Multi-platform problem: lpr buffer overflow



Dear colleagues,

AUSCERT has analyzed an advisory regarding a problem with the widely
used lpr program. On several systems, any local user can use a
buffer overflow to obtain ROOT privileges on affected machines,
provided the SETUID ROOT bit is set on the lpr program.

The corresponding advisory, which contains information regarding the systems

        - BSD/OS                vulnerable
        - FreeBSD 2.x           vulnerable
        - LINUX                 vulnerable

        - AIX                   *not* vulnerable

also offers the option of deploying a wrapper (source code included as
part of the advisory) to prevent exploitation of the existing
vulnerability.

Further systems are currently being investigated; however, no further
information is available at this time.

Kind regards,

        Peter Kossakowski
        
--
Klaus-Peter Kossakowski               DFN-CERT, University of Hamburg
kossakowski@cert.dfn.de               Fachbereich Informatik - RZ 
Tel.:+49-40-5494-2262, Fax: -2241     Vogt-Koelln-Strasse 30, D-22527 Hamburg
PGP-Key available via finger kossakow@concert.cert.dfn.de or any key-server
PEM-Key available via finger kossakow@concert.cert.dfn.de or by mail request 
Team: http://www.cert.dfn.de/ Person: http://www.cert.dfn.de/team/kpk/


===========================================================================
AA-96.12                        AUSCERT Advisory
                        lpr buffer overrun vulnerability
                                26 November 1996

Last Revised: 26 November 1996
                 Minor change to comments in lpr_wrapper program.

---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the BSD
based printing software, lpr, available on a variety of Unix platforms.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made
publicly available.

AUSCERT recommends that sites take the steps outlined in section 3
as soon as possible.
---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    BSD based lpr printing package found on many Unix systems.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    lpr program while it is executing.  This can allow an intruder to
    cause lpr to execute arbitrary commands by supplying a carefully
    designed argument to lpr.  These commands will be run with the
    privileges of the lpr program.  When lpr is installed setuid or setgid,
    it may allow intruders to gain those privileges.

    When lpr is setuid root it may allow intruders to run arbitrary
    commands with root privileges.

    This vulnerability is currently known to affect versions of lpr
    distributed with:

        BSD/OS
        FreeBSD 2.x
        Linux

    More details may be found in Section 3.1.  Other platforms using the
    BSD based lpr systems, in which lpr is installed setuid or setgid,
    may also be vulnerable.

    This advisory will be updated as more information becomes available.

    Note that the vulnerability described in this advisory is not present
    in the LPRng printing package.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    The lpr printing package is available on many different systems.
    As vendor patches are made available sites are encouraged to
    install them (Section 3.1).  Until vendor patches are available, AUSCERT
    recommends that sites apply the workaround given in Section 3.2.

3.1 Install vendor patches

    Specific vendor information has been placed in Appendix A.  If the
    BSD based lpr printing software is used and your vendor is not listed
    in Appendix A, AUSCERT recommends that sites contact vendors directly
    for more information.

    If vendor patches are not currently available, vulnerable sites are
    encouraged to apply the workaround given in Section 3.2.

3.2 Install lpr wrapper

    AUSCERT has developed a wrapper to help prevent lpr being exploited
    using this vulnerability.  This wrapper, including installation
    instructions, can be found in Appendix B.

    AUSCERT recommends that until vendor patches can be installed,
    sites apply this workaround.

...........................................................................
Appendix A  Vendor information

The following information regarding this vulnerability for specific vendor
versions of lpr has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.

BSD/OS
------

BSDI have issued a patch which addresses this vulnerability under
BSD/OS 2.1.  This patch is available from:

        ftp://ftp.bsdi.com/pub/bsdi/patches/patches-2.1/U210-028

FreeBSD
-------

The FreeBSD security team have released an advisory describing this
vulnerability and patch information for FreeBSD 2.x.  This advisory
(SA-96.18) is available from:

        ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:18.lpr.asc

Patches can be found in the directory:

        ftp://freebsd.org/pub/CERT/patches/SA-96:18

IBM Corporation
---------------

  AIX is not vulnerable to the lpr buffer overflow.  The version of lpr
  shipped with AIX is not installed with the setuid bit turned on.


  IBM and AIX are registered trademarks of International Business Machines
  Corporation.

Linux
-----

The Linux Emergency Response Team have released a Linux Security FAQ
Update which addresses this vulnerability.  This Update contains
information regarding various Linux distributions.  It is available
from:

        ftp://bach.cis.temple.edu/pub/Linux/Security/FAQ/updates/
                   Update-11-25-1996.vulnerability-lpr-0.06-v1.2

...........................................................................
Appendix B  lpr wrapper

/*
 * lpr_wrapper.c -- wrap lpr to prevent a command line buffer overrun
 *
 *      This wrapper is part of AUSCERT Advisory AA-96.12.  The latest
 *      version of this advisory is available from:
 *
 *      ftp://ftp.auscert.org.au/pub/auscert/advisory/
 *                              AA-96.12.lpr.buffer.overrun.vul
 *
 *      This program is designed to be an interim relief measure
 *      until official vendor patches are made available.
 *
 *
 * Author:      AUSCERT
 *              Prentice Centre
 *              The University of Queensland
 *              Qld.  4072.
 *              Australia.
 *
 *              auscert@auscert.org.au
 *
 * DISCLAIMER:  The use of this program is at your own risk.  It is
 *              designed to combat a particular vulnerability, and may
 *              not combat other vulnerabilities, either past or future.
 *              The decision to use this program is yours, as are the
 *              consequences of its use.
 *
 *              This program is designed to be an interim relief measure
 *              until appropriate patches can be obtained from your vendor.
 *
 *
 * Installation instructions
 * ~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 *  1.  su to root
 *
 *  2.  Determine the location of lpr.  On FreeBSD and Linux systems it
 *      is located in /usr/bin/.   For example purposes only, /usr/bin/
 *      will be used in following instructions for the location of lpr.
 *
 *  3.  Determine the permissions, owner, and group of lpr.  This
 *      information will be used later.  For example:
 *
 *              # ls -lg /usr/bin/lpr
 *
 *      If lpr does not have setuid or setgid permissions, the installation
 *      of this wrapper program is not necessary.  The version of lpr
 *      in this case does not contain the vulnerability described in
 *      this advisory.
 *
 *  4.  Copy the real lpr program to lpr.real, and then change the
 *      permissions on it.
 *
 *              # cd /usr/bin
 *              # cp lpr lpr.real
 *              # chmod 711 lpr.real
 *
 *  5.  Edit this wrapper program and define REAL_LPR.  By default,
 *      REAL_LPR is defined as "/usr/bin/lpr.real".   This should be
 *      an absolute pathname.
 *
 *  6.  Compile this program in a directory other than /usr/bin.
 *      For example to use /usr/local/src, first copy this file into
 *      /usr/local/src.
 *
 *              # cd /usr/local/src
 *              # cc -o lpr lpr_wrapper.c
 *
 *      If you wish error messages to be logged by syslog when
 *      arguments that may exploit the buffer overrun vulnerability
 *      are passed to lpr, add -DSYSLOG to the compile time options.
 *
 *              # cc -DSYSLOG -o lpr lpr_wrapper.c
 *
 *  7.  Copy this new wrapper program into the directory originally
 *      containing lpr.  This will replace the existing lpr program.
 *
 *      Make sure this directory and its parent directories are protected so
 *      only root is able to make changes to files in the directory.
 *
 *      Use the information found in step #3 and set the same
 *      owner, group, permissions and privileges on the new lpr program.
 *
 *      For example:
 *
 *              # cp lpr /usr/bin
 *              # cd /usr/bin
 *              # chown root lpr
 *              # chgrp daemon lpr
 *              # chmod 6711 lpr
 *
 *      Check that the owner, group, permissions and privileges exactly
 *      match those noted in step #3.
 *
 *              # ls -lg /usr/bin/lpr
 *
 *      Users will not be able to print during the time when the
 *      wrapper is copied into place until the chmod command has been
 *      executed.
 *
 * 8.   Check that printing still works!
 *
 */

static char     Version[] = "lpr_wrapper V1.0 26-Nov-1996";


#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strlen() */
#include <unistd.h>     /* execve(), getuid() */
#include <syslog.h>

/*
 * Make sure REAL_LPR points to the location you copied lpr to in
 * step #4.
 */

#define REAL_LPR "/usr/bin/lpr.real"

int main(int argc, char *argv[], char *envp[])
{
        int     ct;

        /* Refuse any command line argument longer than BUFSIZ bytes. */
        for (ct=1;ct<argc;ct++)
        {
                if (strlen(argv[ct]) > BUFSIZ)
                {
                        fprintf(stderr,"You have exceeded the argument length ...Exiting\n");
#ifdef SYSLOG
                        syslog(LOG_ERR,"Possible lpr buffer overrun attack by uid %d\n",(int)getuid());
#endif

                        exit(1);
                }
        }
        /* Arguments are acceptable: hand over to the real lpr. */
        execve(REAL_LPR,argv,envp);
        /* Only reached if execve() failed. */
        perror("execve lpr failed");
        return 1;
}

...........................................................................

---------------------------------------------------------------------------
AUSCERT thanks Alexander O. Yuriev, the FreeBSD security team, IBM, and the
CERT/CC for their assistance in the production of this advisory.
---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

26 November 1996 Minor change to comments in lpr_wrapper program.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
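
An audit of the state that installation steps 3, 4 and 7 of Appendix B are meant to leave behind, as an added example that is not part of the advisory or AUSCERT's code. The flag and function names are made up here, and the paths in main() are the advisory's example paths. The check that matters most is that lpr.real carries no setuid/setgid bit of its own (the chmod 711 in step 4), since otherwise it could be run directly without passing through the wrapper's length check.

```c
/* Added example (not AUSCERT's code): audit the state left by steps 3, 4 and 7.
 * Paths in main() are the advisory's example paths; flag names are made up here. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

#define WRAPPER_NOT_PRIVILEGED 0x01 /* wrapper lost setuid/setgid: step 7 incomplete */
#define REAL_STILL_PRIVILEGED  0x02 /* lpr.real runs privileged without the wrapper */
#define REAL_NOT_ROOT_OWNED    0x04 /* a non-root owner could replace lpr.real */
#define FILE_WRITABLE          0x08 /* wrapper or lpr.real is group/world writable */
#define DIR_UNPROTECTED        0x10 /* directory not root-only writable (step 7) */

#define PRIV_BITS  (S_ISUID | S_ISGID)
#define LOOSE_BITS (S_IWGRP | S_IWOTH)

/* Pure check on three stat results, so it can be tested without touching disk. */
int audit_install(const struct stat *dir, const struct stat *wrapper,
                  const struct stat *real)
{
    int f = 0;
    if (!(wrapper->st_mode & PRIV_BITS)) f |= WRAPPER_NOT_PRIVILEGED;
    if (real->st_mode & PRIV_BITS)       f |= REAL_STILL_PRIVILEGED;
    if (real->st_uid != 0)               f |= REAL_NOT_ROOT_OWNED;
    if ((wrapper->st_mode | real->st_mode) & LOOSE_BITS) f |= FILE_WRITABLE;
    if (dir->st_uid != 0 || (dir->st_mode & LOOSE_BITS)) f |= DIR_UNPROTECTED;
    return f;
}

/* stat() the three paths and audit them; returns -1 if any path is missing. */
int audit_paths(const char *dir, const char *wrapper, const char *real)
{
    struct stat d, w, r;
    if (stat(dir, &d) || stat(wrapper, &w) || stat(real, &r)) return -1;
    return audit_install(&d, &w, &r);
}

int main(void)
{
    int f = audit_paths("/usr/bin", "/usr/bin/lpr", "/usr/bin/lpr.real");
    if (f < 0) { perror("stat"); return 2; }
    if (f & WRAPPER_NOT_PRIVILEGED) puts("lpr: no setuid/setgid bit (compare with step 3)");
    if (f & REAL_STILL_PRIVILEGED)  puts("lpr.real: setuid/setgid set, wrapper can be bypassed");
    if (f & REAL_NOT_ROOT_OWNED)    puts("lpr.real: not owned by root");
    if (f & FILE_WRITABLE)          puts("lpr or lpr.real: group/world writable");
    if (f & DIR_UNPROTECTED)        puts("/usr/bin: writable by non-root users");
    return f ? 1 : 0;
}
```

The exit status is 0 when nothing is flagged, 1 when at least one finding is printed, and 2 when one of the three paths is missing.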