Re: Possible weakness in LPD protocol

Warner Losh (imp@VILLAGE.ORG)
Fri, 03 Oct 1997 08:39:44 -0600

: SOLUTIONS ???
: These holes are due to the implementation of the lpr protocol and the
: fact that lpd runs as root. I am sure that there may be many solutions
: to this, but at first glance I think that by checking for a '/' in the
: filenames would cause the program to react when someone tries to print
: files from outside of the queue directory.

Both OpenBSD and FreeBSD disallow any files with / in them in the code
that was quoted. So this isn't a problem in either of those systems.
I don't have a current NetBSD source tree online at the moment, or I'd
check there.

The following csh code
    while (1)
        mail blah blah blah
    end
allows effective mail bombing as well. And if you control root for
the machine in question, you can use sendmail to forge the mail from
any address that you want. And even if you aren't, effective mail
forging programs are a dime a dozen and are more general in their
damage. What is the threat here?

Warner
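
The '/' check discussed in this message, as an added example that is not part of the original post and is not the OpenBSD or FreeBSD code. It assumes the RFC 1179 control-file layout (one command letter followed by its operand per line); the command list, function names and sample control file are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Commands whose operand lpd opens or unlinks in the spool directory
 * (RFC 1179 print commands plus 'U'); an assumption, not from the post. */
static const char FILE_CMDS[] = "cdfglnoprtvU";

/* Constructed sample control file; host, user and names are made up. */
static const char SAMPLE_CF[] =
    "Hclient.example\n"
    "Palice\n"
    "N/home/alice/report.txt\n"   /* original name only: '/' is fine */
    "fdfA001client.example\n"
    "UdfA001client.example\n"
    "f../outside/queue/file\n"    /* rejected */
    "U/outside/queue/file\n";     /* rejected */

/* Accept only a bare name: non-empty, no '/'. Refusing "." and ".."
 * is an extra precaution added here. */
static int spool_name_ok(const char *name, size_t len)
{
    if (len == 0 || memchr(name, '/', len) != NULL)
        return 0;
    if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.')))
        return 0;
    return 1;
}

/* Return how many file-naming lines of the control file are refused. */
int count_rejected(const char *cf)
{
    int rejected = 0;

    while (*cf != '\0') {
        size_t len = strcspn(cf, "\n");   /* length of this line */
        if (len > 0 && strchr(FILE_CMDS, cf[0]) != NULL &&
            !spool_name_ok(cf + 1, len - 1))
            rejected++;
        cf += len;
        if (*cf == '\n')
            cf++;
    }
    return rejected;
}

int main(void)
{
    printf("rejected lines: %d\n", count_rejected(SAMPLE_CF));
    return 0;
}
```

The check is applied per command letter because the 'N' line carries the submitter's original path, which normally contains '/' and is never opened by the daemon.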