Bugtraq mailing list archives

Re: Possible weakness in LPD protocol


From: perhaps () YES NO (Eivind Eklund)
Date: Fri, 3 Oct 1997 22:19:50 +0200



On October 02 1997, Bennett Samowich wrote:

> 1.) Obtaining hard (or possibly soft) copies of any file on the system.
> 2.) Deleting any file on the system.
> 3.) Creating a file on the system.
> 4.) Mail bombing.
>
> 5.) Overflow at least one buffer from the network; this is just
> above the "print any file" part of recvjob.c:
>
>                 cp = line;
>                 do {
>                         if ((size = read(1, cp, 1)) != 1) {
>                                 if (size < 0)
>                                         frecverr("%s: Lost connection",printer);
>                                 return(nfiles);
>                         }
>                 } while (*cp++ != '\n');
>
>
> Consequences aren't really obvious, but you may be able to do
> nasty things.
>
> Will we ever get rid of gets()?  (lpd source tree is from some
> recent RedHat distribution.)

This is fixed in OpenBSD and FreeBSD.  Linux people should learn to
track what others do ;-)

The problems with '/' in filenames are fixed, too.  The mail-bombing
might still be an issue, but there are lots of other ways to do that,
so I don't really think it warrants our attention (besides which I
can't see any way to fix it).

Eivind.
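The recvjob.c loop quoted above copies bytes into `line` until it sees a newline, with no check against the size of `line`, which is the same defect as gets(). As an added example (not lpd's code, and not from either poster), here is a bounded replacement for that loop: it refuses a line that would not fit instead of writing past the buffer, and reports EOF and read errors separately. The names `recv_line` and `feed_and_read` and the status codes are invented for this example; `feed_and_read` pushes a constructed byte string through a pipe so the reader can be exercised offline.

```c
/* Added example: bounded line reader replacing the unbounded
 * read(1, cp, 1) loop from recvjob.c. Not the lpd code. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Status codes invented for this example. */
enum { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_EOF = -2, LINE_IOERR = -3 };

/* Read one '\n'-terminated line from fd into buf, never storing more
 * than bufsz bytes including the terminating NUL. On success the line
 * is returned without its newline. A line that would overrun buf is
 * rejected with LINE_TOO_LONG rather than copied past the end. */
int recv_line(int fd, char *buf, size_t bufsz)
{
    size_t n = 0;
    char c;

    if (bufsz == 0)
        return LINE_TOO_LONG;
    for (;;) {
        ssize_t r = read(fd, &c, 1);
        if (r < 0) {
            if (errno == EINTR)
                continue;               /* interrupted: retry the read */
            return LINE_IOERR;          /* the "Lost connection" case */
        }
        if (r == 0)
            return LINE_EOF;            /* peer closed before '\n' */
        if (c == '\n') {
            buf[n] = '\0';
            return LINE_OK;
        }
        if (n + 1 >= bufsz)             /* keep one byte for the NUL */
            return LINE_TOO_LONG;
        buf[n++] = c;
    }
}

/* Test harness: write a constructed input string into a pipe and read
 * it back with recv_line. Returns recv_line's status. */
int feed_and_read(const char *input, char *buf, size_t bufsz)
{
    int fds[2];
    size_t len = strlen(input);
    int rc;

    if (pipe(fds) != 0)
        return LINE_IOERR;
    if (write(fds[1], input, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return LINE_IOERR;
    }
    close(fds[1]);                      /* so a missing '\n' yields EOF */
    rc = recv_line(fds[0], buf, bufsz);
    close(fds[0]);
    return rc;
}
```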


