Original release date: June 29, 2001<BR>
Last revised: August 31, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<li>Solaris 2.6 for SPARC
<li>Solaris 2.6 x86
<li>Solaris 7 for SPARC
<li>Solaris 7 x86
<li>Solaris 8 for SPARC
<li>Solaris 8 x86
</UL>

<A NAME="overview">
<H2>Overview</H2>

<P>A buffer overflow exists in the <A
HREF="http://www.sun.com/software/solaris/">Solaris</A> BSD-style line
printer daemon, <i>in.lpd</i>, that may allow a remote intruder to
execute arbitrary code with the privileges of the running daemon. This
daemon runs with root privileges on all default installations of
vulnerable Solaris systems listed above.

<A NAME="description">
<H2>I. Description</H2>

<P>
The <A HREF="http://www.sun.com/software/solaris/">Solaris</A>
<i>in.lpd</i> provides BSD-style services for remote users to interact
with a local printer, listening for remote requests on port 515/tcp
(printer).  There is an unchecked buffer in the part of the code
responsible for transferring print jobs from one machine to
another. If given too many jobs to work on at once, the printer daemon
may crash or allow arbitrary code to be executed with elevated
privileges on the victim system.

<P>
This problem was discovered by the <A HREF="http://xforce.iss.net/">ISS
X-Force</A> who have released an advisory:

<DL><DD>
<A HREF="http://xforce.iss.net/alerts/advise80.php">http://xforce.iss.net/alerts/advise80.php</A>
</DL>

</P>

<P>
Although the CERT/CC has not received any reports of this
vulnerability being successfully exploited, we strongly encourage
all affected system administrators to take one or more of the
recommended actions in <a href="#solution">III. Solution</a>. Such
actions have proven effective at minimizing the likelihood of being
successfully attacked using vulnerabilities similar to this one.
</P>

<A NAME="impact">
<H2>II. Impact</H2>

<P>
A remote intruder may be able to execute arbitrary code with the
privileges of the running daemon (typically root). In addition, a
remote intruder may be able to crash vulnerable printer daemons.

<A NAME="solution">
<H2>III. Solution</H2>

<H3>Apply patches as soon as possible</H3>

<P>Patches have been released by Sun. They are part of a jumbo lp patch set identified by the following ids, per Sun Security Bulletin #206:

<FONT FACE="monospace">
<PRE>
The following patches are available in relation to the above problem.

    OS Version               Patch ID
    __________               _________
    SunOS 5.8                109320-04
    SunOS 5.8_x86            109321-04
    SunOS 5.7                107115-09
    SunOS 5.7_x86            107116-09
    SunOS 5.6                106235-09
    SunOS 5.6_x86            106236-09

</PRE>
</FONT>

Patches listed here are available at:
<br>
<DL><DD>
    <a href="http://sunsolve.sun.com/securitypatch">http://sunsolve.sun.com/securitypatch</a>
</DL>

</P>

<P>
The <i>in.lpd</i> daemon was not available prior to Solaris 2.6.

<P>
These patches resolve Sun problem report 4446925, "<i>in.lpd</i> contains a
remote exploitable overflow."

<P>
The complete signed text of Sun Security Bulletin #206 may be found at:
<BR>

<DL><DD>
	<a href="https://www.kb.cert.org/vuls/id/JSHA-4XWSD9">Sun Information for VU#484011</a>
</DL>
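
<P>
The following check is an added example, not part of the original advisory or of Sun's bulletin. It compares saved <i>showrev -p</i> output against the patch table above; the function names, the release and architecture arguments (as printed by <i>uname -r</i> and <i>uname -p</i>), and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check saved `showrev -p` output against the advisory's patch
# table. Patch IDs come from the table above; the sample input is constructed.

# required_patch RELEASE ARCH -> minimum fixed patch for that platform
# (RELEASE as printed by `uname -r`, ARCH as printed by `uname -p`).
required_patch() {
    case "$1/$2" in
        5.8/sparc) echo 109320-04 ;;
        5.8/i386)  echo 109321-04 ;;
        5.7/sparc) echo 107115-09 ;;
        5.7/i386)  echo 107116-09 ;;
        5.6/sparc) echo 106235-09 ;;
        5.6/i386)  echo 106236-09 ;;
    esac
}

# lpd_patch_status RELEASE ARCH < showrev-output
# Prints "patched", "vulnerable", or "not-listed" (platform not in the table).
lpd_patch_status() {
    need=`required_patch "$1" "$2"`
    if [ -z "$need" ]; then echo not-listed; return 0; fi
    awk -v need="$need" '
        BEGIN { split(need, n, "-") }
        $1 == "Patch:" {
            # Keep the highest installed revision of the required patch ID.
            split($2, p, "-")
            if (p[1] == n[1] && p[2] + 0 > have) have = p[2] + 0
        }
        END { if (have >= n[2] + 0) print "patched"; else print "vulnerable" }'
}

# Constructed sample: a SPARC Solaris 8 host one revision behind the fix.
sample='Patch: 108528-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109320-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpcu'
echo "$sample" | lpd_patch_status 5.8 sparc
```

The script is meant to run on any POSIX host against collected output, so it does not depend on the tools installed on the Solaris system being checked.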

<H3>Implement a workaround</H3>

<P>

A number of different workaround strategies have been suggested for dealing with this problem until patches can be applied:

<UL>
<LI>Disable the print service in <i>/etc/inetd.conf</i> if remote print job handling is unnecessary; see the <a href="http://xforce.iss.net/alerts/advise80.php">ISS X-Force advisory</a> for step-by-step details if needed

<LI>Enable the <b>noexec_user_stack</b> tunable (although this does
not provide 100 percent protection against exploitation of this
vulnerability, it makes the likelihood of a successful exploit much
smaller). Add the following lines to the <i>/etc/system</i> file and
reboot:

<FONT FACE="monospace">
<PRE>
 set noexec_user_stack = 1
 set noexec_user_stack_log = 1
</PRE></FONT>

<LI>Block access to network port 515/tcp (printer) at all appropriate network perimeters
<LI>Deploy <a href="http://www.sunfreeware.com/notes.html#tcp_wrappers">tcpwrappers</a>, also available in the <b>tcpd-7.6</b> package at:
<BR>&nbsp;
<DL><DD>
<a href="http://www.sun.com/solaris/freeware.html#cd">http://www.sun.com/solaris/freeware.html#cd</a>
</DL>

</UL>

</P>
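
<P>
As an added example (not part of the original advisory), the script below audits copies of <i>/etc/inetd.conf</i> and <i>/etc/system</i> for the first two workarounds listed above. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the advisory's two host-level workarounds in copies of
# /etc/inetd.conf and /etc/system. File contents below are constructed samples.

# Exit 0 if an uncommented inetd.conf entry for the "printer" service exists.
printer_service_enabled() {
    awk '$1 == "printer" { found = 1 } END { exit !found }' "$1"
}

# Exit 0 if FILE ($1) has an active "set NAME = 1" line for NAME ($2).
# Lines starting with "*" are comments in /etc/system.
tunable_set() {
    awk -v name="$2" '
        /^[ \t]*\*/ { next }
        { line = $0
          gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
          gsub(/ ?= ?/, "=", line)
          if (line == "set " name "=1") ok = 1 }
        END { exit !ok }' "$1"
}

# audit_lpd_workarounds INETD_CONF SYSTEM_FILE -> one status line per check
audit_lpd_workarounds() {
    if printer_service_enabled "$1"; then
        echo "printer service: ENABLED in inetd.conf"
    else
        echo "printer service: disabled"
    fi
    for t in noexec_user_stack noexec_user_stack_log; do
        if tunable_set "$2" "$t"; then echo "$t: set"; else echo "$t: NOT set"; fi
    done
}

# Constructed sample: service still enabled, only one tunable active.
demo=${TMPDIR:-/tmp}/lpd_audit.$$
mkdir -p "$demo"
cat > "$demo/inetd.conf" <<'EOF'
#shell  stream tcp  nowait root /usr/sbin/in.rshd   in.rshd
printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
EOF
cat > "$demo/system" <<'EOF'
* comment lines in /etc/system start with an asterisk
set noexec_user_stack = 1
* set noexec_user_stack_log = 1
EOF
audit_lpd_workarounds "$demo/inetd.conf" "$demo/system"
rm -rf "$demo"
```

The check reads the files only: a running <i>inetd</i> must re-read its configuration, and <i>/etc/system</i> changes apply after the reboot the advisory calls for.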


<A NAME="references"><H2>Appendix B. - References</H2></A>
<BR>
<ol>
<li>CVE Name: <A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0353">CAN-2001-0353</a>
<li><a href="https://www.kb.cert.org/vuls/id/484011">https://www.kb.cert.org/vuls/id/484011</a><BR>
<li><a href="http://xforce.iss.net/alerts/advise80.php">http://xforce.iss.net/alerts/advise80.php</a><BR>
<li><a href="http://www.securityfocus.com/bid/2894">http://www.securityfocus.com/bid/2894</a><BR>
<li><a href="http://www.sun.com/security">http://www.sun.com/security</a>
<li><a href="http://www.sunfreeware.com/notes.html#tcp_wrappers">http://www.sunfreeware.com/notes.html#tcp_wrappers</a>
<li><a href="http://www.sun.com/solaris/freeware.html#cd">http://www.sun.com/solaris/freeware.html#cd</a>
<li><a href="http://www.sun.com/software/solutions/blueprints/0601/jass_quick_start-v03.html">http://www.sun.com/software/solutions/blueprints/0601/jass_quick_start-v03.html</a>
<li><a href="http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl">Sun Security Bulletin Archive</a>
</ol>

<HR NOSHADE>

<P>

The CERT Coordination Center thanks Sun Microsystems for contributing
to the creation of this advisory.

</P>

<HR NOSHADE>

<P>This document was written by Jeffrey S. Havrilla. If you have
feedback concerning this document, please send email to:

<DL><DD>
<a href="mailto:cert@cert.org?Subject=[VU%23484011]%20Feedback%20CA-2001-15">mailto:cert@cert.org?Subject=[VU#484011] Feedback CA-2001-15</a>
</DL>


<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
Jun 29, 2001:  Initial release
Jul 02, 2001:	Fixed broken link to vulnerability note
Aug 31, 2001:	Updated with patch information from Sun Security Bulletin #206
</PRE>