 5, 1997).

    There  is  a  serious  security  vulnerability  in all FreeBSD lpd
    implementations  This  vulnerability  allows  remote users to gain
    unauthorized root  access to  any system  allowing connections  to
    the line printer daemon (lpd).

    A user is not required to be in lpd's access list (/etc/hosts.lpd)
    to exploit this vulnerability, as the problem occurs while lpd  is
    attempting to determine whether the host is permitted to connect.

    The   vulnerability    is    present   in    the    source    file
    lib/libc/net/rcmd.c, which  contains the  function __ivaliduser().
    This  function  is  used  by  the  line  printer  daemon  (lpd) to
    determine whether  the user  connecting to  the daemon  is in it's
    access  list  (contained  in  /etc/hosts.lpd).   When performing a
    domain name  lookup on  the connecting  IP address,  the resulting
    response is copied into a fixed size buffer of size MAXHOSTNAMELEN
    (256 bytes).  Since DNS responses containing a hostname and domain
	name  are  currently  allowed  to  exceed  256 bytes, overflow can
    occur.  The faulty code follows:

        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
           return (-1);
        strcpy(hname, hp->h_name);

    The string copy  is done without  any bounds checking.   Corrected
    code looks as follows:

        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
           return (-1);
        strncpy(hname, hp->h_name, sizeof(hname));
        hname[sizeof(hname)-1] = '\0';

SOLUTION

    FreeBSD 2.2 is not vulnerable  and  it was corrected  in -current,
    and -stable as of February 25, 1997.

    If the  system in  question does  not require  the use of printing
    services, lpd should be removed  or commented out from the  system
    startup file /etc/rc.

    If you require  the use of  printing services, this  vulnerability
    can   be   fixed    by   applying   the    following   patch    to
    lib/libc/net/rcmd.c.  This  patch has been  known to apply  to all
    FreeBSD 2.x systems.

    --- CUT HERE ---
    *** libc/lib/net/rcmd.c.old     Tue Feb 25 15:33:42 1997
    --- libc/lib/net/rcmd.c Tue Feb 25 15:33:56 1997
    ***************
    *** 377,383 ****
	        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
	                                                        AF_INET)) == NULL)
	                return (-1);
	!       strcpy(hname, hp->h_name);

	        while (fgets(buf, sizeof(buf), hostf)) {
	                p = buf;
	--- 377,384 ----
	        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
	                                                        AF_INET)) == NULL)
	                return (-1);
	!       strncpy(hname, hp->h_name, sizeof(hname));
	!       hname[sizeof(hname)-1] = '\0';

	        while (fgets(buf, sizeof(buf), hostf)) {
	                p = buf;
	--- CUT HERE ---

    At this point, libc  will have to be  recompiled.  lpd is  shipped
    dynamically  linked  under  FreeBSD,  therefore  the fix will take
    effect without recompiling lpd itself.