LPD Vulnerability Issues

The following is in regard to a posting by Mr. Oliver Friedrichs of Secure Networks, Inc., on the topic of "BSD LPD vulnerabilities." Regrettably, neither the original posting nor the company's web site is online. For those who have heard of BSD LPD security vulnerabilities, and who are using or considering RPM Remote Print Manager, please note the following points:

  1. RPM is not based on BSD LPD or any other source code; it is a completely fresh, new implementation of the LPD protocol. Certain known LPD vulnerabilities were taken into account during RPM's design and implementation.
  2. RPM was not named in the paper as a program with security problems, nor should it be. Nonetheless, we would like to take this opportunity to point out RPM's security features.

The article mentions several problems, which are addressed in order.

Problem 1: File creation

Individuals with access to the line printer daemon from a privileged port on a valid print client can tell LPD to create a file, provided that the name of the file, including directory names, is no longer than 5 characters.

RPM's solution

RPM creates a data file using its own internally assigned sequence number, not the name specified by the remote host.

Problem 2: File deletion

Individuals with access to the line printer daemon from a privileged port on a valid print client can tell LPD to remove any file on the system.

RPM's solution

RPM implements nearly all the commands specified in RFC 1179, but not the "U" (unlink data file) command. Because RPM provides the ability to hold and manually release jobs, RPM itself removes the files sent by the remote host when the job is complete, which may be some time after the job was originally sent.

Problem 3: Remote execution

Individuals with access to the line printer daemon from a privileged port on a valid print client can execute commands remotely as the user that LPD runs as. This vulnerability can allow interactive shell access to the remote system.

A privileged port on a valid client system is required to exploit all of these vulnerabilities. A privileged port can be obtained on many operating systems by utilizing another vulnerability present in the file transfer protocol daemon (ftpd). This vulnerability is commonly known as the "FTP bounce" attack, and allows data to be sent to any internet address and port originating from the FTP data port (20).

RPM's solution

RPM does not execute commands specified by remote systems, or commands embedded in data files. Any command that RPM may execute is under full control of the PC user, not the remote user.
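The three mitigations described above (server-assigned data file names, no "U" command, nothing executed from client input) can be illustrated with a short sketch. This is an added example, not RPM's code: the SpoolJob class, the .dat naming scheme and the sample input are assumptions made for illustration, and only the RFC 1179 receive-data-file subcommand and the "f", "l" and "U" control file lines are handled.

```python
import itertools
import os
import tempfile

class SpoolJob:
    """One received job; every on-disk name is chosen by the server."""
    _seq = itertools.count(1)            # server-assigned sequence numbers

    def __init__(self, spool_dir):
        self.spool_dir = spool_dir
        self.files = {}                  # client-supplied name -> server path
        self.to_print = []               # server paths queued for printing
        self.ignored = []                # control lines not acted on

    def receive_data_file(self, subcommand, payload):
        # Receive-data-file subcommand: 0x03 <count> SP <name> LF
        if subcommand[:1] != b"\x03" or not subcommand.endswith(b"\n"):
            raise ValueError("not a receive-data-file subcommand")
        count, _, name = subcommand[1:-1].partition(b" ")
        if int(count) != len(payload):
            raise ValueError("byte count does not match payload")
        # The client's name is only a lookup key; it never reaches the filesystem.
        path = os.path.join(self.spool_dir, f"{next(self._seq):08d}.dat")
        with open(path, "xb") as fh:     # "x": fail rather than overwrite
            fh.write(payload)
        self.files[name.decode("ascii", "replace")] = path
        return path

    def apply_control_file(self, control):
        for line in control.decode("ascii", "replace").splitlines():
            cmd, arg = line[:1], line[1:]
            if cmd in ("f", "l"):        # print requests
                if arg in self.files:    # only files received in this job
                    self.to_print.append(self.files[arg])
                else:
                    self.ignored.append(line)
            elif cmd == "U":             # unlink request: recorded, never executed
                self.ignored.append(line)
            # H, P, J, N and similar lines are metadata; nothing is executed

def demo():
    # Constructed sample input, not captured traffic.
    with tempfile.TemporaryDirectory() as spool:
        job = SpoolJob(spool)
        path = job.receive_data_file(b"\x035 ../x\n", b"hello")
        job.apply_control_file(b"Hclient\nPalice\nf../x\nU/any/other/file\n")
        in_spool = os.path.dirname(path) == spool and os.path.isfile(path)
        return in_spool, job.to_print == [path], job.ignored

if __name__ == "__main__":
    print(demo())
```

Deleting spooled files stays a server-side decision made after the job completes, so a held job keeps its data until it is released and printed.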

Other security issues

  1. RPM can restrict access to hosts and groups of hosts, similar to the hosts.lpd found on some UNIX systems.
  2. RPM can log print jobs by user name and host, providing a record of access to the system.

If you would like to discuss any security issues at all, or any other networking issues, please contact technical support.

