Vulnerability Note VU#39001

lpd allows options to be passed to sendmail

Overview

The line printer daemon enables various clients to share printers over a network. There exists a vulnerability in this daemon that permits an intruder to send options to sendmail.

I. Description

The line printer daemon enables various clients to share printers over a network. There exists a vulnerability in this daemon that permits an intruder to send options to sendmail. These options could be used to specify another configuration file allowing an intruder to gain root access.

II. Impact

An intruder may be able to gain root access. In conjunction with another vulnerability (e.g., VU#30308), this can be exploited from hosts not normally authorized to use the lpd service.

III. Solution

Apply the patches, if available, from your vendor.

Systems Affected

Vendor	Status	Date Notified
Apple Computer Inc.	Unknown	9-Nov-2001
Caldera	Not Vulnerable	30-Oct-2001
Compaq Computer Corporation	Unknown	5-Nov-2001
Cray Inc.	Not Vulnerable	30-Oct-2001
Debian	Vulnerable	4-Oct-2001
Engarde	Not Vulnerable	30-Oct-2001
FreeBSD	Not Vulnerable	5-Nov-2001
Fujitsu	Not Vulnerable	31-Oct-2001
IBM	Not Vulnerable	30-Oct-2001
MandrakeSoft	Vulnerable	30-Oct-2001
Red Hat Inc.	Vulnerable	4-Oct-2001
Sun Microsystems Inc.	Vulnerable	31-Jul-2002

References

http://www.kb.cert.org/vuls/id/30308
http://www.atstake.com/research/advisories/2000/lpd_advisory.txt
http://www.redhat.com/support/errata/RHSA2000002-01.6.0.html
http://www.debian.org/security/2000/20000109

Credit

The CERT/CC would like to thank @Stake, Red Hat and Debian for the information provided in their security advisories.

This document was written by Jason Rafail.

Other Information

Date Public:	2000-01-08
Date First Published:	2001-10-16
Date Last Updated:	2001-11-09
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	14.06
Document Revision:	13

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader