Linux LPD vulnerability (The Quadruple Inverted Backflip vulnerability)

    The print process is controlled by a daemon called lpd. The Quadruple Inverted Backflip vulnerability could allow any remote user to gain access to the system with the privileges of the user
    bin. From that access it is often trivial to gain root. Thus a remote user could execute
    arbitrary code even on a properly configured print server.
    The problems being exploited here are four-fold.

    • LPD allows remote machines to print files without ever having been granted access to LPD, because LPD
    compares the reverse-resolved peer name of the accepted socket's address with the
    name returned by gethostname() on the machine and, if they are the same, grants access
    without any further check. Hence, if you are the master of your own reverse DNS, simply make your IP
    address reverse-resolve to the same hostname as the LPD server, and you have access to
    • LPD allows you to send as many data files to the printer spool directory as you want.
    These files can be binaries, text, or anything else.

    • LPD allows you to specify anything you want in the 'control file' (often named
    cfBLAHBLAHBLAHBLAH in /var/spool/lpd/<printer>/), even host names and other
    things that don't exist.

    • LPD allows you to specify an argument to /usr/sbin/sendmail and have it executed. This is done
    by specifying that LPD should send mail back to the print job owner when the print job is
    completed ('M' in the cf file). However, the sendmail argument in the LPD cf file
    doesn't have to be an email address; it can be a sendmail option, such as '-

    So we have the unfortunate result that one can send several data files to print, including a
    disguised sendmail configuration file, and then send a cf file along requesting that sendmail
    be invoked with the configuration file that was just sent over.
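    The two weak points that make the chain above work are the peer-trust check in the first bullet and the unchecked 'M' operand in the fourth. The following is an added example, not code from the original post or from lpd itself: it shows the reverse-DNS check as described beside a forward-confirmed version with an allow list, and a control-file validator that refuses to pass anything but a bare local user name to sendmail. The control file, the DNS tables and the host names are constructed for the example, and the resolver functions are injected so that it runs offline.

```python
"""Added example, not code from the original post or from lpd itself.

Two checks that close the holes described above: forward-confirmed
reverse DNS plus an explicit allow list for the peer (the weak check is
shown beside it), and a validator for the LPD control file that refuses
to let anything but a bare local user name reach sendmail through the
'M' line.  The control file and the DNS tables are constructed for the
example; resolver functions are injected so it runs offline.
"""
import re
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]  # address -> names, or name -> addresses

# Constructed control file in the RFC 1179 format: one-letter command, then
# operand.  The 'M' operand here is a sendmail option naming a spooled data
# file, exactly the shape the advisory warns about, not a user name.
SAMPLE_CONTROL_FILE = (
    "Hprintserver\n"
    "Pbob\n"
    "Jreport.txt\n"
    "fdfA001printserver\n"
    "UdfA001printserver\n"
    "M-C/var/spool/lpd/lp/dfA002printserver\n"
)

# Constructed DNS data (assumption): the attacker at 203.0.113.7 controls the
# reverse zone for its own address and points it at the server's name, but the
# forward record for that name still resolves only to the real server.
FAKE_REVERSE = {"203.0.113.7": ["printserver"], "192.0.2.10": ["printserver"]}
FAKE_FORWARD = {"printserver": ["192.0.2.10"]}

# What an 'M' operand is allowed to look like: a plain local user name, so it
# can never start with '-' or carry whitespace, '@' or shell metacharacters.
_LOCAL_USER = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def peer_trusted_weak(peer_addr: str, local_name: str, reverse: Resolver) -> bool:
    """The check the advisory describes: accept the peer if its reverse name
    equals our own host name.  Whoever controls the reverse zone for
    peer_addr decides the outcome."""
    names = reverse(peer_addr)
    return bool(names) and names[0] == local_name


def peer_trusted(peer_addr: str, allowed_hosts: List[str],
                 reverse: Resolver, forward: Resolver) -> bool:
    """Forward-confirmed reverse DNS plus an allow list (the role
    /etc/hosts.lpd plays): some reverse name of peer_addr must be in the
    allow list and must forward-resolve back to peer_addr."""
    allowed = {h.lower() for h in allowed_hosts}
    for name in reverse(peer_addr):
        if name.lower() in allowed and peer_addr in forward(name):
            return True
    return False


def parse_control_file(text: str) -> List[Tuple[str, str]]:
    """Split a control file into (command, operand) pairs, skipping blanks."""
    return [(line[0], line[1:]) for line in text.splitlines() if line]


def mail_target_is_safe(operand: str) -> bool:
    """True only if the 'M' operand is a bare local user name."""
    return _LOCAL_USER.match(operand) is not None


def control_file_problems(text: str, peer_name: str) -> List[str]:
    """Describe every control-file line that must not be acted on.  An empty
    list means the file is clean.  The 'H' line must name the verified
    peer, and the 'M' line must be a local user name."""
    problems = []
    for cmd, operand in parse_control_file(text):
        if cmd == "H" and operand.lower() != peer_name.lower():
            problems.append(f"H line {operand!r} does not match peer {peer_name!r}")
        elif cmd == "M" and not mail_target_is_safe(operand):
            problems.append(f"M line is not a local user name: {operand!r}")
    return problems


def demo() -> Dict[str, object]:
    """Run both checks against the constructed data."""
    rev: Resolver = lambda addr: FAKE_REVERSE.get(addr, [])
    fwd: Resolver = lambda name: FAKE_FORWARD.get(name, [])
    return {
        "weak_check_accepts_attacker": peer_trusted_weak("203.0.113.7", "printserver", rev),
        "fcrdns_accepts_attacker": peer_trusted("203.0.113.7", ["printserver"], rev, fwd),
        "fcrdns_accepts_real_client": peer_trusted("192.0.2.10", ["printserver"], rev, fwd),
        "control_file_problems": control_file_problems(SAMPLE_CONTROL_FILE, "printserver"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    With the constructed data the weak check accepts the attacker's address, the forward-confirmed check rejects it while still accepting the real client, and the validator flags the 'M' line because its operand begins with '-'. The forward-confirmation step is what matters: the attacker can say anything in a reverse zone they own, but cannot make the server's own forward record point at their address.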

    Systems affected and fix: Red Hat Linux 4.x, 5.x, and 6.x. If print service is not needed, disable
    lpd. Otherwise, the vulnerability can be fixed by applying the appropriate patch by downloading
    the fix
    Until the patch is in place, filtering TCP port 515 so that only known print clients can reach lpd limits who can exercise the trust check at all.