Date: 13 May 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.15 AUSCERT Advisory
Solaris 2.x lp temporary files creation vulnerability
13 May 1997
Last Revised: --
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the lp
print service under Solaris 2.4, 2.5 and 2.5.1. Earlier versions of
Solaris may also be vulnerable.
This vulnerability may allow local users to gain lp privileges. This may be
leveraged to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
AUSCERT has received information that a vulnerability exists in the
Solaris 2.x lp print service. The lp print service is used to print
files on local and remote printers.
This problem is known to be present in the lp print service distributed
with Solaris 2.4, 2.5 and 2.5.1. Earlier versions of Solaris may also
be vulnerable.
Due to a problem with insecure file creation, it is possible to force
the lp print service to create, or overwrite arbitrary files with the
privileges of the lp user. This may be leveraged to gain root
privileges.
Exploit information involving this vulnerability has been made publicly
available.
2. Impact
Local users may create arbitrary files as the lp user. This may be
leveraged to gain root access.
3. Workarounds/Solution
AUSCERT recommends that sites prevent the exploitation of this
vulnerability in the lp print service by immediately applying the
workaround given in Section 3.1.
Currently there are no vendor patches available that address this
vulnerability. AUSCERT recommends that official vendor patches be
installed when they are made available.
3.1 Modify lp configuration
To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends applying the following steps:
1. su to root
2. Before continuing, all printing services must be stopped and the
printing queue emptied.
To reject any new jobs to the printing queue use the command:
# /usr/sbin/reject printer_queue
and wait until the printing queue is emptied.
To stop the print service use the command:
# /etc/init.d/lp stop
Print services stopped.
3. The file /etc/init.d/lp needs to be edited to set the umask for
this service to 022. Files created by lp printing service will
now inherit this umask and not be created as world writable.
Using your favorite editor, edit the file /etc/init.d/lp and
change the line
state=$1
to
umask 022
state=$1
4. The original log files may have been created with insecure
permission settings, therefore containing information that cannot
be trusted. Its best to rename or remove these files.
The files will be re-created by lp printing service with the
correct permissions after the printing service is re-started.
Before executing the following commands make sure that there are
no jobs pending on the queue.
# mv -i /var/lp/logs/lpNet /var/lp/logs/lpNet.previous
# mv -i /var/lp/logs/lpsched /var/lp/logs/lpsched.previous
# mv -i /var/lp/logs/requests /var/lp/logs/requests.previous
5. Change the default location of the temporary files to /var/lp/
# echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postio -
# echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postior -
6. Re-start printing services:
# /etc/init.d/lp start
Print services started.
7. If you used the command reject on step 2, use the following command
to allow printing queue to be re-enabled:
# /usr/sbin/accept printer_queue
- ---------------------------------------------------------------------------
AUSCERT thanks Sun Microsystems for their assistance in this matter.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM3nt+ih9+71yA2DNAQFslgP+IliYKNQHBIKn2hGHCC9oJ2+C5IypfE/R
qwtVinyo7xDCtdIMH09F9HkwPfJiIojGrIg8dBu+bB+mDggq40N6pr7c9yDdgTw4
rX9JMlpX5VgHZqSJrOtLUh5KBek51SiHNHttgfG7kI+udgIhAYTKpeNEPSo9KVrn
sOy57uNooRM=
=NiwL
-----END PGP SIGNATURE-----
|