Bugtraq mailing list archives
Re: Possible weakness in LPD protocol
From: Doug.Hughes () ENG AUBURN EDU (Doug Hughes)
Date: Sun, 5 Oct 1997 11:45:17 -0500
Thomas Roessler wrote:
> On October 02 1997, Bennett Samowich wrote:
> > 1.) Obtaining hard (or possibly soft) copies of any file on the system.
> > 2.) Deleting any file on the system.
> > 3.) Creating a file on the system.
> > 4.) Mail bombing.
>
> 5.) Overflow at least one buffer from the network; this is just above
> the "print any file" part of recvjob.c:
>
>     cp = line;
>     do {
>         if ((size = read(1, cp, 1)) != 1) {
>             if (size < 0)
>                 frecverr("%s: Lost connection", printer);
>             return(nfiles);
>         }
>     } while (*cp++ != '\n');
>
> Consequences aren't really obvious, but you may be able to do nasty
> things. Will we ever get rid of gets()?
>
> (lpd source tree is from some recent RedHat distribution.)
Here's another one from common_source/common.c:

    while ((c = getc(cfp)) != '\n') {
        if (c == EOF)
            return(0);
        if (c == '\t') {
            do {
                *lp++ = ' ';
                linel++;
            } while ((linel & 07) != 0);
            continue;
        }
        *lp++ = c;
        linel++;
    }
    *lp++ = '\0';
    return(linel);

A fix would appear to be to make the while like this:

    while ((c = getc(cfp)) != '\n' && linel < BUFSIZ-8) {

Why BUFSIZ-8? Leave space for tab expansion in the inner do loop. It
still should be a plenty long enough buffer. Or, add another check for
linel in the inner do loop.

--
____________________________________________________________________________
Doug Hughes                                 Engineering Network Services
System/Net Admin                            Auburn University
doug () eng auburn edu
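As an added illustration (not part of this thread or of the lpd source), here is a bounded rewrite of the common.c line reader above that takes the second route Doug mentions: the length check sits before every byte written, including each space produced by tab expansion, so the reader can never run past the buffer no matter how the tabs line up. The `nth_line` helper, `fmemopen` use, return codes and `cap >= 1` requirement are my own assumptions for demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

/* Bounded version of the control-file line reader quoted from lpd's
 * common.c above (added illustration, not the lpd source). Tab expansion
 * to 8-column stops is kept, but the bound is checked before every byte
 * written, including each expansion space, so a tab near the end of the
 * buffer cannot spill up to 8 bytes past it. Returns the expanded length,
 * -1 at end of input, or -2 if the line does not fit (the rest of that
 * line is drained so the caller can continue with the next one). */
int getline_bounded(FILE *fp, char *buf, size_t cap)
{
    size_t linel = 0;
    int c;
    while ((c = getc(fp)) != '\n') {
        if (c == EOF)
            return -1;                 /* partial last line is dropped */
        if (c == '\t') {
            do {
                if (linel >= cap - 1) goto toolong;
                buf[linel++] = ' ';
            } while ((linel & 07) != 0);
            continue;
        }
        if (linel >= cap - 1) goto toolong;
        buf[linel++] = (char)c;
    }
    buf[linel] = '\0';
    return (int)linel;

toolong:
    while ((c = getc(fp)) != '\n' && c != EOF)
        ;                              /* discard the oversized line */
    buf[0] = '\0';
    return -2;
}

/* Result of the reader on 0-based line `skip` of a constructed in-memory
 * input (fmemopen is POSIX); earlier lines are read and discarded. */
int nth_line(const char *input, int skip, char *buf, size_t cap)
{
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    int n = -3;                        /* -3: could not open input */
    if (!fp) return n;
    do
        n = getline_bounded(fp, buf, cap);
    while (skip-- > 0 && n != -1);
    fclose(fp);
    return n;
}
```

With a 32-byte buffer, a line of four tabs (32 expanded columns) is rejected with -2 rather than written past the end, and the following line is still read correctly.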