AA-96.12 -- lpr buffer overrun vulnerability
Date:
03 April 1998
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.12                        AUSCERT Advisory
                        lpr buffer overrun vulnerability
                                26 November 1996

Last Revised: 3 April 1998
Added vendor information for Silicon Graphics Inc.

A complete revision history is at the end of this file.
- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the BSD
based printing software, lpr, available on a variety of Unix platforms.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
- ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the BSD
    based lpr printing package found on many Unix systems.

    Due to insufficient bounds checking on arguments which are supplied by
    users, it is possible to overwrite the internal stack space of the lpr
    program while it is executing.  This can allow an intruder to cause lpr
    to execute arbitrary commands by supplying a carefully designed argument
    to lpr.

    These commands will be run with the privileges of the lpr program.  When
    lpr is installed setuid or setgid, it may allow intruders to gain those
    privileges.  When lpr is setuid root it may allow intruders to run
    arbitrary commands with root privileges.

    This vulnerability is currently known to affect versions of lpr
    distributed with:

        BSD/OS
        FreeBSD 2.x
        Linux
        NeXT
        SGI IRIX
        Sun Microsystems (SunOS 4.1.3_U1 and SunOS 4.1.4)

    More details may be found in Section 3.1.

    Other platforms using the BSD based lpr systems, in which lpr is
    installed setuid or setgid, may also be vulnerable.  This advisory will
    be updated as more information becomes available.
    Note that the vulnerability described in this advisory is not present
    in the LPRng printing package.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    The lpr printing package is available on many different systems.  As
    vendor patches are made available sites are encouraged to install them
    (Section 3.1).  Until vendor patches are available, AUSCERT recommends
    that sites apply the workaround given in Section 3.2.

3.1 Install vendor patches

    Specific vendor information has been placed in Appendix A.  If the BSD
    based lpr printing software is used and your vendor is not listed in
    Appendix A, AUSCERT recommends that sites contact vendors directly for
    more information.  If vendor patches are not currently available,
    vulnerable sites are encouraged to apply the workaround given in
    Section 3.2.

3.2 Install wrapper

    AUSCERT has developed a wrapper to help prevent programs from being
    exploited using the vulnerability described in this advisory.
    Information on how to obtain and install the wrapper is described in
    Section 3.2.1.

    AUSCERT recommends that until vendor patches can be installed, sites
    apply this workaround.

3.2.1 Installing the wrapper

    The source for the wrapper, including installation instructions, can be
    found at:

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

    This wrapper replaces the lpr program and checks the length of the
    command line arguments which are passed to it.  If an argument exceeds a
    certain predefined value (MAXARGLEN), the wrapper exits without
    executing the lpr command.  The wrapper program can also be configured
    to syslog any failed attempts to execute lpr with arguments exceeding
    MAXARGLEN.  For further instructions on using this wrapper, please read
    the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with lpr, AUSCERT recommends
    defining MAXARGLEN to be 32.
    The MD5 checksum for the current version of overflow_wrapper.c can be
    retrieved from:

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM

    The CHECKSUM file has been digitally signed using the AUSCERT PGP key.

...........................................................................
Appendix A      Vendor information

The following information regarding this vulnerability for specific vendor
versions of lpr has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.

BSD/OS
- ------

    BSD/OS 3.0 is not vulnerable to the problem.

    BSDI have issued a patch which addresses this vulnerability under
    BSD/OS 2.1.  This patch is available from:

        ftp://ftp.bsdi.com/pub/bsdi/patches/patches-2.1/U210-028

Digital Equipment Corporation
- -----------------------------

    Digital Equipment Corporation
    Software Security Response Team
    Copyright (c) Digital Equipment Corporation 1997.  All rights reserved.

    This reported problem is not present for Digital's ULTRIX or Digital
    UNIX Operating Systems Software.

    - DIGITAL EQUIPMENT CORPORATION 06/19/97

FreeBSD
- -------

    The FreeBSD security team have released an advisory describing this
    vulnerability and patch information for FreeBSD 2.x.  This advisory
    (SA-96.18) is available from:

        ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:18.lpr.asc

    Patches can be found in the directory:

        ftp://freebsd.org/pub/CERT/patches/SA-96:18

IBM Corporation
- ---------------

    AIX is not vulnerable to the lpr buffer overflow.  The version of lpr
    shipped with AIX is not installed with the setuid bit turned on.

    IBM and AIX are registered trademarks of International Business
    Machines Corporation.

Linux
- -----

    The Linux Emergency Response Team have released a Linux Security FAQ
    Update which addresses this vulnerability.  This Update contains
    information regarding various Linux distributions.
    It is available from:

        ftp://bach.cis.temple.edu/pub/Linux/Security/FAQ/updates/Update-11-25-1996.vulnerability-lpr-0.06-v1.2

NeXT
- ----

    The NeXT group has addressed the vulnerability described in this
    advisory in release 4.2 of OpenStep/Mach.

Silicon Graphics Inc.
- --------------------

    Silicon Graphics Inc. has released a security advisory addressing this
    vulnerability including patch information.  The original release of
    this advisory can be retrieved from:

        ftp://sgigate.sgi.com/security/19980402-01-PX

Sun Microsystems, Inc.
- ---------------------

    All versions of Solaris are not affected.

    SunOS 4.1.3_U1 and SunOS 4.1.4 are vulnerable.  Sun recommends that
    sites using SunOS 4.1.3_U1 and SunOS 4.1.4 apply the workaround
    provided

The Santa Cruz Operation, Inc. (SCO)
- ------------------------------------

    SCO has determined that the following SCO operating systems are not
    vulnerable:

        - SCO CMW+ 3.0
        - SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4
        - SCO OpenServer 5.0
        - SCO UnixWare 2.1

...........................................................................
- ---------------------------------------------------------------------------
AUSCERT thanks Alexander O. Yuriev, the FreeBSD security team, IBM, and the
CERT/CC for their assistance in the production of this advisory.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                Brisbane Qld.  4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

3 April 1998    Added vendor information as Silicon Graphics Inc. has
                released a security bulletin addressing this vulnerability.

26 Jun 1996     Updated vendor information for Berkeley Software Design,
                Inc. (BSDI).  Added vendor information for Digital
                Equipment Corporation, The Santa Cruz Operation (SCO) and
                Sun Microsystems.  This has been appended in Appendix A.

19 Jun 1997     Added vendor information for NeXT.  Replaced Appendix B by
                Section 3.2.1 which includes information on how to obtain
                the latest version of the overflow_wrapper program.

26 Nov 1996     Minor change to comments in lpr_wrapper program.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNSS5Sih9+71yA2DNAQGnEAP9EGcYcPo62M644EzqpZKD1JKjVpeZshBd
z/iRs4+aSDKedEOG5BRNh4EsAdm7ytvWlEE2qG56CqQKTNTq1jI6cYSi0v19e8ZM
KqTkE6f2vK/5b+bQUPNpIcLPxMP9WKlX8eV63Nqb5MyjbuQJdQoI/3gX/tHmcjng
igeoXa7lfTU=
=MNj2
-----END PGP SIGNATURE-----
http://www.auscert.org.au/render.html?cid=1&it=1865