RedHat lpr Arbitrary Command Execution Vulnerability
BID:1834
Info
RedHat lpr Arbitrary Command Execution Vulnerability
| Bugtraq ID: | 1834 |
| Class: | Configuration Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Oct 20 2000 12:00AM |
| Updated: | Oct 20 2000 12:00AM |
| Credit: | First posted to Bugtraq by zenith parsec <[email protected]> on Oct 20, 2000. |
| Vulnerable: |
BSD lpr 0.54 -4 |
| Not Vulnerable: |
Redhat Linux 7.0 |
Discussion
RedHat lpr Arbitrary Command Execution Vulnerability
lpr is a set of printing tools for unix systems. The lpr package that ships with RedHat Linux 6.2 (and possibly earlier versions) contains a vulnerability that will allow an attacker to execute arbitrary commands with the privileges of group 'lp'.
The vulnerability is not in one of the binary executables, rather in one of the print filters supplied with the lpr package. It is in the processing of troff files, their conversion into postscript files for printing on a postscript printer.
When the processing occurs, certain commands embedded in the troff file being processed can be executed -- with the privileges of the setgid lpr. This is the result of formatting programs being executed by the print filter in an unsafe manner.
Compromise of group lp access may lead to further compromise as the lpr configuration files are writeable to members of group lp. If lpr configuration files are modified, arbitrary commands can be run as any user other than root. This will most certainly eventually lead to root access for the attacker (a excellent example of this is in the zenith parsec's bugtraq post in the reference section).
lpr is a set of printing tools for unix systems. The lpr package that ships with RedHat Linux 6.2 (and possibly earlier versions) contains a vulnerability that will allow an attacker to execute arbitrary commands with the privileges of group 'lp'.
The vulnerability is not in one of the binary executables, rather in one of the print filters supplied with the lpr package. It is in the processing of troff files, their conversion into postscript files for printing on a postscript printer.
When the processing occurs, certain commands embedded in the troff file being processed can be executed -- with the privileges of the setgid lpr. This is the result of formatting programs being executed by the print filter in an unsafe manner.
Compromise of group lp access may lead to further compromise as the lpr configuration files are writeable to members of group lp. If lpr configuration files are modified, arbitrary commands can be run as any user other than root. This will most certainly eventually lead to root access for the attacker (a excellent example of this is in the zenith parsec's bugtraq post in the reference section).
Solution / Fix
RedHat lpr Arbitrary Command Execution Vulnerability
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].