COMMAND
lpd
SYSTEMS AFFECTED
BSD/OS 2.1 and 3.0 (BSDI), FreeBSD, Linux, OpenBSD 2.1
PROBLEM
Bennett Samowich pointed out several weaknesses in implementations of
the LPR/LPD protocol. They mostly affect BSD-derived UNIXes. He found
them by reading the 4.4BSD source and tested them on "Linux Slackware
2.2.0"; he also tested AIX 4.1.5, which appears not to be affected.
This entry also incorporates the SNI-19 report.
The explanation below assumes that you are familiar with [RFC-1179,
Line Printer Daemon Protocol]. If you are not, it may be obtained via
FTP from
ftp://nic.ddn.mil/rfc/rfc1179.txt
The possibilities are as follows:
1.) Obtaining hard (or possibly soft) copies of any file on
the system.
2.) Deleting any file on the system.
3.) Creating a file on the system.
4.) Mail bombing.
5.) Remote execution (SNI-19)
There are a few requirements that need to be met in order to
perform these actions.
1.) Must be 'root' on the source machine: lpd only accepts
connections that originate from a privileged (reserved) source
port, which only root can bind.
NOTE: Windows 95 has no privilege separation, so every user
effectively has 'root' status. This means that anyone on a
Win95 box can bind network sockets to the reserved ports.
2.) Must have or obtain permission to print to the target machine.
Usually machines on the same network will have permission
to print to each other, but that may not always be the case.
3.) Must have or obtain access to the target printer, at least for
the attacks that produce a printout. Otherwise how will you get
your printout?
When lpd sends a job to a remote machine it creates a control file
that instructs the remote machine how to process the incoming print
job. The control commands are outlined in [RFC-1179]. It is the
implementation of these control commands, which uses the supplied
file names exactly as given, that provides the weakness.
1.) Obtaining hard (or possibly soft) copies of any file on the
system. The control command 'f' causes a file to be printed as
formatted text.
The syntax is: f filename [LF]
The filename is used as given, so by inserting the line
"f/etc/shadow" into the control file you cause the shadow password
file to be printed. (Hard copy.)
If the print queue points to a network printer then it is
possible to capture the job on the wire as it is sent to the
printer. (Soft copy.)
2.) Deleting any file on the system.
The control command 'U' instructs the remote machine to
unlink (delete) the named file upon completion of the job.
The syntax is: U filename [LF]
Therefore, by inserting the line "U/vmlinuz" into the control
file you will cause the Linux kernel image to be removed from the
file system.
3.) Creating a file on the remote system.
This is a little trickier, in that 4.4BSD takes the filename you
specify and overwrites it, starting at offset 6 (the seventh
character), with its own view of the calling machine's hostname.
The request is: 2 size [SP] filename [LF], where '2' is the octet
0x02 (not the ASCII character), size is the size of the file in
bytes, and filename is the name under which the client asks for
the control file to be stored.
From recvjob.c (4.4BSD):

        case '\2':      /* read cf file */
                size = 0;
                while (*cp >= '0' && *cp <= '9')
                        size = size * 10 + (*cp++ - '0');
                if (*cp++ != ' ')
                        break;
                /*
                 * host name has been authenticated, we use our
                 * view of the host name since we may be passed
                 * something different than what gethostbyaddr()
                 * returns
                 */
                strcpy(cp + 6, from);           /* <-- HERE */
                strcpy(tfname, cp);
                tfname[0] = 't';
                if (!chksize(size)) {
                        (void) write(1, "\2", 1);
                        continue;
                }
                if (!readfile(tfname, size)) {
                        rcleanup(0);
                        continue;
                }
                if (link(tfname, cp) < 0)
                        frecverr("%s: %m", tfname);
                (void) unlink(tfname);
                tfname[0] = '\0';
                nfiles++;
                continue;
The result of that strcpy(cp + 6, from) is:
        /rc             becomes /rc
        /etc/passwd     becomes /etc/pwww.yourhost.com
A name shorter than six characters is left intact, because the copy
lands beyond its terminating NUL; a longer name keeps only its first
six characters, and the daemon's view of your hostname is appended
to them (for a conventional name such as cfA123yourhost, offset 6 is
exactly where the host part begins, which is what the code is meant
to rewrite).
This is accomplished by using the printer command '2' (receive
control file). Therefore, by sending the request 2 size [SP] /rc [LF]
and then sending our file, we have created a file in the root
directory called 'rc' with contents of our choosing. Sending
'/home/yourfriend/somefile' as the name instead creates
'/home/www.yourhost.com': you choose the contents, but only the
first six characters of the path.
Two constraints follow from the code above: the file is first
written as a temporary (tfname) in the spool directory and then
link(2)ed to the final name, so the target must be on the same
filesystem as the spool directory, and link() fails if the target
already exists, so existing files cannot be overwritten this way.
4.) Mail bombing.
The control command 'M' instructs lpd to mail the named user when
the job is finished.
The syntax is: M username [LF]
Therefore, by adding the line "Mjoeuser@www.somewhere.com" you
will cause joeuser to receive a mail notification about the
print job. Add several thousand of these lines and joeuser's
mailbox is flooded from the print server.
5.) Remote execution (SNI-19)
Individuals with access to the line printer daemon from a
privileged port on a valid print client can execute commands
remotely as the user which lpd is running as. This
vulnerability can allow interactive shell access to the remote
system.
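As an added illustration (this is not code from 4.4BSD, from the SecNet/OpenBSD fix, or from Bennett Samowich's report), the following C program models the two halves of items 1 through 4 above: first, what the '\2' handler's strcpy(cp + 6, from) makes of a client-supplied control file name, so the '/rc' versus '/etc/passwd' difference can be checked rather than taken on faith; second, the kind of name check a fixed lpd can apply to every 'f', 'U' and similar control line, plus a cap on 'M' lines. The hostname www.yourhost.com, the client name 'client', the control-file contents and the CF_MAX_MAIL policy are constructed for the example.

```c
/*
 * Added example, not 4.4BSD or OpenBSD code.  Part 1 models what the
 * recvjob.c '\2' handler quoted above makes of a client-supplied control
 * file name.  Part 2 is the kind of name and control-line check a fixed
 * lpd applies; its rules, CF_MAX_MAIL and the hostnames are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum cf_verdict { CF_OK = 0, CF_HAS_SLASH, CF_BAD_NAME, CF_TOO_MANY_MAIL };
#define CF_MAX_MAIL 1       /* example policy: one 'M' line per job */

/*
 * Part 1.  req is a '\2' request minus its leading 0x02 and trailing LF,
 * e.g. "12 /etc/passwd"; from is the daemon's view of the client hostname.
 * As in recvjob.c: skip the decimal size, insist on one space, then
 * strcpy(cp + 6, from).  Returns the stored name, or NULL if malformed.
 */
const char *bsd_stored_name(const char *req, const char *from)
{
    static char line[BUFSIZ];
    char *cp = line;
    if (strlen(req) + strlen(from) + 7 >= sizeof(line))
        return NULL;                  /* keep the model inside its buffer */
    strcpy(line, req);
    while (*cp >= '0' && *cp <= '9')  /* size; the daemon feeds it to chksize() */
        cp++;
    if (*cp++ != ' ')
        return NULL;
    /* A conventional name is cf + letter + 3 digits + host, so offset 6 is
     * where the host part begins.  A name shorter than six bytes keeps its
     * NUL and survives intact; a longer one is cut to six bytes plus from. */
    strcpy(cp + 6, from);
    return cp;
}

/* Part 2.  Every name lpd is asked to create, print or unlink must be a
 * spool file of the RFC 1179 form [cd]f<A-Z><3 digits><host> with no '/'
 * anywhere, which rejects "/etc/shadow", "/vmlinuz" and "../x" alike. */
enum cf_verdict check_spool_name(const char *name)
{
    if (strchr(name, '/') != NULL)
        return CF_HAS_SLASH;
    if (strlen(name) < 7 || (name[0] != 'c' && name[0] != 'd') || name[1] != 'f'
        || !isupper((unsigned char)name[2]))
        return CF_BAD_NAME;
    for (int i = 3; i < 6; i++)
        if (!isdigit((unsigned char)name[i]))
            return CF_BAD_NAME;
    return CF_OK;
}

/* One control-file line; *mail counts the 'M' lines seen so far in the job. */
enum cf_verdict check_cf_line(const char *line, int *mail)
{
    switch (line[0]) {
    case 'f': case 'l': case 'p': case 'r': case 't': case 'd': case 'g':
    case 'v': case 'c': case 'n': case 'o': case '1': case '2': case '3':
    case '4': case 'U':             /* every command whose operand is a file */
        return check_spool_name(line + 1);
    case 'M': return ++*mail > CF_MAX_MAIL ? CF_TOO_MANY_MAIL : CF_OK;
    default:  return CF_OK;         /* H, P, J, L, C, T, ... name no file */
    }
}

/* Walk an LF-separated control file; the first failing verdict wins. */
enum cf_verdict check_control_file(const char *cf)
{
    char line[BUFSIZ];
    int mail = 0;
    while (*cf != '\0') {
        size_t n = strcspn(cf, "\n");
        if (n >= sizeof(line))
            return CF_BAD_NAME;
        memcpy(line, cf, n);
        line[n] = '\0';
        enum cf_verdict v = n ? check_cf_line(line, &mail) : CF_OK;
        if (v != CF_OK)
            return v;
        cf += n + (cf[n] == '\n');
    }
    return CF_OK;
}

int main(void)
{
    const char *reqs[] = { "12 /rc", "12 /etc/passwd",
                           "12 /home/yourfriend/somefile", "12 cfA123client" };
    for (int i = 0; i < 4; i++)       /* daemon sees the client as www.yourhost.com */
        printf("%-30s -> %s\n", reqs[i], bsd_stored_name(reqs[i], "www.yourhost.com"));
    /* Constructed control files: three from the text above, one legitimate job. */
    printf("f/etc/shadow=%d U/vmlinuz=%d mailbomb=%d legit=%d\n",
           check_control_file("Hclient\nf/etc/shadow\n"),
           check_control_file("Hclient\nU/vmlinuz\n"),
           check_control_file("Hclient\nMjoe@a.example\nMjoe@a.example\n"),
           check_control_file("Hclient\nProot\nfdfA123www.yourhost.com\nUdfA123www.yourhost.com\n"));
    return 0;
}
```

Part 1 reproduces the offset-6 overwrite literally, so the output shows '/rc' surviving while '/etc/passwd' and '/home/yourfriend/somefile' collapse to six characters plus the hostname. Part 2 is deliberately strict: rather than blacklisting particular paths it only accepts the spool naming convention, which is the shape a fixed daemon can enforce before it ever opens, prints or unlinks anything.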
A privileged port on a valid client system is required to
exploit all of these vulnerabilities. A privileged port can
be obtained on many operating systems by utilizing another
vulnerability present in the file transfer protocol daemon
(ftpd). This vulnerability is commonly known as the "FTP
bounce" attack, and allows data to be sent to any internet
address and port, originating from the FTP data port (20). For
additional information about FTP bounce attacks, please see:
ftp://ftp.sterling.com/mirrors/avian.org/random/ftp-attack
SOLUTION
Install a fixed version of the BSD print software. A fixed
version is available at the following ftp site:
ftp://ftp.secnet.com/pub/patches/lpd.tar.gz
There was a problem with the original fix, so an updated version of
the recommended fixes has been placed in the same location as the
original fixes.
This package fixes numerous other problems present in the BSD
printing suite, including numerous buffer overflows present in
both the client programs and the server. This package has been
provided by OpenBSD.
LPRng is not vulnerable to any of the problems discussed here.
LPRng is an alternative print spooler written by Patrick Powell.
The FreeBSD and BSD/OS print system is not configured by default,
therefore all vulnerabilities apply ONLY if the system has been
configured as a print server. In 2.1.7 and 2.2.2, the ftpd
shipped does NOT permit the ftp bounce attack. Also, the lpd
shipped does not permit connections from the FTP daemon. Current
versions of FreeBSD are vulnerable only if the attacker has
super-user access on a valid print client.
If your Linux system runs wu-ftpd-2.4.2-academ[BETA-13] then it is
NOT vulnerable to FTP bounce attacks. If you do not see
'academ[BETA-13]' in the ftpd version string, you may be vulnerable.
The OpenBSD print system is not enabled by default and lpd does
not permit connections from the FTP daemon. OpenBSD ftpd is not
vulnerable to ftp bounce attacks. OpenBSD is vulnerable only if
the attacker has super-user access to a valid print client.
OpenBSD-current has all of the above problems fixed.
As a further mitigation you may install an FTP daemon that prevents
FTP bounce. This FTP daemon should be installed on all print clients
to prevent non-root users from obtaining a privileged port from which
to connect to the print daemon. You can obtain a copy of this
ftpd at:
ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-15.tar.Z
Installing this alternate FTP daemon limits the above attacks, but
still allows an attacker who has super-user access on a valid print
client to exploit these problems.