ESB-97.030 -- SNI Security Advisory - FreeBSD lpd

Date: 07 March 1997



===========================================================================
              AUSCERT External Security Bulletin Redistribution

                             
              ESB-97.030 -- SNI Security Advisory - FreeBSD lpd
                              7 March 1997

===========================================================================

Secure Networks Inc. has released the following advisory concerning a
vulnerability in all FreeBSD lpd implementations.  This vulnerability
may allow local and remote users to gain root access.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be made in accordance with site policies and procedures.

Contact information for SNI is included in the Security Bulletin below.
If you have any questions or need further information, please contact them
directly.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.


--------------------------BEGIN INCLUDED TEXT--------------------


                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                               March 5, 1997

                     FreeBSD lpd Security Vulnerability


There is a serious security vulnerability in all FreeBSD lpd implementations.
This vulnerability allows remote users to gain unauthorized root access to any
system allowing connections to the line printer daemon (lpd).

A user is not required to be in lpd's access list (/etc/hosts.lpd) to exploit
this vulnerability, as the problem occurs while lpd is attempting to determine
whether the host is permitted to connect.


Problem Description
~~~~~~~~~~~~~~~~~~~

The vulnerability is present in the source file lib/libc/net/rcmd.c, which
contains the function __ivaliduser().  This function is used by the line
printer daemon (lpd) to determine whether the host connecting to the daemon
is in its access list (contained in /etc/hosts.lpd).  When performing a
reverse domain name lookup on the connecting IP address, the resulting
hostname is copied into a fixed size buffer of size MAXHOSTNAMELEN (256
bytes).  Since DNS responses containing a hostname and domain name are
currently allowed to exceed 256 bytes, a buffer overflow can occur.  The
faulty code follows:


if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
   return (-1);
strcpy(hname, hp->h_name);

The string copy is done without any bounds checking.  Corrected code looks as
follows:

if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL)
   return (-1);
strncpy(hname, hp->h_name, sizeof(hname));
hname[sizeof(hname)-1] = '\0';  /* strncpy() does not terminate if h_name fills the buffer */
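As an added illustration (not code from the advisory or from FreeBSD's rcmd.c), the C below performs the same untrusted hostname copy two ways: a bounds-checked copy that rejects a name that does not fit, so the caller can refuse the connection rather than compare a shortened name against the access list, and the advisory's strncpy-plus-terminator idiom for comparison, which never overflows but silently truncates. HNAME_LEN (standing in for the 256-byte MAXHOSTNAMELEN), the function names and the constructed over-long name are assumptions.

```c
#include <string.h>

/* Assumption: the advisory's MAXHOSTNAMELEN buffer is 256 bytes. */
#define HNAME_LEN 256

/* Copy an untrusted resolver result (the advisory's hp->h_name) into a
 * fixed-size buffer without reading or writing past dstlen bytes.
 * Returns 0 on success and -1 if the name plus its NUL does not fit; the
 * caller should then refuse the connection instead of matching a
 * shortened name against /etc/hosts.lpd. */
int copy_hostname(char *dst, size_t dstlen, const char *src)
{
    const char *nul;
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    nul = memchr(src, '\0', dstlen);    /* bounded scan, unlike strlen() */
    if (nul == NULL) {                  /* no terminator within dstlen: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the NUL */
    return 0;
}

/* The advisory's corrected idiom (strncpy plus explicit terminator):
 * it cannot overflow, but it silently truncates.  Returns 1 when the
 * name was truncated, 0 otherwise, -1 on bad arguments. */
int copy_hostname_truncating(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    strncpy(dst, src, dstlen);
    dst[dstlen - 1] = '\0';             /* strncpy may leave it unterminated */
    return memchr(src, '\0', dstlen) == NULL ? 1 : 0;
}

/* Constructed input: a plausible-looking reverse-DNS answer (dotted labels,
 * no real domain) that is longer than the 256-byte buffer. */
static char long_name[HNAME_LEN + 64];

const char *build_long_name(void)
{
    size_t i;
    for (i = 0; i < sizeof(long_name) - 1; i++)
        long_name[i] = (i % 20 == 19) ? '.' : 'a';
    long_name[sizeof(long_name) - 1] = '\0';
    return long_name;
}
```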


Vulnerable Systems
~~~~~~~~~~~~~~~~~~

This security vulnerability only applies to the FreeBSD operating system.

FreeBSD 2.1.5 is vulnerable
FreeBSD 2.1.6 is vulnerable
FreeBSD 2.1.7 is vulnerable
FreeBSD 2.2 Gamma is vulnerable

FreeBSD 2.2 is not vulnerable

FreeBSD -current is vulnerable for dates prior to February 25, 1997

Corrected in -current, and -stable as of February 25, 1997.

Workaround
~~~~~~~~~~

If the system in question does not require the use of printing services, lpd
should be removed or commented out from the system startup file /etc/rc.

If you require the use of printing services, this vulnerability can be fixed
by applying the following patch to lib/libc/net/rcmd.c.  This patch has been
known to apply to all FreeBSD 2.x systems.

--- CUT HERE ---

*** libc/lib/net/rcmd.c.old     Tue Feb 25 15:33:42 1997
- --- libc/lib/net/rcmd.c Tue Feb 25 15:33:56 1997
***************
*** 377,383 ****
        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
                                                        AF_INET)) == NULL)
                return (-1);
!       strcpy(hname, hp->h_name);

        while (fgets(buf, sizeof(buf), hostf)) {
                p = buf;
- --- 377,384 ----
        if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
                                                        AF_INET)) == NULL)
                return (-1);
!       strncpy(hname, hp->h_name, sizeof(hname));
!       hname[sizeof(hname)-1] = '';

        while (fgets(buf, sizeof(buf), hostf)) {
                p = buf;
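Review bot: the terminator on the line `!       hname[sizeof(hname)-1] = '';` has lost its escape and reads as an empty character constant, which a C compiler rejects; it should be `'\0'`, which is what makes the preceding `strncpy(hname, hp->h_name, sizeof(hname));` safe, since strncpy() leaves the buffer unterminated when h_name is at least sizeof(hname) bytes long. The file header paths `libc/lib/net/rcmd.c.old` and `libc/lib/net/rcmd.c` also do not match the `lib/libc/net/rcmd.c` path named in the Problem Description and Workaround text, so anyone applying this with patch(1) should expect to adjust the path or use `-p`. The hunk's logic itself is sound: the copy is now bounded by the destination size and the last byte is always a NUL.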

--- CUT HERE ---

At this point, libc will have to be recompiled.  lpd is shipped dynamically
linked under FreeBSD, therefore the fix will take effect without recompiling
lpd itself.


Attributions
~~~~~~~~~~~~

Information about FreeBSD can be found at http://www.freebsd.org

You can contact the author of this advisory at oliver@secnet.com

Type Bits/KeyID    Date       User ID
pub  1024/0E7BBA7D 1996/09/18 Oliver Friedrichs <oliver@secnet.com>



Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

 You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
 and advisories at ftp://ftp.secnet.com/advisories

 You can browse our web site at http://www.secnet.com

 You can subscribe to our security advisory mailing list by sending mail to
 majordomo@secnet.com with the line "subscribe sni-advisories"



--------------------------END INCLUDED TEXT--------------------
