COMMAND

    rlpdaemon

SYSTEMS AFFECTED

    HP-UX 9.x, 10.x

PROBLEM

    The following is based on a Repent Security Advisory; the problem
    was found by Bathead Brian. The argument in the Unlink Data File
    section of the control file is passed to /bin/rm through a system()
    call. This argument should normally be a filename; however, a
    semicolon and an arbitrary command can be appended, allowing
    commands to be executed as user lp.

    When the client passes a file to the rlpdaemon, no sanity checks
    are performed to ensure the validity of the filename. This allows a
    remote attacker to send any file s/he wants and have it stored in
    the user lp's home directory.

    The rlpdaemon will allow remote connections from any source port.
    This violates the lpd behavior recommended in RFC 1179, which
    explicitly states that only source ports 721-731 should be
    allowed to access the daemon.
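
    The checks described above as missing, written out in C as an added
    example; this is not code from the advisory or from HP's rlpdaemon.
    Assumptions: the function names, the 512-byte path buffer, the sample
    operands, and accepting any uppercase letter after "df" (RFC 1179
    names data files "dfA" + three-digit job number + host name).

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Allow-list for the Unlink Data File operand: "df" + uppercase letter +
 * 3-digit job number + host name. Anything else is refused outright. */
int is_safe_data_file_name(const char *name) {
    size_t i, len = strlen(name);
    if (len < 7 || len > 255 || name[0] != 'd' || name[1] != 'f' ||
        !isupper((unsigned char)name[2]))
        return 0;
    for (i = 3; i < 6; i++)
        if (!isdigit((unsigned char)name[i]))
            return 0;
    for (i = 6; i < len; i++) {   /* host part: no '/', ';', spaces, quotes */
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* RFC 1179 source-port rule: only 721-731 inclusive may connect. */
int is_rfc1179_source_port(unsigned int port) {
    return port >= 721 && port <= 731;
}

/* Hypothetical handler: validate, then call unlink(2) directly, never a shell.
 * Returns -1 if refused, 0 if removed or already absent, 1 on other errors. */
int handle_unlink_line(const char *spool_dir, const char *operand) {
    char path[512];
    int n;
    if (!is_safe_data_file_name(operand))
        return -1;
    n = snprintf(path, sizeof path, "%s/%s", spool_dir, operand);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return (unlink(path) == 0 || errno == ENOENT) ? 0 : 1;
}

int main(void) {
    /* Constructed operands; the second carries an appended shell command. */
    printf("%d %d %d\n",
           handle_unlink_line("/nonexistent-spool", "dfA042printhost"),
           handle_unlink_line("/nonexistent-spool", "dfA042printhost; id"),
           is_rfc1179_source_port(40000));
    return 0;
}
```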

SOLUTION

    Disable the rlpdaemon and use networked printers:

        1. su to the root account
        2. kill -9 `ps -fu root | grep -i rlpdaemon | awk '{print $2}'`
        3. edit /etc/inetd.conf with your favorite editor
        4. place a # in front of the line reading as follows:
           printer stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i
        5. kill -HUP `ps -fu root | grep -i inetd | awk '{print $2}'`