Date: Wed, 23 Sep 1998 12:55:32 +0200
From: Tom <[email protected]>
To: [email protected]
Subject: more HylaFAX problems
Hi.
While setting up the HylaFAX package of S.u.S.E.
Linux 5.1 I found some nice security holes in
the fax-filter.
1. the spool file (fax_$USER.ps) is created with mode 666 and has UID/GID 'lp'. This bug allows modification of the spool file, which doesn't seem very dangerous, but think about a fax which contains the company's logo, the name of a top manager and some malicious information.
   solution: set umask in the filter script
2. another scary fact is that the filter script doesn't check for an already existing "spool" file or link. Now an attacker is able to overwrite files with the permissions of 'lp' and to modify the file (mode: 666). The attacker is also able to exploit possible holes in 'lpd' by creating malicious spool files, and s/he could execute commands with the UID of 'lp' by creating and rewriting filter scripts that are in /etc/printcap but aren't created.
   If the attacker could access the faxspool directory and user 'lp' owns the filter script, s/he has the ability to overwrite the script, which leads to a DoS attack.
   (hm, what would happen if the attacker links the spool file to /dev/null or /dev/zero?)
   solution: use the builtin shell command 'test', or better, recode the filter script in C/C++ or Perl using open(O_EXCL|O_CREAT) and use another spool directory; otherwise a local (maybe remote) DoS attack still exists
3. if the attacker is able to remotely set a username of his/her own choice, i.e. `echo "+ +" > ~lp/.rhosts`, by faking the network protocol of the HylaFAX system, s/he could gain remote access to the HylaFAX server...
   ... it's a bad idea to set a shell in /etc/passwd for the user 'lp'
I notified the auditing team of suse.de about these bugs... I hope they will release a patch as soon as possible.
Greets,
Thomas Biege
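A worked illustration of points 1 and 2 above and of the suggested open(O_EXCL|O_CREAT) fix, added here as an example that is not part of the original post nor of HylaFAX or S.u.S.E.'s filter script: the weak creation beside the hardened one, played out against a pre-existing link at the spool name. The function names, the throwaway directory under /tmp and the file names are assumptions made for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* for mkdtemp() and O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak creation, as the post describes: ">" in a shell filter follows a
 * symlink, overwrites whatever is there, and leaves the final mode to the
 * umask (0666 if the script never sets one). */
int create_spool_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened creation: O_EXCL fails with EEXIST if anything (file or link)
 * already exists at the name, O_NOFOLLOW refuses a symlink in the last
 * component, and the explicit 0600 keeps the file private whatever the umask. */
int create_spool_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plays out both cases in a throwaway spool directory (paths constructed for
 * this example). Returns a bitmask: 1 = weak open followed the link,
 * 2 = safe open refused it (EEXIST/ELOOP), 4 = fresh safe file is mode 0600. */
int run_scenario(void)
{
    char dir[] = "/tmp/faxspoolXXXXXX", link_path[64], fresh_path[64];
    struct stat st;
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/fax_victim.ps", dir);
    snprintf(fresh_path, sizeof fresh_path, "%s/fax_other.ps", dir);
    /* The pre-existing link from point 2 of the post, pointing at /dev/null */
    if (symlink("/dev/null", link_path) != 0) return -1;
    if ((fd = create_spool_weak(link_path)) >= 0) { result |= 1; close(fd); }
    if (create_spool_safe(link_path) < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;
    if ((fd = create_spool_safe(fresh_path)) >= 0) {
        if (fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0600) result |= 4;
        close(fd);
    }
    unlink(link_path); unlink(fresh_path); rmdir(dir);
    return result;  /* 7 when all three checks hold */
}
```

Calling run_scenario() from a main() returns 7 on a normal Linux system, showing that the weak open silently writes through the link while the hardened open refuses it; the separate spool directory the post recommends is still needed against a local user who can race the name itself.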