copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » ESB-2003.0246 -- NSFOCUS Security Advisory(SA2003-02...
 

ESB-2003.0246 -- NSFOCUS Security Advisory(SA2003-02) -- Solaris lpq Stack Buffer Overflow Vulnerability
Date: 03 April 2003

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2003.0246 -- NSFOCUS Security Advisory(SA2003-02)
              Solaris lpq Stack Buffer Overflow Vulnerability
                               03 April 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                lpq
Vendor:                 Sun Microsystems
Operating System:       Sun Solaris 7
                        Sun Solaris 2.6
                        Sun Solaris 2.5.1
Impact:                 Root Compromise
Access Required:        Existing Account
CVE Names:              CAN-2003-0091

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NSFOCUS Security Advisory(SA2003-02)

Topic: Solaris lpq Stack Buffer Overflow Vulnerability

Release Date: 2003-3-31 

CVE CAN ID: CAN-2003-0091

Affected system:
===================

Sun Solaris 2.5.1 (SPARC/x86)
Sun Solaris 2.6 (SPARC/x86)
Sun Solaris 7   (SPARC/x86)
                                                               
Summary:
=========

NSFOCUS Security Team has found a buffer overflow vulnerability in lpq, an 
application in Sun Solaris system. Exploiting the vulnerability local 
attackers could gain root privilege.  

Description:
============

lpq, which is used to display the contents in printing queue, is a command 
in SunOS/BSD compatible package.By default suid root bit is set to it. 
Because valid bound check has not been implemented when handling the data 
provided by users, attackers could cause a fixed stack buffer to overflow.
By carefully crafting overflow data attackers could run arbitrary code with 
root privilege. 

Actually /usr/ucb/lpq is a symbol link to /usr/bin/lpstat. lpstat will 
operate according to the program names during the calling. If "lpq", it will
operate in BSD style, or it will operate in System V style. The bsd_queue()
function in lpq will call strcat() to copy the data provided by users to a 
buffer the size of which is fixed. Because the length of the copied data has
not been checked, if an attacker provides a over-long string, he/she will
cause a stack buffer overflow. By overwriting the returning addresses and other
data in the stack, local attackers could gain root privilege. 

Solaris 8/9 uses strlcat() to implement string copy, so it avoids buffer
overflow and therefore is not vulnerable to the issue.  

Workaround:
=============

 NSFOCUS suggests to disable suid root attribute of lpstat(lpq) temporarily:
 # chmod a-s /usr/bin/lpstat

Vendor Status:
==============

2002-12-11  Informed the vendor.
2002-12-13  The vendor confirmed the vulnerability. 
2003-03-31  The vendor released a Sun Alert and patches for this issue. 

The Sun Alert is available at:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/52443

The patches are:

Solaris 2.6     106235-12
Solaris 2.6_x86 106236-12
Solaris 7       107115-12
Solaris 7_x86   107116-12


Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2003-0091 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security 
problems. Candidates may change significantly before they become official 
CVE entries.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE  1B90 D7BF 7877 C6A6 F6DA

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+iBNs1794d8am9toRArQpAKCPmoXrsyInS1pQgfYTuYtkR2XvswCfTjvL
VAzI4QN1JWJvITsvlI5heA8=
=erIs
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPoxxHyh9+71yA2DNAQGygwQAgzJ+VwFVWyl3KdmFBmszV9FBhhcBAV87
M3GJG+DcDySy9v6PBPPq17MxbgAVWhF9ZEcKSl2WcGuGFbN8f7B4clJzYDLvReQH
wtGcQX6uqlhKHxCbhXqJDHWz3a8/rYYtqrHTSRYHbNQlJowipuwnjtC1K24TIQ/y
RMLs0WfsJzs=
=yWbY
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1&it=2935