LPRng Vulnerability
Updated 12/23/02
CVE 2000-0917
CVE 2001-1002
CAN 2002-0836
Impact
If vulnerabilities are present in LPRng, a remote attacker could
execute arbitrary code on the server. Internet worms have also
been known to exploit vulnerabilities in LPRng to further their
propagation.
Background
The print process is controlled by a process called lpd.
The lpd process is a UNIX daemon that accepts print
requests from local and remote users. LPRng
is a popular version of lpd which provides
enhancements and comes enabled by default with several
open-source operating systems.
LPRng can include a number of optional files called print
filters which provide the print service with instructions
on processing specific
document types. One such filter is available to process
Device Independent (DVI) files.
The DVI print filter uses the dvips utility
(part of the teTeX package)
to convert DVI documents to PostScript.
The Problem
CVE 2000-0917
There are two problems in LPRng which could allow a remote
attacker to gain unauthorized access to the system. The first
problem is caused by calls to the syslog function that lack a
fixed format string, so that text taken from the print request is
passed as the format argument itself. This bug could allow a
remote attacker to cause a segmentation fault and crash the
print service. Furthermore, arbitrary code injected into the
print service's memory space by other means could be executed.
Versions of LPRng prior to 3.6.25 are affected by this
vulnerability.
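The shape of the first problem, as an added illustration that is not LPRng's own code: the unsafe call hands request-derived text to the logging function as its format string, the fixed call keeps a constant format and passes the text as an argument. syslog() is emulated with snprintf() into a buffer so the difference can be observed; the function names and the count_directives check are this example's own.

```c
/* Added example, not code from LPRng: the CVE 2000-0917 defect pattern. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: text that came from the print request (job owner,
 * client host name, ...) is used AS the format string. The real bug is
 * syslog(LOG_INFO, from_client); snprintf stands in for syslog here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_request_unsafe(const char *from_client, char *out, size_t outlen)
{
    /* Any '%' directive inside from_client is interpreted by the formatter. */
    return snprintf(out, outlen, from_client);
}
#pragma GCC diagnostic pop

/* Fixed pattern: a constant format string; the untrusted text is only
 * ever a %s argument, so its contents are copied verbatim. The real fix
 * is syslog(LOG_INFO, "%s", from_client). */
static int log_request_safe(const char *from_client, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", from_client);
}

/* Defensive check: count conversion directives ('%' not followed by '%')
 * in data about to be logged. Legitimate job metadata never needs them,
 * so a non-zero count on remotely supplied text is worth alerting on. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* "%%" is a literal percent sign, skip it */
        else
            n++;
    }
    return n;
}
```

With the input "job from host-a: 100%% done" the unsafe call renders "100% done" (the "%%" was interpreted) while the safe call logs the bytes unchanged; the same mechanism is what lets other directives reach the formatter.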
8/29/01
12/23/02
CVE 2001-1002
CAN 2002-0836
The second problem is not a vulnerability in LPRng itself,
but instead is caused by the DVI print filter. If the print
filter calls the dvips program without the
appropriate security option, or if the dvips
program itself is vulnerable, it may
be possible for a remote attacker to execute arbitrary commands
by embedding the commands in a DVI document that is
sent to the print service. This vulnerability can only be
exploited if both of the following conditions exist:
- The DVI print filter is present. (It is usually called dvi-to-ps.fpi.)
- The dvips utility is present.
Resolution
If the print service is not needed, disable lpd.
Otherwise, the format string vulnerability can be fixed by
upgrading to the latest version of LPRng. The DVI print filter
vulnerability can be fixed by installing fixed tetex packages from
your vendor, or, if DVI printing functionality is not needed,
by removing the DVI print filter as follows:
rm -f /usr/share/printconf/mf_rules/mf40-tetex_filters
rm -f /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
The above commands are for Red Hat Linux. The paths may
vary on other operating systems.
Where can I read more about this?
More information on the format string vulnerability is available from
CERT Advisory 2000-22. The problems in the DVI print filter were
posted to Bugtraq, Red Hat Security Advisory 2002:194, and
Debian Security Advisory 207.