A vulnerability in a program supplied with the Solaris printing system could allow a local attacker to gain elevated privileges on the system.
The Solaris operating system from Sun Microsystems includes a number of supplemental programs to aid in configuration and maintenance of the printing subsystem. One of these programs, /usr/lib/print/conv_fix (which is invoked from the /usr/lib/print/conv_lpd shell script), operates on files in an insecure manner. An attacker can create a file containing data of their choosing that would later be processed by conv_fix. The attacker can then cause their data to be written out to any file on the system if the conv_lpd script is executed as root.
An attacker with local access may be able to overwrite or create any file on the system if the conv_lpd program is run by root. Depending on which file was created or overwritten, this could allow the attacker to gain elevated privileges or a cause a denial-of-service against the system.
Apply a patch from the vendor
Patches have been released to address this issue. Please see the Systems Affected section of this document for more details.
Thanks to Sun Microsystems, Inc. for reporting this vulnerability.
This document was written by Chad R Dougherty.
|Date First Published:||2004-03-04|
|Date Last Updated:||2004-03-04 19:14 UTC|