LPRng Vulnerability

Updated 12/23/02
CVE 2000-0917
CVE 2001-1002
CAN 2002-0836

Impact

If vulnerabilities are present in LPRng, a remote attacker could execute arbitrary code on the server. Internet worms have also been known to exploit vulnerabilities in LPRng to further their propagation.

Background

The print process is controlled by a process called lpd. The lpd process is a UNIX daemon that accepts print requests from local and remote users. LPRng is a popular version of lpd which provides enhancements and comes enabled by default with several open-source operating systems.

LPRng can include a number of optional files called print filters which provide the print service with instructions on processing specific document types. One such filter is available to process Device Independent (DVI) files. The DVI print filter uses the dvips utility (part of the teTeX package) to convert DVI documents to PostScript.

The Problem

CVE 2000-0917
There are two problems in LPRng which could allow a remote attacker to gain unauthorized access to the system. The first problem is caused by missing format strings in calls to the syslog function: remote-supplied data is passed to syslog in the position of the format string, so any printf-style directives it contains are interpreted rather than logged literally. This bug could allow a remote attacker to cause a segmentation fault and crash the print service. Furthermore, arbitrary code injected into the print service's memory space by other means could be executed. Versions of LPRng prior to 3.6.25 are affected by this vulnerability.
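The difference between the unsafe and the fixed syslog call, as an added illustration that is not code from LPRng or from the advisories cited here: the sample hostname field is constructed, and the directive counter is a defender-side check added for this example, not part of any LPRng release.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample of an untrusted field as lpd might receive it in a
 * print-job control line (not real LPRng data). It carries printf-style
 * directives that a bare syslog(prio, buf) would interpret. */
static const char SAMPLE_PEER[] = "printer-%x%x%n.example";

/* Vulnerable pattern (shown only as a comment; never do this):
 *
 *     snprintf(buf, sizeof buf, "lpd: request from %s", peer);
 *     syslog(LOG_INFO, buf);          // buf becomes the format string
 *
 * gcc/clang flag this with -Wformat-security. */

/* Fixed pattern: the format string is a constant and user data is only
 * ever an argument to it. The line is rendered into a static buffer so
 * the result can be inspected (not thread-safe; fine for a demo). */
const char *render_log_line(const char *peer)
{
    static char line[256];
    snprintf(line, sizeof line, "lpd: request from %s", peer);
    return line;
}

void log_peer_fixed(const char *peer)
{
    /* Constant format, data as argument: directives in peer stay text. */
    syslog(LOG_INFO, "%s", render_log_line(peer));
}

/* Defender-side check: count printf-style directives in a field that
 * should never contain any, e.g. to alert on suspicious print jobs.
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0')
            count++;
    }
    return count;
}
```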

8/29/01
12/23/02
CVE 2001-1002
CAN 2002-0836
The second problem is not a vulnerability in LPRng itself, but instead is caused by the DVI print filter. If the print filter calls the dvips program without the appropriate security option, or if the dvips program itself is vulnerable, it could be possible for a remote attacker to execute arbitrary commands by embedding the commands into a DVI document which is sent to the print service. This vulnerability can only be exploited if both of the following conditions exist:

  1. The DVI print filter is present. (It is usually called dvi-to-ps.fpi.)
  2. The dvips utility is present.

Resolution

If the print service is not needed, disable lpd. Otherwise, the format string vulnerability can be fixed by upgrading to the latest version of LPRng. The DVI print filter vulnerability can be fixed by installing fixed tetex packages from your vendor, or, if DVI printing functionality is not needed, by removing the DVI print filter as follows:
rm -f /usr/share/printconf/mf_rules/mf40-tetex_filters
rm -f /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
The above commands are for Red Hat Linux. The paths may vary on other operating systems.

Where can I read more about this?

More information on the format string vulnerability is available from CERT Advisory 2000-22. The problems in the DVI print filter were posted to Bugtraq, Red Hat Security Advisory 2002:194, and Debian Security Advisory 207.