Subject: Security hole in lpr
To: None <current-users@NetBSD.ORG>
From: Rick Byers <rickb@iaw.on.ca>
List: current-users
Date: 03/02/1997 16:43:38
Hi There,
I just caught someone trying to exploit a hole in lpr on our NetBSD 1.2
machine.  I've got the source code of what he was trying, but I don't want
to post it in case it gets into the wrong hands...

Basically, he was utilizing a buffer overflow in lpr by calling 
lpr -C bigbuf

where bigbuf was a string that would eventually cause a root shell to get
called.  As far as I can tell (accounting logs) he was NOT successful.  I
tried it on my machine at home, and it just said "unknown printer".  I've
just been looking at the source code though, and here is where I've
narrowed it down to:

/*
 * Put a line into the control file.
 */
static void
card(c, p2)
        register int c;
        register char *p2;
{
        char buf[BUFSIZ];               /* fixed-size stack buffer, BUFSIZ == 1024 */
        register char *p1 = buf;
        register int len = 2;

        *p1++ = c;
        /* copies every byte of p2 into buf; nothing compares len or p1
         * against BUFSIZ, so a long p2 runs past the end of buf */
        while ((c = *p2++) != '\0') {
                *p1++ = (c == '\n') ? ' ' : c;
                len++;
        }
        *p1++ = '\n';
        write(tfd, buf, len);           /* tfd: control file descriptor opened elsewhere in lpr */
}

card gets called with c='C' and p2 is a pointer to his buffer.  Characters
get copied into p1 from p2 without any check for overflow!  BUFSIZ is
1024.  The obvious fix is to change the while to:
while (len < BUFSIZ && (c = *p2++) != '\0' )
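For comparison, here is a bounded version of the same copy loop.  This is an added example, not code from Rick's mail or from the NetBSD lpr sources: the names build_card_line, card_bounded and CARD_BUFSIZ are made up here, and it refuses an over-long line (returns -1) rather than truncating it, so the caller can reject the job.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Control-file line buffer size on the NetBSD 1.2 system described in the
 * mail (BUFSIZ == 1024); renamed so it cannot clash with <stdio.h>'s BUFSIZ. */
#define CARD_BUFSIZ 1024

/* Bounded replacement for card()'s copy loop.  Builds "<c><p2 with newlines
 * flattened to spaces>\n" into out[outsz].  Returns the line length, or -1
 * if the input would not fit, so the caller can reject the job instead of
 * overrunning the stack buffer (or silently truncating, which a plain
 * len < BUFSIZ test in the loop condition would do). */
ssize_t build_card_line(char *out, size_t outsz, int c, const char *p2)
{
        size_t len = 0;

        if (outsz < 2)
                return -1;
        out[len++] = (char)c;
        /* Stop one byte early so the trailing '\n' always fits. */
        while (*p2 != '\0' && len < outsz - 1) {
                out[len++] = (*p2 == '\n') ? ' ' : *p2;
                p2++;
        }
        if (*p2 != '\0')
                return -1;      /* leftover input: line is too long */
        out[len++] = '\n';
        return (ssize_t)len;
}

/* Same shape as the original card(): write the line to control file tfd. */
ssize_t card_bounded(int tfd, int c, const char *p2)
{
        char buf[CARD_BUFSIZ];
        ssize_t len = build_card_line(buf, sizeof buf, c, p2);

        if (len < 0)
                return -1;
        return write(tfd, buf, (size_t)len);
}
```

With a 1024-byte buffer the longest class string that fits is 1022 bytes (one for 'C', one for the newline); anything longer is rejected before a single byte is written.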

Since we don't use the printer stuff, I just turned off the setuid bits.
(actually, I've just removed most of the entire lpd set from our machine).

If any of you development people want the exploit program, let me know and
I can send it to you.  I expect you could guess exactly how it works
though.

He was actually editing the program when I tried to talk with him.  He
wouldn't respond so I just kicked him off and disabled his account.  I'm
sure it was just a matter of time before he got it right...  It's just
lucky that I noticed him.  We're small enough that I'm used to who is
usually on the system doing what.  I'm only part time though, and I won't
catch everything...

It scares the crap out of me that unchecked copying like that occurs in
setuid programs.  We'd have a major problem if we suffered a root
compromise.  Has there been any effort to do what the OpenBSD group did
(or at least copy what they did), and sift through all of the code for
setuid programs looking for that sort of thing?  I'd be very willing to
donate some time to help with that effort.

Thanks,
	Rick

=========================================================================
Rick Byers                                      Internet Access Worldwide
rickb@iaw.on.ca                                      System Administrator
Welland, Ontario, Canada                                    (905)714-1400
http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/