COMMAND

    lpd / printfilter / groff

SYSTEMS AFFECTED

    Red Hat 4.2

PROBLEM

    KRS[T], in their advisory #4, found several problems.  The printfilter
    package shipped with Red Hat Linux is invoked by lpd to determine the
    type of each file being printed and then to apply the appropriate
    'filter' so that the file prints correctly.

    The 'filters' are usually shell scripts that call a helper
    application.  The first problem is that some of these filters use
    predictably named scratch files in /tmp.  A local attacker who plants
    a symlink at such a name beforehand can make the filter create or
    overwrite any file its privileges allow (lpd runs as user bin, group
    root).

    The second problem is that  a lot of the helper  applications were
    not built with security in mind.  One example of this is groff.

    troff/groff supports several 'requests' that cause it to execute
    shell commands while formatting a document.  Since lpd also accepts
    jobs from remote hosts, anyone with a basic understanding of troff can
    submit a troff document to a remote print server and have it execute
    arbitrary commands as user bin, group root.

    Note that other operating systems may ship print filters that also
    hand jobs to troff or similar formatters; they are just as
    susceptible to this attack as the system listed above.

    Using these bugs, local users can overwrite files writable by user
    bin and/or group root or even execute commands as user bin,  group
    root.  From this point, a clever attacker can obtain root.

SOLUTION

    Patch/Fix:

    ftp://ftp.redhat.com/updates/4.2/i386/groff-1.10-8.1.i386.rpm
    ftp://ftp.redhat.com/updates/4.2/i386/rhs-printfilters-1.41.1-1.i386.rpm