KSR[T] Advisory #004: printfilter / groff / lpd

KSR[T] (ksrt@dec.net)
Sat, 25 Oct 1997 08:22:39 -0700

-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

KSR[T] Advisory #004
Date: Oct 6, 1997
ID #: lin-lpdg-004

Operating System(s): Redhat Linux 4.2

Affected Program: lpd / printfilter / groff

Problem Description: The printfilter software package that comes with
Redhat Linux is called by lpd to determine the type
of file that is being printed, and then to apply
the appropriate 'filter' so that the file will be
printed properly.

The 'filters' are usually shell scripts that call
a helper application. The first problem is that
some of these filters use /tmp as scratch space,
which opens up a symlink attack for file creation
and file overwriting. ( lpd is running as user bin,
group root )

The second problem is that a lot of the helper
applications were not built with security in mind.
One example of this is groff.

There are several troff/groff 'requests' that allow
commands to be executed. The result is that anyone
with a simple understanding of troff can send
a troff document to a remote server, causing the
remote server to execute arbitrary commands as
user bin, group root.

It is important to note that other operating systems
may use a print filter that will use applications
like troff. They are just as susceptible to attack as
the operating systems listed above.

Compromise: local users can overwrite files writable by user bin
and/or group root.

local and remote users can execute commands as user
bin, group root. From this point, a clever attacker
can obtain root.
Patch/Fix:

Erik Troan <ewt@redhat.com> has put updated RPMS online at:

ftp://ftp.redhat.com/updates/4.2/i386/groff-1.10-8.1.i386.rpm
ftp://ftp.redhat.com/updates/4.2/i386/rhs-printfilters-1.41.1-1.i386.rpm