Date: 02 July 2001
References: ESB-2001.374 ESB-2001.397 ESB-2001.461
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.268 -- CERT Advisory CA-2001-15
Buffer Overflow In Sun Solaris in.lpd Print Daemon
2 July 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:                in.lpd Print Daemon
Vendor:                 Sun Microsystems
Operating System:       Solaris 2.6
                        Solaris 7
                        Solaris 8
Platform:               i386
                        Sparc
Impact:                 Root Compromise
                        Denial of Service
Access Required:        Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-15 Buffer Overflow In Sun Solaris in.lpd Print Daemon
Original release date: June 29, 2001
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.

Systems Affected

  * Solaris 2.6 for SPARC
  * Solaris 2.6 x86
  * Solaris 7 for SPARC
  * Solaris 7 x86
  * Solaris 8 for SPARC
  * Solaris 8 x86

Overview

A buffer overflow exists in the Solaris BSD-style line printer daemon,
in.lpd, that may allow a remote intruder to execute arbitrary code
with the privileges of the running daemon. This daemon runs with root
privileges on all default installations of vulnerable Solaris systems
listed above.

I. Description

The Solaris in.lpd provides BSD-style services for remote users to
interact with a local printer, listening for remote requests on port
515/tcp (printer). There is an unchecked buffer in the part of the
code responsible for transferring print jobs from one machine to
another. If given too many jobs to work on at once, the printer daemon
may crash or allow arbitrary code to be executed with elevated
privileges on the victim system.

This problem was discovered by the ISS X-Force, who have released an
advisory:

http://xforce.iss.net/alerts/advise80.php

The CERT/CC is releasing this advisory before patches are available to
alert a broader community of users to this serious problem. Sun has
suggested several steps system administrators can take in order to
mitigate the risk this vulnerability represents.

Sun recommends several workarounds which may be applied to
vulnerable systems until production patches are available. These are
enumerated in the "III. Solution" section of this document.

Although the CERT/CC has not received any reports of this
vulnerability being successfully exploited, we do strongly encourage
all affected system administrators to take one or more of the
recommended actions in "III. Solution." Such actions have proven
effective at minimizing the likelihood of being successfully attacked
using vulnerabilities similar to this one.

II. Impact

A remote intruder may be able to execute arbitrary code with the
privileges of the running daemon (typically root). In addition, a
remote intruder may be able to crash vulnerable printer daemons.

III. Solution

Implement a workaround

A number of different workaround strategies have been suggested for
dealing with this problem until patches become available:

  * Disable the print service in /etc/inetd.conf if remote print job
    handling is unnecessary; see the ISS X-Force advisory for
    step-by-step details if needed
  * Enable the noexec_user_stack tunable (although this does not
    provide 100 percent protection against exploitation of this
    vulnerability, it makes the likelihood of a successful exploit
    much smaller). Add the following lines to the /etc/system file and
    reboot:

      set noexec_user_stack = 1
      set noexec_user_stack_log = 1

  * Block access to network port 515/tcp (printer) at all appropriate
    network perimeters
  * Deploy tcpwrappers, also available in the tcpd-7.6 package at:
    http://www.sun.com/solaris/freeware.html#cd
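
The two host-level workarounds above (the inetd.conf entry and the
/etc/system tunables) can be checked from the configuration files. The
script below is an added example, not part of the CERT or Sun text; its
function names and sample file contents are constructed for illustration,
and it assumes a POSIX sh and awk, so it can be run against copies of the
two files.

```shell
#!/bin/sh
# Added example: report which of the advisory's two host-level workarounds
# are present in (copies of) /etc/inetd.conf and /etc/system.

# printer_service_enabled FILE -> 0 if an uncommented inetd entry has the
# service name "printer" (515/tcp); "#printer ..." lines do not match.
printer_service_enabled() {
    awk '$1 == "printer" { on = 1 } END { exit on ? 0 : 1 }' "$1"
}

# system_tunable_set FILE NAME -> 0 if an active "set NAME = 1" line exists.
# Lines whose first field starts with "*" are /etc/system comments.
system_tunable_set() {
    awk -v want="set$2=1" '
        $1 ~ /^\*/ { next }
        { line = ""; for (i = 1; i <= NF; i++) line = line $i  # join fields
          if (line == want) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# audit_lpd_workarounds INETD_CONF SYSTEM_FILE
# Prints one line per workaround and returns how many are not applied.
# This checks the files only; /etc/system changes take effect after a reboot.
audit_lpd_workarounds() {
    missing=0
    if printer_service_enabled "$1"; then
        echo "not applied: printer service still enabled in $1"
        missing=$((missing + 1))
    else
        echo "applied:     printer service disabled in $1"
    fi
    if system_tunable_set "$2" noexec_user_stack &&
       system_tunable_set "$2" noexec_user_stack_log; then
        echo "applied:     noexec_user_stack settings present in $2"
    else
        echo "not applied: noexec_user_stack settings missing in $2"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample files (not taken from a real host).
demo_dir=${TMPDIR:-/tmp}/lpd_audit.$$
mkdir -p "$demo_dir" && trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd' \
    > "$demo_dir/inetd.conf"
printf '%s\n' '* stack protection' 'set noexec_user_stack = 1' \
    'set noexec_user_stack_log = 1' > "$demo_dir/system"
audit_lpd_workarounds "$demo_dir/inetd.conf" "$demo_dir/system" || true
```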

Apply patches when available

Sun is working on patches; they are not yet available. When ready,
they will be part of the jumbo lp patch set to be released in July
identified by the following ids:

  * 106235-xx SunOS 5.6 for sparc
  * 106236-xx SunOS 5.6 for x86
  * 107115-xx SunOS 5.7 for sparc
  * 107116-xx SunOS 5.7 for x86
  * 109320-xx SunOS 5.8 for sparc
  * 109321-xx SunOS 5.8 for x86

Note that the currently-available jumbo lp patches do not fix this
vulnerability. The in.lpd daemon was not shipped by Sun prior to
Solaris 2.6.

Appendix B. - References
1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0353
2. https://www.kb.cert.org/vuls/484011
3. http://xforce.iss.net/alerts/advise80.php
4. http://www.securityfocus.com/bid/2894
5. http://www.sun.com/security
6. http://www.sunfreeware.com/notes.html#tcp_wrappers
7. http://www.sun.com/solaris/freeware.html#cd
8. http://www.sun.com/software/solutions/blueprints/0601/jass_quick_start-v03.html
_________________________________________________________________
The CERT Coordination Center thanks Sun Microsystems for contributing
to the creation of this advisory.
_________________________________________________________________
This document was written by Jeffrey S. Havrilla. If you have feedback
concerning this document, please send email to:
mailto:cert@cert.org?Subject=[VU#484011]%20Feedback%20CA-2001-15
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-15.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Revision History
June 29, 2001: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----