Bugtraq mailing list archives

Re: Possible weakness in LPD protocol

From: roessler () GUUG DE (Thomas Roessler)
Date: Fri, 3 Oct 1997 02:43:16 +0200


On October 02 1997, Bennett Samowich wrote:

1.) Obtaining hard (or possibly soft) copies of any file on the system.
2.) Deleting any file on the system.
3.) Creating a file on the system.
4.) Mail bombing.


5.) Overflow at least one buffer from the network; this is just
above the "print any file" part of recvjob.c:

                cp = line;
                do {
                        if ((size = read(1, cp, 1)) != 1) {
                                if (size < 0)
                                        frecverr("%s: Lost connection",printer);
                                return(nfiles);
                        }
                } while (*cp++ != '\n');


Consequences aren't really obvious, but you may be able to do
nasty things.

Will we ever get rid of gets()?  (lpd source tree is from some
recent RedHat distribution.)

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
   1280/593238E1 · AE 24 38 88 1B 45 E4 C6  03 F5 15 6E 9C CA FD DB

Current thread:

Security Bulletin for telnet services in HP-UX rel. 10.30 Aleph One (Oct 01)
- underestimating crackers Tim Newsham (Oct 01)
  - Re: underestimating crackers John Bashinski (Oct 02)
- [RISKS DIGEST 19.40] Possible breakthrough in NP-completeness Brian Tao (Oct 01)
- Possible weakness in LPD protocol Bennett Samowich (Oct 02)
  - Re: Possible weakness in LPD protocol Thomas Roessler (Oct 02)
    - Re: Possible weakness in LPD protocol Christopher Masto (Oct 03)
    - xc Aleph One (Oct 03)
- NT Domain Authentication Protocol - draft Aleph One (Oct 02)