From ksrt@dec.net Mon Oct 27 13:47:52 1997 Date: Sat, 25 Oct 1997 08:22:39 -0700 From: "KSR[T]" To: BUGTRAQ@NETSPACE.ORG Subject: KSR[T] Advisory #004: printfilter / groff / lpd ----- KSR[T] Website : http://www.dec.net/ksrt E-mail: ksrt@dec.net ----- KSR[T] Advisory #004 Date: Oct 6, 1997 ID #: lin-lpdg-004 Operating System(s): Redhat Linux 4.2 Affected Program: lpd / printfilter / groff Problem Description: The printfilter software package that comes with Redhat Linux is called by lpd to determine the type of file that is being printed, and then to apply the appropriate 'filter' so that the file will be printed properly. The 'filters' are usually shell scripts that call a helper application. The first problem is that some of these filters use /tmp as scratch space, which opens up a symlink attack for file creation and file overwriting. ( lpd is running as user bin, group root ) The second problem is that a lot of the helper applications were not built with security in mind. One example of this is groff. There are several troff/groff 'requests' that allow commands to be executed. The result is that anyone with a simple understanding of troff can send a troff document to a remote server, causing the remote server to execute arbitrary commands as user bin, group root. It is important to note that other operating systems may use a print filter that will use applications like troff. They are just as susceptible to attack as the operating systems listed above. Compromise: local users can overwrite files writable by user bin and/or group root. local and remote users can execute commands as user bin, group root. From this point, a clever attacker can obtain root. Patch/Fix: Erik Troan has put updated RPMS online at: ftp://ftp.redhat.com/updates/4.2/i386/groff-1.10-8.1.i386.rpm ftp://ftp.redhat.com/updates/4.2/i386/rhs-printfilters-1.41.1-1.i386.rpm