SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information

Report a Vulnerability

 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#484011

Solaris Line Printer Daemon (in.lpd) vulnerable to buffer overflow via transfer job routine

Overview

A buffer overflow exists in the Solaris line printer daemon (in.lpd) that may allow a remote intruder to execute arbitrary code with the privileges of the running in.lpd. This daemon runs with root privileges by default on all recent versions of Solaris.

I. Description

The Solaris in.lpd provides services for remote users to interact with a local printer, listening for remote requests on port 515/tcp. There is an unchecked buffer in the part of the code responsible for transferring print jobs from one machine to another. If given too many jobs to work on at once, an attacker can either crash the printer daemon or attempt to execute arbitrary code with super user privileges on the victim system.

This problem was discovered by ISS X-Force and posted here on June 19, 2001.

Vulnerable versions of Solaris are as follows:

    Solaris 2.6
    Solaris 2.6 x86
    Solaris 7
    Solaris 7 x86
    Solaris 8
    Solaris 8 x86
Sun recommends the following workarounds until the patches identified below may be applied:
  • Disable the print service in /etc/inetd.conf
  • Enable the noexec_user_stack tunable
  • Block access to 515/tcp (printer) at all appropriate network perimeters

II. Impact

A remote intruder may be able to execute arbitrary code with the privileges in the running daemon (typically root). In addition, a remote intruder may be able to crash vulnerable printer daemons.

III. Solution

Patches have been released by Sun. They are part of a jumbo lp patch set identified by the following ids, per Sun Security Bulletin #206:

    The following patches are available in relation to the above problem.

        OS Version               Patch ID
       __________               _________
       SunOS 5.8                109320-04
       SunOS 5.8_x86            109321-04
       SunOS 5.7                107115-09
       SunOS 5.7_x86            107116-09
       SunOS 5.6                106235-09
       SunOS 5.6_x86            106236-09

The in.lpd daemon was not available prior to Solaris 2.6.

These patches resolve Sun problem report 4446925 *in.lpd* contains a remote exploitable overflow.

Workarounds


  • Disable the print service in /etc/inetd.conf
  • Enable the noexec_user_stack tunable
  • Block access to 515/tcp (printer) at all appropriate network perimeters

Systems Affected
VendorStatusDate NotifiedDate Updated
SunVulnerable31-Aug-2001

References

https://www.kb.cert.org/vuls/484011
(X-Force Advisory 80, http://xforce.iss.net/alerts/advise80.php)
http://www.securityfocus.com/bid/2894
http://www.sun.com/security
http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl

Credit

The X-Force team of Internet Security Systems, Inc. has released an advisory about this issue.

This document was written by Jeffrey S. Havrilla

Other Information

Date Public:2001-06-19
Date First Published:2001-06-21
Date Last Updated:2001-08-31
CERT Advisory:CA-2001-15
CVE-ID(s):CAN-2001-0353
NVD-ID(s):CAN-2001-0353
US-CERT Technical Alerts: 
Severity Metric:56.43
Document Revision:11

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get a PDF Reader