Bugtraq mailing list archives
Re: Possible weakness in LPD protocol
From: imp () VILLAGE ORG (Warner Losh)
Date: Fri, 3 Oct 1997 08:39:44 -0600
: SOLUTIONS ???
: These holes are due to the implementation of the lpr protocol and the
: fact that lpd runs as root. I am sure that there may be many solutions
: to this, but at first glance I think that by checking for a '/' in the
: filenames would cause the program to react when someone tries to print
: files from outside of the queue directory.

Both OpenBSD and FreeBSD disallow any files with / in them in the code that was quoted. So this isn't a problem in either of those systems. I don't have a current NetBSD source tree online at the moment, or I'd check there.

The following csh code

    while (1)
        mail blah blah blah
    end

allows effective mail bombing as well. And if you control root for the machine in question, you can use sendmail to forge the mail from any address that you want. And even if you aren't, effective mail forging programs are a dime a dozen and are more general in their damage.

What is the threat here?

Warner
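
The '/' check discussed in this message, as an added C example that is not part of the original post and is not the OpenBSD or FreeBSD code: it applies the check to the RFC 1179 control-file commands whose operand lpd opens or unlinks in the spool directory. The function names and the sample control file are constructed for illustration, and the rejection of "." and ".." goes beyond the check the message describes.

```c
#include <stdio.h>
#include <string.h>

/* 1 if name[0..len) is safe to open or unlink relative to the spool
 * directory: non-empty, no '/' anywhere, and not "." or "..". */
int spool_name_ok(const char *name, size_t len)
{
    if (len == 0 || memchr(name, '/', len) != NULL)
        return 0;
    if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.')))
        return 0;
    return 1;
}

/* RFC 1179 commands whose operand names a spool file: the lowercase
 * print commands and 'U' (unlink data file). */
static int names_spool_file(char cmd)
{
    return cmd == 'U' || (cmd != '\0' && strchr("cdfglnoprtv", cmd) != NULL);
}

/* 1 if the control-file line may be acted on, 0 if it must be skipped. */
int control_line_ok(const char *line, size_t len)
{
    if (len == 0 || !names_spool_file(line[0]))
        return 1; /* H, P, J, N, ... carry text, not a path lpd opens */
    return spool_name_ok(line + 1, len - 1);
}

/* Number of lines in a newline-separated control file that are rejected. */
int count_rejected(const char *cf)
{
    int rejected = 0;
    while (*cf != '\0') {
        size_t n = strcspn(cf, "\n");
        if (!control_line_ok(cf, n))
            rejected++;
        cf += n + (cf[n] == '\n');
    }
    return rejected;
}

/* Constructed sample: two normal entries, then two that name files
 * outside the queue directory. */
const char SAMPLE_CF[] = "Hclient\nPalice\nfdfA001client\nUdfA001client\n"
                         "f/etc/passwd\nU../../etc/hosts.equiv\n";

int main(void) { printf("rejected: %d\n", count_rejected(SAMPLE_CF)); return 0; }
```
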