Bugtraq
mailing list archives
Re: Security problem with LPRng
From: papowell () ASTART COM (papowell () ASTART COM)
Date: Mon, 5 Jul 1999 09:09:29 -0700
From owner-bugtraq () netspace org Fri Jul 2 09:09:25 1999
Date: Fri, 2 Jul 1999 11:38:13 +1000
From: Chris Leishman <masklin () DEBIAN ORG>
Subject: Security problem with LPRng
To: BUGTRAQ () netspace org
Hi all,
During some recent work I've been doing with LPRng, I found that it is
possible (on a default LPRng installation) to control the print queues on
the LPRng server.
Most default installations allow the root user at the localhost to send
control commands to the LPRng lpd server. The authentication used is to
make sure that the packets are sent from a low (privileged) source port
(RFC1179 specifies ports 721-731, although the LPRng howto specifies that
this has been extended to 512-1023). This is why the lpc utility is usually
installed SUID root.
However, it appears that LPRng's lpd server fails to check the source port
correctly, so using a modified client that uses ports outside the allowed
range the server will accept the command.
An exploit that uses this technique to stop or start a print queue is appended
to this advisory. It was written and tested on Debian GNU/Linux. It is used
in the following way:
host:~$ /usr/sbin/lpc status
Printer   Printing  Spooling  Jobs  Server  Slave  Redirect  Status/Debug
lp@host   enabled   enabled      0  none    none
host:~$ gcc lpcontrol.c
host:~$ ./a.out
Usage: ./a.out printer [stop|start]
host:~$ ./a.out lp stop
host:~$ /usr/sbin/lpc status
Printer   Printing  Spooling  Jobs  Server  Slave  Redirect  Status/Debug
lp@host   disabled  enabled      0  none    none
host:~$
The author (papowell () astart com) has been notified, but the problem has not
been fully acknowledged. Aside from a lot of random (and generally useless)
commentary regarding the insecurity of LPRng, NFS, SUID root programs, etc, the
only useful suggestion was to add
REJECT=X NOT PORT=1-1023
to the lpd.perms control file.
One thing that he did mention is quoted below:
You don't consider SETUID ROOT programs such as a particular
implementation of lpq that has a stack overflow problem when
you return long status to be a problem...
I haven't looked for stack overflows in detail yet, but this is a little
concerning since the default is to install lpq, lpc, etc SUID root. While
I hope to have a good look into it, the code is extremely difficult to follow.
Have a nice day all,
Chris Leishman
As I have noted to Mr. Leishman, you can configure the security
options in LPRng to check the originating port:
# check originating ports on connections
REJECT SERVICE=X NOT PORT=721-731
I will throw the above line into the default /etc/lpd.conf shipped
with LPRng on the next release, but I repeat:
THIS IS NOT REPEAT NOT A FIX FOR A LPRng SECURITY PROBLEM.
THE PROBLEM IS THAT THE RFC1179 PROTOCOL IS INHERENTLY
UNRELIABLE FOR AUTHENTICATION.
I consider running LPRng and any other print server SUID root a
major security issue, have stated this, have written warnings
about this, and so forth, but due to the large number of inexperienced
system administrators and other users who have problems dealing
with connection issues to other systems, have been forced by the
large volume of 'reported problems connecting to other systems' to
make the default install SUID root.
I will note that using port origination as an authentication
mechanism has been shown to be highly susceptible to various attacks,
and while I have provided a mechanism to check for and enforce
connection origination and checking, I place absolutely no reliance
on this, and warn that there are many known methods to impersonate
and forge connections from systems that will compromise this security
mechanism.
If you need to provide an authentication mechanism, LPRng has
the ability to use PGP, Kerberos, or a user developed mechanism for
authentication.
Patrick Powell
Patrick Powell Astart Technologies,
papowell () astart com 9475 Chesapeake Drive, Suite D,
Network and System San Diego, CA 92123
Consulting 619-874-6543 FAX 619-279-8424
LPRng - Print Spooler (http://www.astart.com)
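The originating-port check that both messages discuss, as an added example (this is not LPRng code and was not posted by either author). It models RFC 1179's requirement that a client connect from a source port in 721-731 (section 3.1 of the RFC; the LPRng HOWTO, per the thread, widens this to 512-1023), which only root can bind and which is why lpc ships SUID root, and it evaluates lpd.perms lines such as the "REJECT SERVICE=X NOT PORT=721-731" rule quoted above. The rule grammar, first-match evaluation order, accept-by-default behaviour and the meaning of SERVICE=X as the connection check are assumptions taken from the thread rather than from LPRng's parser, and the two rule sets are constructed for the demonstration.

```python
"""
Model of the lpd.perms originating-port check from the LPRng thread.

Added example, not LPRng code. Assumptions (not verified against the
real lpd.perms parser): rules are evaluated top to bottom, the first
rule whose conditions all hold decides, an unmatched connection is
accepted, and SERVICE=X denotes the connection check.
"""
import socket
from dataclasses import dataclass

RFC1179_PORTS = (721, 731)   # RFC 1179 section 3.1 source-port range


@dataclass
class Connection:
    service: str        # lpd.perms SERVICE letter ('X' = connection, 'C' = control)
    port: int           # originating (client-side) TCP port
    remotehost: str


def parse_range(spec):
    """'721-731' -> (721, 731); '515' -> (515, 515)."""
    lo, _, hi = spec.partition("-")
    return int(lo), (int(hi) if hi else int(lo))


def parse_rule(line):
    """'REJECT SERVICE=X NOT PORT=721-731' -> ('REJECT', [(key, negated, values)])."""
    tokens = line.split()
    action, conds, negate = tokens[0].upper(), [], False
    for tok in tokens[1:]:
        if tok.upper() == "NOT":
            negate = True           # NOT applies to the next KEY=VALUE only
            continue
        key, _, val = tok.partition("=")
        conds.append((key.upper(), negate, val.split(",")))
        negate = False
    return action, conds


def condition_holds(conn, key, values):
    """True if one lpd.perms condition (before any NOT) matches the connection."""
    if key == "SERVICE":
        return conn.service in values
    if key == "PORT":
        return any(lo <= conn.port <= hi for lo, hi in map(parse_range, values))
    if key == "REMOTEHOST":
        return conn.remotehost in values
    raise ValueError(f"key {key!r} is not modelled here")


def evaluate(perms, conn):
    """Return 'ACCEPT' or 'REJECT' for conn under a list of lpd.perms lines."""
    for raw in perms:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, conds = parse_rule(line)
        if all(condition_holds(conn, k, v) != neg for k, neg, v in conds):
            return action
    return "ACCEPT"                 # assumed default when nothing matches


def from_rfc1179_port(port):
    """True if the client bound a source port RFC 1179 allows (needs root)."""
    return RFC1179_PORTS[0] <= port <= RFC1179_PORTS[1]


# Constructed rule sets: a default with no port check, and the same with the
# line from the reply above placed first so it is evaluated for every connection.
DEFAULT_PERMS = [
    "# constructed default: no check on the originating port",
    "ACCEPT SERVICE=C REMOTEHOST=localhost",
]
HARDENED_PERMS = [
    "# check originating ports on connections",
    "REJECT SERVICE=X NOT PORT=721-731",
] + DEFAULT_PERMS


def peer_port_decision(perms, sock, service="X"):
    """Apply the rules to an accepted AF_INET socket using its peer address."""
    host, port = sock.getpeername()[:2]
    return evaluate(perms, Connection(service, port, host))


if __name__ == "__main__":
    # A connection from an unprivileged port, as the advisory's modified
    # client makes it, against both configurations.
    spoofed = Connection("X", 40000, "localhost")
    print("default  :", evaluate(DEFAULT_PERMS, spoofed))
    print("hardened :", evaluate(HARDENED_PERMS, spoofed))
    # Binding into the RFC 1179 range needs root; this is the privilege
    # that SUID root lpc carries and that the server-side check relies on.
    s = socket.socket()
    try:
        s.bind(("127.0.0.1", RFC1179_PORTS[0]))
        print("bound port 721: running as root")
    except PermissionError:
        print("bind to 721 refused: not root, so an honest client cannot pass the check")
    finally:
        s.close()
```

Two things the model makes visible: first, the check only helps if the REJECT line is evaluated before any ACCEPT that could match the same connection, so it belongs at the top of lpd.perms; second, a source-port range is an authorization hint rather than authentication, because any host that can forge or relay a TCP connection from a low port passes it, which is the reservation Patrick Powell states above.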