SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   teTeX
Vendors:   [Multiple Authors/Vendors]
teTex-dvips DVI-to-PostScript Translator May Let Remote Users Execute Commands on the Printer Server and Start a Worm
SecurityTracker Alert ID:  1002285
SecurityTracker URL:  http://securitytracker.com/id/1002285
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 27 2001
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in teTex-dvips, a DVI-to-PostScript translator. The security hole allows a remote user to execute commands and start a worm if the server running the printer daemon (lpd) is in a certain configuration.

It is reported that if the lpd printer daemon is configured to listen on 0.0.0.0 and no access controls are configured, a remote user can execute commands with the privileges of the lp user.

If the dvips -R (secure mode) command line switch is not used, then backtick commands embedded in \special{} or \psffile{} macros in the submitted job may be executed when dvips converts the DVI file to PostScript.

The following demonstration exploit transcript reportedly does not start a worm but does stall the printer:

cat >proof-of-concept.tex <<EOF
\special{psfile="`touch /tmp/lpowned"}
\end
EOF
tex proof-of-concept
lpr proof-of-concept.dvi

Impact:   A remote user can execute commands on the printer server with the privileges of the lp user.
Solution:   No vendor solution was available at the time of this entry. The author of the report suggested a workaround:

In the file /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi, make the following changes:

change from:

...
dvips -f $DVIPS_OPTIONS < $TMP_FILE
...

change to:

...
dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
...
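The mechanism and the workaround above both come down to one question for a print-server administrator: does any job in the spool carry a \special whose psfile value begins with a backtick? The following Python script is an added example, not part of the advisory or of teTeX: it walks a DVI file opcode by opcode using the opcode layout of Knuth's DVI format, extracts every \special payload, and flags the ones dvips would hand to the shell when run without -R. The build_dvi helper constructs a minimal DVI in memory purely so the scanner can be exercised offline; file names and the constructed comment string are placeholders.

```python
"""Scan a DVI file for \\special{} payloads that dvips, run without -R,
would treat as backtick commands.  Added example, not teTeX's own code."""
import re
import struct
import sys

# DVI opcodes (Knuth's DVI format, as documented in DVItype).
XXX1, XXX4 = 239, 242            # \special payloads: xxx1..xxx4
FNT_DEF1, FNT_DEF4 = 243, 246    # font definitions (variable length)
PRE, POST, POST_POST = 247, 248, 249

# Byte length of the arguments of every other defined opcode (0..238).
FIXED_ARG_LEN = {
    **{op: 0 for op in range(0, 128)},                   # set_char_0..127
    **{op: op - 127 for op in range(128, 132)},          # set1..set4
    132: 8,                                              # set_rule
    **{op: op - 132 for op in range(133, 137)},          # put1..put4
    137: 8, 138: 0,                                      # put_rule, nop
    139: 44, 140: 0, 141: 0, 142: 0,                     # bop (10 c[4] + p[4]), eop, push, pop
    **{op: op - 142 for op in range(143, 147)},          # right1..right4
    147: 0, **{op: op - 147 for op in range(148, 152)},  # w0, w1..w4
    152: 0, **{op: op - 152 for op in range(153, 157)},  # x0, x1..x4
    **{op: op - 156 for op in range(157, 161)},          # down1..down4
    161: 0, **{op: op - 161 for op in range(162, 166)},  # y0, y1..y4
    166: 0, **{op: op - 166 for op in range(167, 171)},  # z0, z1..z4
    **{op: 0 for op in range(171, 235)},                 # fnt_num_0..63
    **{op: op - 234 for op in range(235, 239)},          # fnt1..fnt4
}


def extract_specials(dvi: bytes) -> list:
    """Return the text of every \\special in the DVI byte string, in order."""
    specials, pos = [], 0
    while pos < len(dvi):
        op = dvi[pos]
        pos += 1
        if XXX1 <= op <= XXX4:
            n = op - XXX1 + 1                        # width of the length field
            k = int.from_bytes(dvi[pos:pos + n], "big")
            pos += n
            specials.append(dvi[pos:pos + k].decode("latin-1"))
            pos += k
        elif FNT_DEF1 <= op <= FNT_DEF4:
            pos += (op - FNT_DEF1 + 1) + 12          # font number, c, s, d
            a, l = dvi[pos], dvi[pos + 1]            # area and name lengths
            pos += 2 + a + l
        elif op == PRE:
            pos += 13                                # i, num, den, mag
            pos += 1 + dvi[pos]                      # k, then the k-byte comment
        elif op == POST:
            pos += 28                                # p, num, den, mag, l, u, s, t
        elif op == POST_POST:
            break                                    # only q, i and 223 padding follow
        elif op in FIXED_ARG_LEN:
            pos += FIXED_ARG_LEN[op]
        else:
            raise ValueError(f"undefined DVI opcode {op} at offset {pos - 1}")
    return specials


# dvips runs a psfile (or \psffile) value that starts with a backtick as a
# command unless -R (secure mode) is given; that is the pattern we flag.
BACKTICK_PSFILE = re.compile(r'psfile\s*=\s*"?\s*`', re.IGNORECASE)


def find_backtick_specials(dvi: bytes) -> list:
    """Return the \\special payloads that would trigger a backtick command."""
    return [s for s in extract_specials(dvi) if BACKTICK_PSFILE.search(s)]


def build_dvi(specials) -> bytes:
    """Build a minimal one-page DVI carrying the given specials.
    Constructed test input, only so the scanner can be run offline."""
    num, den, mag = 25400000, 473628672, 1000
    out = bytearray(bytes([PRE, 2]) + struct.pack(">III", num, den, mag))
    comment = b" constructed test file"
    out += bytes([len(comment)]) + comment
    bop_at = len(out)
    out += bytes([139]) + struct.pack(">10i", 1, *([0] * 9)) + struct.pack(">i", -1)
    for s in specials:
        payload = s.encode("latin-1")
        if len(payload) < 256:
            out += bytes([XXX1, len(payload)]) + payload
        else:
            out += bytes([XXX4]) + struct.pack(">I", len(payload)) + payload
    out += bytes([140])                                  # eop
    post_at = len(out)
    out += bytes([POST]) + struct.pack(">IIIIIIHH", bop_at, num, den, mag, 0, 0, 1, 1)
    out += bytes([POST_POST]) + struct.pack(">I", post_at) + bytes([2])
    out += b"\xdf" * (4 + (-len(out)) % 4)               # 223 padding to a 4-byte multiple
    return bytes(out)


def scan_file(path: str) -> list:
    """Scan a DVI file on disk (e.g. a spooled job) for backtick specials."""
    with open(path, "rb") as fh:
        return find_backtick_specials(fh.read())


if __name__ == "__main__":
    # With no path given, scan a constructed DVI carrying the advisory's special.
    if len(sys.argv) > 1:
        hits = scan_file(sys.argv[1])
    else:
        hits = find_backtick_specials(build_dvi(['psfile="`touch /tmp/lpowned"']))
    for h in hits:
        print("backtick command in \\special:", h)
    sys.exit(1 if hits else 0)
```

Run it as `python3 scan_dvi_specials.py job.dvi` against a spooled job (the script name is a placeholder); a non-zero exit means a psfile special with a leading backtick was found. The scan is a detection aid only: the fix is still to pass -R to dvips in the print filter, since the scanner sees the DVI but not what a later filter stage might do with it.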

Vendor URL:  www.tug.org/teTeX/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  tested on RedHat 7.0

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) teTex-dvips DVI-to-PostScript Translator May Let Remote Users Execute Commands on the Printer Server and Start a Worm
The vendor has released a fix.
(Mandrake Issues Fix) teTex-dvips DVI-to-PostScript Translator May Let Remote Users Execute Commands on the Printer Server and Start a Worm
The vendor has released a fix.



 Source Message Contents

Subject:  LPRng/rhs-printfilters - remote execution of commands


(posted to vendor security ppl, no reply, no patch, so posting here.)
--begin forwarded message--

RedHat 7.0 (possibly others)

If the lpd is listening on 0.0.0.0 and no access controls are in place, it
is possible to execute commands as the lp user, assuming tetex-dvips is
installed.

From man dvips
...
       -R     Run in secure mode. This  means  that  ``backtick''
              commands  from  a \special{} or \psffile{} macro in
              the  (La)TeX  source  like   \special{psfile="`zcat
              foo.ps.Z"}   or   \psffile[72  72  540  720]{"`zcat
              screendump.ps.gz"} are not executed.
...

Unless the -R option is passed, the attached file will, when converted to
a .dvi file (tex spool.tex), start a worm. A very primitive, proof of
concept worm, with no payload, but it does stall the printer.
(So don't run it without at least modifying it to do something else.)

/usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
...
dvips -f $DVIPS_OPTIONS < $TMP_FILE
...

change it to
...
dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
...

and it should be a little safer.

-- zen-parse

--end forwarded message--

I deleted the worm file before posting this to BugTraq. It's 2 lines of
bash, but not really the kind of thing that is helpful to post here.

-rw-r--r--    1 evil     evil          152 Aug 16 16:37 spool.tex

Instead, use this to test your machine.

cat >proof-of-concept.tex <<EOF
\special{psfile="`touch /tmp/lpowned"}
\end
EOF
tex proof-of-concept
lpr proof-of-concept.dvi

-- zen-parse
