search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Solaris conv_fix insecure file handling vulnerability

Vulnerability Note VU#412566

Original Release Date: 2004-03-04 | Last Revised: 2004-03-04

Overview

A vulnerability in a program supplied with the Solaris printing system could allow a local attacker to gain elevated privileges on the system.

Description

The Solaris operating system from Sun Microsystems includes a number of supplemental programs to aid in configuration and maintenance of the printing subsystem. One of these programs, /usr/lib/print/conv_fix (which is invoked from the /usr/lib/print/conv_lpd shell script), operates on files in an insecure manner. An attacker can create a file containing data of their choosing that would later be processed by conv_fix. The attacker can then cause their data to be written out to any file on the system if the conv_lpd script is executed as root.

Impact

An attacker with local access may be able to overwrite or create any file on the system if the conv_lpd program is run by root. Depending on which file was created or overwritten, this could allow the attacker to gain elevated privileges or a cause a denial-of-service against the system.

Solution

Apply a patch from the vendor

Patches have been released to address this issue. Please see the Systems Affected section of this document for more details.

Vendor Information

412566
 
Affected   Unknown   Unaffected

Sun Microsystems Inc.

Updated:  March 04, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Microsystems, Inc. has published Sun Security Alert 57509 in response to this issue. Users are encouraged to review this alert and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Sun Microsystems, Inc. for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: None
Severity Metric: 0.96
Date Public: 2004-02-26
Date First Published: 2004-03-04
Date Last Updated: 2004-03-04 19:14 UTC
Document Revision: 9

Sponsored by CISA.