Date:      Wed, 5 Mar 1997 14:08:16 -0500 (EST)
From:      Sire Lancelot du Lac <lancelot@snail.slow.net>
To:        freebsd-security@freebsd.org
Subject:   FreeBSD lpd Security Vulnerability (fwd)
Message-ID:  <Pine.BSF.3.91.970305140805.16934B-100000@snail.slow.net>



Christian Doucet       lancelot@slow.net            work: +1 514 728 1618
Freelance "Sysadmin-Programmer-UNIX-Internet" guru! home: +1 514 728 1618
Y'a rien de plus troublant qu'un trou noir.         -- Sol (Marc Favreau)
This sentance has threee errors.                    -- trurl@yakko.nceye.net
This sentence no verb.                              -- someone
The answer to life, the universe and sendmail is 25 -- chimmy@knott12.ncl.ac.uk

---------- Forwarded message ----------
Date: Wed, 5 Mar 1997 00:32:02 -0700
From: Oliver Friedrichs <oliver@SECNET.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: FreeBSD lpd Security Vulnerability

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                               March 5, 1997

                     FreeBSD lpd Security Vulnerability


There is a serious security vulnerability in all FreeBSD lpd implementations.
This vulnerability allows remote users to gain unauthorized root access to any
system allowing connections to the line printer daemon (lpd).

A user is not required to be in lpd's access list (/etc/hosts.lpd) to exploit
this vulnerability, as the problem occurs while lpd is attempting to determine
whether the host is permitted to connect.


Problem Description
~~~~~~~~~~~~~~~~~~~

The vulnerability is present in the source file lib/libc/net/rcmd.c, which
contains the function __ivaliduser().  This function is used by the line
printer daemon (lpd) to determine whether the user connecting to the daemon
is in its access list (contained in /etc/hosts.lpd).  When performing a
domain name lookup on the connecting IP address, the resulting response is
copied into a fixed size buffer of size MAXHOSTNAMELEN (256 bytes).  Since
DNS responses containing a hostname and domain name are currently allowed to
exceed 256 bytes, an overflow can occur.  The faulty code follows:


if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
   return (-1);
strcpy(hname, hp->h_name);

The string copy is done without any bounds checking.  Corrected code looks as
follows:

if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
   return (-1);
strncpy(hname, hp->h_name, sizeof(hname));
hname[sizeof(hname)-1] = '\0';
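The following C program is an added example and is not code from the advisory
or from FreeBSD's rcmd.c.  It shows the two defensive options for the copy
described above side by side: the advisory's bounded copy with forced NUL
termination, and a stricter variant that rejects a resolved name that does not
fit in the 256-byte buffer instead of silently truncating it.  The resolver
call is left out so the program runs offline; the 300-byte hostname and the
function names are constructed for the example and are not real hosts or
libc/lpd identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Same size as MAXHOSTNAMELEN on the FreeBSD releases named in the advisory. */
#define HOSTNAME_BUF 256

/* Strict replacement for `strcpy(hname, hp->h_name)`: copy only if the
 * resolved name fits together with its NUL terminator, otherwise reject it.
 * Returns 0 on success, -1 if rejected.  `dst` is always NUL-terminated. */
int copy_hostname_checked(char *dst, size_t dstlen, const char *resolved)
{
    size_t n;

    if (dstlen == 0)
        return -1;
    n = strlen(resolved);
    if (n >= dstlen) {            /* no room for the terminator: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, resolved, n + 1);
    return 0;
}

/* The advisory's approach: bounded copy plus forced termination.
 * Returns 1 if the name was truncated, 0 if it was copied intact. */
int copy_hostname_truncate(char *dst, size_t dstlen, const char *resolved)
{
    strncpy(dst, resolved, dstlen);
    if (dst[dstlen - 1] != '\0') {   /* strncpy wrote no NUL: name too long */
        dst[dstlen - 1] = '\0';
        return 1;
    }
    return 0;
}

/* Constructed sample: a 300-byte answer made of 63-character labels
 * separated by dots, i.e. longer than the 256-byte buffer.  Not a real host. */
const char *constructed_long_name(void)
{
    static char name[301];
    size_t i;

    for (i = 0; i < 300; i++)
        name[i] = (i % 64 == 63) ? '.' : 'a';
    name[300] = '\0';
    return name;
}

/* Wrappers that run each policy against a 256-byte local buffer, mirroring
 * the fixed-size `hname` array in the vulnerable function. */
int check_name(const char *name)
{
    char hname[HOSTNAME_BUF];
    return copy_hostname_checked(hname, sizeof(hname), name);
}

int truncated_length(const char *name)
{
    char hname[HOSTNAME_BUF];
    copy_hostname_truncate(hname, sizeof(hname), name);
    return (int)strlen(hname);
}

int main(void)
{
    const char *ok  = "printer.example.com";     /* constructed, fits */
    const char *bad = constructed_long_name();   /* constructed, too long */

    printf("%-32s -> %d\n", "checked copy, short name", check_name(ok));
    printf("%-32s -> %d\n", "checked copy, 300-byte name", check_name(bad));
    printf("%-32s -> %d bytes\n", "truncating copy, 300-byte name",
           truncated_length(bad));
    return 0;
}
```

Truncation is enough to stop the overflow, which is all the advisory's patch
sets out to do; the rejecting variant is the better choice when the copied
name is then used for an access-control comparison, since a name that had to
be cut short can no longer be trusted to match anything in the list.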


Vulnerable Systems
~~~~~~~~~~~~~~~~~~

This security vulnerability only applies to the FreeBSD operating system.

FreeBSD 2.1.5 is vulnerable
FreeBSD 2.1.6 is vulnerable
FreeBSD 2.1.7 is vulnerable
FreeBSD 2.2 Gamma is vulnerable

FreeBSD 2.2 is not vulnerable

FreeBSD -current is vulnerable for dates prior to February 25, 1997

Corrected in -current, and -stable as of February 25, 1997.

Workaround
~~~~~~~~~~

If the system in question does not require the use of printing services, lpd
should be removed or commented out from the system startup file /etc/rc.

If you require the use of printing services, this vulnerability can be fixed
by applying the following patch to lib/libc/net/rcmd.c.  This patch has been
known to apply to all FreeBSD 2.x systems.

--- CUT HERE ---

*** libc/lib/net/rcmd.c.old     Tue Feb 25 15:33:42 1997
--- libc/lib/net/rcmd.c Tue Feb 25 15:33:56 1997
***************
*** 377,383 ****
        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
                                                        AF_INET)) == NULL)
                return (-1);
!       strcpy(hname, hp->h_name);

        while (fgets(buf, sizeof(buf), hostf)) {
                p = buf;
--- 377,384 ----
        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
                                                        AF_INET)) == NULL)
                return (-1);
!       strncpy(hname, hp->h_name, sizeof(hname));
!       hname[sizeof(hname)-1] = '\0';

        while (fgets(buf, sizeof(buf), hostf)) {
                p = buf;
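Review bot: the bounded copy at lines 377-384 is correct only because `hname` is a fixed-size array in this function, so `sizeof(hname)` evaluates to the buffer length (MAXHOSTNAMELEN); if `hname` ever became a pointer, `sizeof(hname)` would silently shrink to the pointer size and the bound would be meaningless, so a comment or an explicit `MAXHOSTNAMELEN` here would make that dependency visible. Note also that an overlong `hp->h_name` is now truncated to 255 bytes before the `while (fgets(buf, sizeof(buf), hostf))` loop compares it against the access list; for an access-control decision it is cleaner to treat a name that does not fit as a failed lookup, e.g. `if (strlen(hp->h_name) >= sizeof(hname)) return (-1);` ahead of the `strncpy`, so that a truncated name can never be matched against an entry.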

--- CUT HERE ---

At this point, libc will have to be recompiled.  lpd is shipped dynamically
linked under FreeBSD, therefore the fix will take effect without recompiling
lpd itself.


Attributions
~~~~~~~~~~~~

Information about FreeBSD can be found at http://www.freebsd.org

You can contact the author of this advisory at oliver@secnet.com

Type Bits/KeyID    Date       User ID
pub  1024/0E7BBA7D 1996/09/18 Oliver Friedrichs <oliver@secnet.com>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzJATn0AAAEEAJeGbZyoCw14fCoAMeBRKiZ3L6JMbd9f4BtwdtYTwD42/Uz1
A/4UiRJzRLGhARpt1J06NVQEKXQDbejxGIGzAGTcyqUCKH6yNAncqoep3+PKIQJd
Kd23buvbk7yUgyVlqQHDDsW0zMKdlSO7rYByT6zsW0Rv5JmHJh/bLKAOe7p9AAUR
tCVPbGl2ZXIgRnJpZWRyaWNocyA8b2xpdmVyQHNlY25ldC5jb20+iQCVAwUQMkBO
fR/bLKAOe7p9AQEBOAQAkTXiBzf4a31cYYDFmiLWgXq0amQ2lsamdrQohIMEDXe8
45SoGwBzXHVh+gnXCQF2zLxaucKLG3SXPIg+nJWhFczX2Fo97HqdtFmx0Y5IyMgU
qRgK/j8KyJRdVliM1IkX8rf3Bn+ha3xn0yrWlTZMF9nL7iVPBsmgyMOuXwZ7ZB8=
=xq4f
-----END PGP PUBLIC KEY BLOCK-----


Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

 You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
 and advisories at ftp://ftp.secnet.com/advisories

 You can browse our web site at http://www.secnet.com

 You can subscribe to our security advisory mailing list by sending mail to
 majordomo@secnet.com with the line "subscribe sni-advisories"
