Vulnerability Note VU#274043
BSD Line Printer Daemon vulnerable to buffer overflow via crafted print request
Overview
The line printer daemon enables various clients to share printers over a network. There exists a buffer overflow vulnerability in this daemon that permits remote execution of arbitrary commands with elevated privileges.
Description
There is a buffer overflow in several implementations of in.lpd, a BSD line printer daemon. An intruder can send a specially crafted print job to the target and then request a display of the print queue to trigger the buffer overflow. The intruder may be able use this overflow to execute arbitrary commands on the system with superuser privileges. The line printer daemon must be enabled and configured properly in order for an intruder to exploit this vulnerability. This is, however, trivial as the line printer daemon is commonly enabled to provide printing functionality. In order to exploit the buffer overflow, the intruder must launch his attack from a system that is listed in the "/etc/hosts.equiv" or "/etc/hosts.lpd" file of the target system. |
Impact
An intruder can remotely execute arbitrary commands on the system with the privileges of the line printer daemon, usually root or a superuser. |
Solution
Apply a patch, if available, from your vendor. |
Disable the line printer daemon if there is not a patch available from your vendor. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| BSDI | Affected | - | 06 Sep 2001 |
| FreeBSD | Affected | - | 06 Sep 2001 |
| NETBSD | Affected | - | 30 Nov 2001 |
| OpenBSD | Affected | - | 06 Sep 2001 |
| Red Hat | Affected | - | 08 Nov 2001 |
| SCO | Affected | - | 01 Nov 2001 |
| SGI | Affected | - | 01 Nov 2001 |
| SuSE | Affected | - | 01 Nov 2001 |
| Caldera | Not Affected | 04 Sep 2001 | 01 Nov 2001 |
| Engarde | Not Affected | - | 01 Nov 2001 |
| Fujitsu | Not Affected | - | 01 Nov 2001 |
| IBM | Not Affected | 04 Sep 2001 | 01 Nov 2001 |
| Sun | Not Affected | - | 02 Oct 2001 |
| Apple | Unknown | - | 09 Nov 2001 |
| Compaq Computer Corporation | Unknown | - | 05 Nov 2001 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- VU#966075
- http://xforce.iss.net/alerts/advise94.php
- http://www.securityfocus.com/bid/3252
- http://www.BSDI.COM/services/support/patches/patches-4.1/M410-044
- http://www.openbsd.com/errata.html
- http://www.netbsd.org/security
- http://www.freebsd.org/security
Credit
This vulnerability was discovered and researched by Mark Dowd of Internet Security Systems (ISS). The CERT/CC wishes to thank ISS for the information contained in their advisory.
This document was written by Jason Rafail.
Other Information
- CVE IDs: CAN-2001-0670
- Date Public: 28 Aug 2001
- Date First Published: 03 Oct 2001
- Date Last Updated: 30 Nov 2001
- Severity Metric: 32.22
- Document Revision: 12
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.