HP-UX rlpdaemon Vulnerability

A number of vulnerabilities exist in Hewlett Packard's rlpdaemon under HP-UX 9.x and 10.x. These vulnerabilities may allow a remote attacker to access the system under the lp user account, as well as to execute arbitrary commands remotely, also as user lp.

There are three vulnerabilities (culled from RSI Advisory RSI.0006.06-25-98.HP-UX.RLPDAEMON):

#1: The argument in the Unlink Data File section of the control file gets passed to /bin/rm by a system() call. This argument should normally be a filename. However, a semi-colon and an arbitrary command can be appended, which allows commands to be executed as user lp.

#2: When the client passes a file to the rlpdaemon, no sanity checks are performed to ensure the validity of the filename. This allows a remote attacker to send any file s/he wants and have it stored in the user lp's home directory.

#3: The rlpdaemon will allow remote connections from any source port. This violates the lpd behavior recommended in RFC 1179, which explicitly states that only source ports 721-731 should be allowed to access the daemon.
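
The three checks the daemon lacks, sketched in C as an added example (this is not HP's code or the advisory's). The function names are hypothetical, the name format follows the RFC 1179 "dfA"/"cfA" + three-digit job number + host name convention, and the spool directory is assumed to be the current working directory.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>

/* Issue #3: accept only the RFC 1179 source-port range the page cites. */
int lpd_source_port_ok(unsigned int port)
{
    return port >= 721 && port <= 731;
}

/* Issues #1 and #2: accept only RFC 1179 style spool names, that is
 * "dfA" or "cfA", a three digit job number, then a host name made of
 * letters, digits, '.', '-' or '_'. Path separators, "..", whitespace
 * and shell metacharacters such as ';' are all rejected. */
int lpd_spool_name_ok(const char *name)
{
    size_t i, len = strlen(name);

    if (len < 7 || len > 255)
        return 0;
    if ((name[0] != 'd' && name[0] != 'c') || name[1] != 'f' || name[2] != 'A')
        return 0;
    for (i = 3; i < 6; i++)
        if (!isdigit((unsigned char)name[i]))
            return 0;
    if (!isalnum((unsigned char)name[6]))   /* host name starts alphanumeric */
        return 0;
    for (i = 7; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != '_')
            return 0;
    }
    return strstr(name, "..") == NULL;
}

/* Issue #1: handle the Unlink Data File line without a shell. The name is
 * validated, must be a data file ("df..."), and goes straight to unlink(2),
 * so nothing in it is ever parsed as a command.
 * Returns 0 on success, -1 if the name is rejected or unlink fails. */
int lpd_unlink_data_file(const char *name)
{
    if (!lpd_spool_name_ok(name) || name[0] != 'd')
        return -1;
    return unlink(name);
}
```

The same lpd_spool_name_ok() check applies before opening a received file for writing, so a client-supplied name can never leave the spool directory.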


 

Copyright 2010, SecurityFocus