LPRng Vulnerability

Updated 8/29/01
CVE 2000-0917

Impact

A remote attacker could exploit a vulnerable LPRng installation to execute arbitrary code on the server. Internet worms have also been known to exploit vulnerabilities in LPRng to further their propagation.

Background

Printing is controlled by a process called lpd. The lpd process is a UNIX daemon that accepts print requests from local and remote users. LPRng is a popular implementation of lpd that provides enhancements and is enabled by default on several open-source operating systems.

LPRng can include a number of optional files called print filters, which give the print service instructions for processing specific document types. One such filter processes Device Independent (DVI) files. The DVI print filter uses the dvips utility (part of the teTeX package) to convert DVI documents to PostScript.

The Problem

There are two problems in LPRng that could allow a remote attacker to gain unauthorized access to the system. The first is a format string bug: certain calls to the syslog function omit the format string argument, so user-supplied data is interpreted as the format string. This bug could allow a remote attacker to cause a segmentation fault and crash the print service; furthermore, arbitrary code injected into the print service's memory space by other means could be executed. Versions of LPRng prior to 3.6.25 are affected by this vulnerability.

8/29/01: The second problem is not a vulnerability in LPRng itself but is caused by an insecure configuration of the DVI print filter. If the print filter invokes the dvips program without the appropriate security option, a remote attacker could execute arbitrary commands by embedding them in a DVI document that is sent to the print service. This vulnerability can only be exploited if all of the following conditions hold:

  1. The DVI print filter is present. (It is usually called dvi-to-ps.fpi.)
  2. The dvips utility is present.
  3. The DVI print filter calls the dvips utility without the -R option. (The -R option prevents execution of embedded commands.)

Red Hat 7.0, and possibly other operating systems, is affected by this vulnerability in its default configuration.

Resolution

If the print service is not needed, disable lpd. Otherwise, the format string vulnerability can be fixed by upgrading to the latest version of LPRng. The insecure configuration of the DVI print filter can be fixed by changing the line

    dvips -f $DVIPS_OPTIONS < $TMP_FILE

to

    dvips -R -f $DVIPS_OPTIONS < $TMP_FILE

in the file dvi-to-ps.fpi. On Red Hat Linux systems this file is located in the /usr/lib/rhs/rhs-printfilters directory; it may be located elsewhere on other systems.
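As an added audit helper (not part of this advisory, of LPRng or of Red Hat's filter scripts), the following POSIX shell function scans a print-filter script for dvips invocations that lack the -R option, and is run here against two constructed excerpts of dvi-to-ps.fpi, one before and one after the fix described above:

```shell
#!/bin/sh
# audit_dvips_filter FILE
# Reports each non-comment line of a print-filter script that runs dvips
# without -R as its own word. Returns 1 if any such line exists, 0 if the
# filter is clean, 2 if the file cannot be read.
audit_dvips_filter() {
    file="$1"
    [ -r "$file" ] || { echo "audit: cannot read $file" >&2; return 2; }
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # strip leading whitespace so commented-out lines can be skipped
        trimmed=${line#"${line%%[![:space:]]*}"}
        case "$trimmed" in
            \#*) continue ;;
        esac
        case "$line" in
            *dvips*) ;;
            *) continue ;;
        esac
        # -R must appear as a separate word (pad with spaces for matching)
        case " $line " in
            *[[:space:]]-R[[:space:]]*) ;;
            *) echo "$file:$n: dvips invoked without -R: $trimmed"; found=1 ;;
        esac
    done < "$file"
    return $found
}

# Constructed sample filters (not the real Red Hat dvi-to-ps.fpi).
demo_dir=$(mktemp -d)
cat > "$demo_dir/vulnerable.fpi" <<'EOF'
#!/bin/sh
# dvi-to-ps.fpi, constructed excerpt of the insecure configuration
dvips -f $DVIPS_OPTIONS < $TMP_FILE
EOF
cat > "$demo_dir/fixed.fpi" <<'EOF'
#!/bin/sh
# dvi-to-ps.fpi, constructed excerpt after applying the advisory's fix
# dvips -f $DVIPS_OPTIONS < $TMP_FILE
dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
EOF

audit_dvips_filter "$demo_dir/vulnerable.fpi" || echo "-> needs the -R fix"
audit_dvips_filter "$demo_dir/fixed.fpi" && echo "-> fixed.fpi is clean"
```

The check reads only the literal script text, so a -R passed at run time through $DVIPS_OPTIONS is not credited; review the effective command line if a filter builds its dvips options dynamically.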

Where can I read more about this?

More information on the format string vulnerability is available in CERT Advisory 2000-22. The configuration problem in the DVI print filter was posted to Bugtraq.