AA-96.12 -- lpr buffer overrun vulnerability
Date: 03 April 1998
Original URL: http://www.auscert.org.au/render.html?cid=1&it=1865

===========================================================================
AA-96.12                        AUSCERT Advisory
                        lpr buffer overrun vulnerability
                                26 November 1996

Last Revised: 3 April 1998 

	      Added vendor information for Silicon Graphics Inc.

	      A complete revision history is at the end of this file.
---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the BSD
based printing software, lpr, available on a variety of Unix platforms.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made 
publicly available.

AUSCERT recommends that sites take the steps outlined in section 3
as soon as possible.
---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    BSD based lpr printing package found on many Unix systems.  

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    lpr program while it is executing.  This can allow an intruder to
    cause lpr to execute arbitrary commands by supplying a carefully
    designed argument to lpr.  These commands will be run with the
    privileges of the lpr program.  When lpr is installed setuid or setgid,
    it may allow intruders to gain those privileges.

    When lpr is setuid root it may allow intruders to run arbitrary
    commands with root privileges.

    This vulnerability is currently known to affect versions of lpr
    distributed with:

	BSD/OS
	FreeBSD 2.x
	Linux
	NeXT
	SGI IRIX
	Sun Microsystems (SunOS 4.1.3_U1 and SunOS 4.1.4)

    More details may be found in Section 3.1.  Other platforms using the
    BSD based lpr systems, in which lpr is installed setuid or setgid,
    may also be vulnerable.

    This advisory will be updated as more information becomes available.

    Note that the vulnerability described in this advisory is not present
    in the LPRng printing package.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    The lpr printing package is available on many different systems.
    As vendor patches are made available sites are encouraged to
    install them (Section 3.1).  Until vendor patches are available, AUSCERT
    recommends that sites apply the workaround given in Section 3.2.

3.1 Install vendor patches

    Specific vendor information has been placed in Appendix A.  If the
    BSD based lpr printing software is used and your vendor is not listed
    in Appendix A, AUSCERT recommends that sites contact vendors directly
    for more information.

    If vendor patches are not currently available, vulnerable sites are 
    encouraged to apply the workaround given in Section 3.2.

3.2 Install wrapper

    AUSCERT has developed a wrapper to help prevent programs from being
    exploited using the vulnerability described in this advisory.
    Information on how to obtain and install the wrapper is described in
    Section 3.2.1.

    AUSCERT recommends that until vendor patches can be installed, sites
    apply this workaround.

3.2.1 Installing the wrapper

    The source for the wrapper, including installation instructions, can
    be found at:

	ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

    This wrapper replaces the lpr program and checks the length of the
    command line arguments which are passed to it.  If an argument exceeds
    a certain predefined value (MAXARGLEN), the wrapper exits without
    executing the lpr command.  The wrapper program can also be configured
    to syslog any failed attempts to execute lpr with arguments exceeding
    MAXARGLEN.  For further instructions on using this wrapper, please
    read the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with lpr, AUSCERT
    recommends defining MAXARGLEN to be 32.
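    As an added illustration (not AUSCERT's overflow_wrapper.c), the following
    is a minimal wrapper of the kind Section 3.2.1 describes: it measures every
    command line argument before the real lpr is executed, refuses and syslogs
    when one exceeds MAXARGLEN (32, as recommended above), and otherwise execs
    the real program.  The path REAL_LPR and the log identifier lpr_wrapper are
    assumptions; the wrapper, not the renamed lpr, would carry the setuid bit.

```c
/* Added example, not AUSCERT's overflow_wrapper.c: a minimal argument-length
 * wrapper of the kind Section 3.2.1 describes.  Installed under the name lpr,
 * it refuses to run the real binary if any argument exceeds MAXARGLEN and
 * records the refusal via syslog.  REAL_LPR is an assumed path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#ifndef MAXARGLEN
#define MAXARGLEN 32                 /* value the advisory recommends for lpr */
#endif
#ifndef REAL_LPR
#define REAL_LPR "/usr/lib/lpr.real" /* assumed location of the renamed lpr */
#endif

/* Return the index of the first argument longer than limit bytes, or -1 if
 * all of them fit.  argv[0] is checked too, since a caller can set it to an
 * arbitrary string via execve.  Only lengths are measured; nothing is copied
 * into a fixed-size buffer, so the check itself cannot overflow. */
int first_oversized_arg(int argc, char *const argv[], size_t limit)
{
    for (int i = 0; i < argc; i++) {
        if (strlen(argv[i]) > limit)
            return i;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad != -1) {
        /* Log the attempt without echoing the oversized argument itself. */
        openlog("lpr_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "refused: argument %d longer than %d bytes (uid %u)",
               bad, MAXARGLEN, (unsigned)getuid());
        closelog();
        return EXIT_FAILURE;
    }
    /* Every argument is within bounds: hand over to the real lpr. */
    execv(REAL_LPR, argv);
    perror("execv");                 /* reached only if the real lpr cannot run */
    return EXIT_FAILURE;
}
```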

    The MD5 checksum for the current version of overflow_wrapper.c can be
    retrieved from:

       ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM

    The CHECKSUM file has been digitally signed using the AUSCERT PGP key.

...........................................................................
Appendix A  Vendor information

The following information regarding this vulnerability for specific vendor
versions of lpr has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.

BSD/OS
------
BSD/OS 3.0 is not vulnerable to the problem.

BSDI have issued a patch which addresses this vulnerability under
BSD/OS 2.1.  This patch is available from:

	ftp://ftp.bsdi.com/pub/bsdi/patches/patches-2.1/U210-028

Digital Equipment Corporation
-----------------------------
   Digital Equipment Corporation
   Software Security Response Team
   Copyright (c) Digital Equipment Corporation 1997. All rights reserved.

   This reported problem is not present for Digital's ULTRIX or
   Digital UNIX Operating Systems Software.

			     - DIGITAL EQUIPMENT CORPORATION  06/19/97

FreeBSD 
-------

The FreeBSD security team have released an advisory describing this
vulnerability and patch information for FreeBSD 2.x.  This advisory
(SA-96.18) is available from:

	ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:18.lpr.asc

Patches can be found in the directory:

        ftp://freebsd.org/pub/CERT/patches/SA-96:18

IBM Corporation
---------------

  AIX is not vulnerable to the lpr buffer overflow.  The version of lpr
  shipped with AIX is not installed with the setuid bit turned on.


  IBM and AIX are registered trademarks of International Business Machines
  Corporation.

Linux
-----

The Linux Emergency Response Team have released a Linux Security FAQ Update
which addresses this vulnerability.  This Update contains information
regarding various Linux distributions.  It is available from:

        ftp://bach.cis.temple.edu/pub/Linux/Security/FAQ/updates/Update-11-25-1996.vulnerability-lpr-0.06-v1.2

NeXT
----

The NeXT group has addressed the vulnerability described in this advisory
in release 4.2 of OpenStep/Mach.

Silicon Graphics Inc.
--------------------

Silicon Graphics Inc. has released a security advisory addressing this
vulnerability including patch information. The original release of this
advisory can be retrieved from:

	ftp://sgigate.sgi.com/security/19980402-01-PX

Sun Microsystems, Inc.
---------------------
   No version of Solaris is affected. SunOS 4.1.3_U1 and SunOS 4.1.4
   are vulnerable. Sun recommends that sites using SunOS 4.1.3_U1 and SunOS
   4.1.4 apply the workaround provided.

The Santa Cruz Operation, Inc. (SCO)
------------------------------------
   SCO has determined that the following SCO operating systems
   are not vulnerable:
       
   - SCO CMW+ 3.0
   - SCO Open Desktop/Open Server 3.0, SCO UNIX 3.2v4
   - SCO OpenServer 5.0
   - SCO UnixWare 2.1

...........................................................................

---------------------------------------------------------------------------
AUSCERT thanks Alexander O. Yuriev, the FreeBSD security team, IBM, and the
CERT/CC for their assistance in the production of this advisory.
---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

3 April 1998	Added vendor information as Silicon Graphics Inc. has
		released a security bulletin addressing this
		vulnerability.

26 Jun 1996     Updated vendor information for Berkeley Software
		Design, Inc. (BSDI).  Added vendor information for Digital
		Equipment Corporation, The Santa Cruz Operation (SCO) and
		Sun Microsystems.  This has been appended in Appendix A.

19 Jun 1997	Added vendor information for NeXT.
		Replaced Appendix B by Section 3.2.1 which includes
		information on how to obtain the latest version of the
		overflow_wrapper program.

26 Nov 1996     Minor change to comments in lpr_wrapper program.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
