Bugtraq mailing list archives
Re: Possible weakness in LPD protocol
From: roessler () GUUG DE (Thomas Roessler)
Date: Fri, 3 Oct 1997 02:43:16 +0200
On October 02 1997, Bennett Samowich wrote:
> 1.) Obtaining hard (or possibly soft) copies of any file on the system.
> 2.) Deleting any file on the system.
> 3.) Creating a file on the system.
> 4.) Mail bombing.
5.) Overflow at least one buffer from the network; this is just above
    the "print any file" part of recvjob.c:

        cp = line;
        do {
                if ((size = read(1, cp, 1)) != 1) {
                        if (size < 0)
                                frecverr("%s: Lost connection",printer);
                        return(nfiles);
                }
        } while (*cp++ != '\n');

Consequences aren't really obvious, but you may be able to do nasty
things. Will we ever get rid of gets()?

(lpd source tree is from some recent RedHat distribution.)

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
1280/593238E1 · AE 24 38 88 1B 45 E4 C6 03 F5 15 6E 9C CA FD DB
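The loop quoted in the message above stores one byte per read() until it sees a newline and never checks how much room is left in `line`. As an added example (not code from the post or from the lpd source tree), here is the same byte-at-a-time read with a length bound; `LINE_CAP`, the `RL_*` return codes and the pipe-based `demo` helper are assumptions made for illustration, and the input lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LINE_CAP 64  /* assumed size; the post does not state how large `line` is */
enum { RL_EOF = -1, RL_IOERR = -2, RL_TOOLONG = -3 };

/* Read one '\n'-terminated line from fd, one byte at a time like the quoted
 * loop, but never store past buf[cap - 1]. Returns the line length (newline
 * stripped, NUL-terminated) or an RL_* code. */
static int read_line_bounded(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return RL_TOOLONG;
    for (;;) {
        char c;
        ssize_t got = read(fd, &c, 1);
        if (got < 0)
            return RL_IOERR;
        if (got == 0)
            return RL_EOF;       /* peer closed before sending a newline */
        if (c == '\n') {
            buf[n] = '\0';
            return (int)n;
        }
        if (n + 1 >= cap)
            return RL_TOOLONG;   /* reject the line instead of overrunning buf */
        buf[n++] = c;
    }
}

/* Constructed demo: push `data` through a pipe and read one line back. */
static int demo(const char *data, size_t len, char *out)
{
    int p[2], r = RL_IOERR;
    if (pipe(p) != 0)
        return r;
    ssize_t w = write(p[1], data, len);
    close(p[1]);
    if (w == (ssize_t)len)
        r = read_line_bounded(p[0], out, LINE_CAP);
    close(p[0]);
    return r;
}

int main(void)
{
    char out[LINE_CAP], big[200];
    memset(big, 'A', sizeof big);
    big[sizeof big - 1] = '\n';   /* 199 bytes before the newline */
    printf("short line -> %d\n", demo("sample line\n", 12, out));
    printf("long line  -> %d\n", demo(big, sizeof big, out));
    return 0;
}
```

A caller that gets `RL_TOOLONG` should drop the connection rather than keep reading, since the rest of the oversized line is still queued on the descriptor.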