Re: Possible weakness in LPD protocol

Thomas Roessler (roessler@GUUG.DE)
Fri, 03 Oct 1997 02:43:16 +0200

On October 02 1997, Bennett Samowich wrote:

> 1.) Obtaining hard (or possibly soft) copies of any file on the system.
> 2.) Deleting any file on the system.
> 3.) Creating a file on the system.
> 4.) Mail bombing.

5.) Overflow at least one buffer from the network; this is just
above the "print any file" part of recvjob.c:

cp = line;
do {
        if ((size = read(1, cp, 1)) != 1) {     /* one byte at a time from the socket */
                if (size < 0)
                        frecverr("%s: Lost connection", printer);
                return(nfiles);
        }
} while (*cp++ != '\n');                        /* no check that cp stays inside line[] */

Consequences aren't really obvious, but you may be able to do
nasty things.

Will we ever get rid of gets()? (lpd source tree is from some
recent RedHat distribution.)

tlr

--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
   1280/593238E1 · AE 24 38 88 1B 45 E4 C6  03 F5 15 6E 9C CA FD DB
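An added example, not taken from the lpd source, showing what a bounded version of the loop quoted above looks like: a line that would not fit in the buffer is rejected and reported instead of being written past it. The names read_line_bounded, classify_line and the LINE_* return codes are assumed for this illustration, and the pipe only stands in for the network socket.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Outcomes of one line read (assumed names, not part of lpd). */
enum { LINE_OK = 0, LINE_EOF = -1, LINE_ERR = -2, LINE_TOO_LONG = -3 };

/*
 * Read one '\n'-terminated line from fd into buf, a byte at a time as
 * recvjob.c does, but never past buf[bufsz - 2]; buf is always
 * NUL-terminated on return.  The newline is kept on success.
 */
static int read_line_bounded(int fd, char *buf, size_t bufsz)
{
    size_t n = 0;
    if (bufsz == 0)
        return LINE_ERR;
    while (n < bufsz - 1) {
        ssize_t r = read(fd, buf + n, 1);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            buf[n] = '\0';
            return LINE_ERR;        /* the "Lost connection" case */
        }
        if (r == 0) {
            buf[n] = '\0';
            return LINE_EOF;        /* peer closed before a newline */
        }
        if (buf[n++] == '\n') {
            buf[n] = '\0';
            return LINE_OK;
        }
    }
    buf[n] = '\0';
    return LINE_TOO_LONG;           /* would have overflowed the buffer */
}

/* Push a constructed byte string through a pipe and return the verdict. */
static int classify_line(const char *data, size_t len, char *out, size_t outsz)
{
    int fds[2], rc;
    if (pipe(fds) != 0)
        return LINE_ERR;
    if (write(fds[1], data, len) != (ssize_t)len) {
        close(fds[0]); close(fds[1]);
        return LINE_ERR;
    }
    close(fds[1]);
    rc = read_line_bounded(fds[0], out, outsz);
    close(fds[0]);
    return rc;
}
```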