SecurityTracker.com

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   in.lpd
Vendors:   [Multiple Authors/Vendors]
(NetBSD Issues Fix) BSD Line Printer Daemon Buffer Overflow Lets Remote Users Execute Arbitrary Code and Gain Root Level Access to the System
SecurityTracker Alert ID:  1002807
SecurityTracker URL:  http://securitytracker.com/id/1002807
CVE Reference:   CVE-2001-0670
Date:  Nov 22 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): OpenBSD CURRENT and earlier, FreeBSD 4.3 and earlier, NetBSD 1.5.1 and earlier, BSD/OS 4.1 and earlier
Description:   Internet Security Systems announced a vulnerability in the BSD Line Printer daemon ('in.lpd') that allows remote users to trigger a buffer overflow and execute arbitrary code on the server with root level privileges. This affects BSD/OS, NetBSD, FreeBSD, and OpenBSD.

A remote user can submit a specially crafted, incomplete print job and then request a display of the printer queue to trigger a buffer overflow. It is reported that the code that parses the first request (the incomplete print job) contains a static buffer overflow. This allows a remote user to execute arbitrary code with root level privileges, thereby gaining root level access on the server.

It is reported that FreeBSD and OpenBSD do not enable in.lpd by default and that BSD/OS enables in.lpd by default but with an empty configuration file. As a result, those platforms are not vulnerable in the default configuration.

It is reported that the remote user must initiate an attack from a host that is listed in the "/etc/hosts.equiv" or "/etc/hosts.lpd" file of the target host.

Impact:   A remote user can execute arbitrary code on the server with root level privileges and can gain root level access to the system.
Solution:   The vendor has released a fix. The vendor reports that NetBSD 1.3 and later install with lpd disabled by default and that a NetBSD system is vulnerable to this security hole only if it is running /usr/sbin/lpd and access to lpd is allowed by entries in /etc/hosts.lpd. If this is the case, the vendor recommends updating the binary.

The vendor has provided the following workaround:

"If you are running /usr/sbin/lpd, and you do not need it, stop it.
If you have /etc/hosts.lpd which is open to everyone, you will want to
tighten the setup so that no malicious parties can access your remote printer."
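
One way to check a host against this workaround and against the /etc/hosts.equiv and /etc/hosts.lpd condition described above. This is an added example, not code from NetBSD or SecurityTracker. It assumes both files follow hosts.equiv(5) syntax, where a host field of "+" trusts every host and "+@name" trusts a whole netgroup; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NetBSD's code: flag wide-open lpd trust entries.
# Assumption: hosts.lpd and hosts.equiv use hosts.equiv(5) syntax, and
# lines whose first field starts with "#" are treated as comments.

# audit_trust_file FILE: print "KIND:LINENO:ENTRY" for each risky entry.
audit_trust_file() {
    [ -r "$1" ] || return 0
    awk '
        NF == 0 || $1 ~ /^#/ { next }                      # blank or comment
        $1 == "+"    { print "OPEN:" NR ":" $1; next }     # trusts any host
        $1 ~ /^\+@/  { print "NETGROUP:" NR ":" $1; next } # whole netgroup
    ' "$1"
}

# lpd_listed: read `ps -ax -o command` output on stdin; succeed if lpd runs.
lpd_listed() {
    awk '{ n = split($1, p, "/"); if (p[n] == "lpd") f = 1 } END { exit !f }'
}

# audit_lpd ROOT: audit ROOT/etc/hosts.lpd and ROOT/etc/hosts.equiv.
# Use ROOT="" for the live system. Returns 1 if any risky entry was found.
audit_lpd() {
    rc=0
    for f in "$1/etc/hosts.lpd" "$1/etc/hosts.equiv"; do
        out=$(audit_trust_file "$f")
        [ -z "$out" ] && continue
        printf '%s\n' "$out" | while IFS= read -r l; do
            printf '%s:%s\n' "$f" "$l"
        done
        rc=1
    done
    return "$rc"
}

# Constructed sample tree (not taken from a real host).
make_sample() {
    mkdir -p "$1/etc"
    printf '%s\n' '# print clients' 'build1.example.org' '+' > "$1/etc/hosts.lpd"
    printf '%s\n' 'admin.example.org' '+@labhosts' > "$1/etc/hosts.equiv"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_lpd "$tmp" || echo "tighten the entries above, or stop lpd if unused"
if ps -ax -o command 2>/dev/null | lpd_listed; then echo "lpd is running"; fi
rm -rf "$tmp"
```
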


* NetBSD -current, 1.5, 1.5.1, 1.5.2:

For systems running NetBSD-current dated from before 2001-08-28, upgrade to NetBSD-current dated 2001-08-28 or later.

For systems running NetBSD 1.5, 1.5.1 or 1.5.2 dated from before 2001-09-30, upgrade to NetBSD-1.5 branch sources dated 2001-09-30 or later.

The following directory needs to be updated from the netbsd-current CVS branch (aka HEAD) for NetBSD-current, or netbsd-1-5 CVS branch for NetBSD 1.5, 1.5.1 or 1.5.2:

src/usr.sbin/lpr

To update from CVS, re-build, and re-install lpd(8):
# cd src/usr.sbin/lpr
# cvs update -d -P
# make cleandir dependall install


Alternatively, apply the following patch (with potential offset
differences) and rebuild & re-install lpd(8):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch

To patch, re-build and re-install lpd(8):
# cd src/usr.sbin/lpr/common_sources
# patch < /path/to/SA2001-018-lpd.patch
# make cleandir dependall install

* NetBSD 1.4, 1.4.x:

For systems running NetBSD-1.4.x releases, apply the following patch (with potential offset differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch

To patch, re-build and re-install lpd(8):
# cd src/usr.sbin/lpr/common_sources
# patch < /path/to/SA2001-018-lpd.patch
# make cleandir dependall install


The vendor reports that the anonymous CVS branch netbsd-1-4 should be updated with a fix in the near future.

Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 30 2001 BSD Line Printer Daemon Buffer Overflow Lets Remote Users Execute Arbitrary Code and Gain Root Level Access to the System



 Source Message Contents

Subject:  NetBSD Security Advisory 2001-018 Remote Buffer Overflow Vulnerability in LPD



-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2001-018
                 =================================

Topic:		Remote Buffer Overflow Vulnerability in BSD Line Printer Daemon

Version:	NetBSD-current: prior to August 28, 2001
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected

Severity:	Remote root compromise from any host which can connect to lpd(8)

Fixed:		NetBSD-current:		August 28, 2001
		NetBSD-1.5 branch:	September 30, 2001
		NetBSD-1.4 branch: 	not yet

Abstract
========

There is a remotely exploitable buffer overrun in the printer daemon,
/usr/sbin/lpd.


Technical Details
=================

http://msgs.securepoint.com/cgi-bin/get/bugtraq0108/259.html


Solutions and Workarounds
=========================

NetBSD 1.3 and later install with lpd disabled by default.  A system is
vulnerable to this security hole only if it is running /usr/sbin/lpd,
and access to lpd is allowed by entries in /etc/hosts.lpd.  Updating
the binary for safety is recommended.

Quick workaround:
If you are running /usr/sbin/lpd, and you do not need it, stop it.
If you have /etc/hosts.lpd which is open to everyone, you will want to
tighten the setup so that no malicious parties can access your remote printer.

Solutions:

* NetBSD -current, 1.5, 1.5.1, 1.5.2:

	Systems running NetBSD-current dated from before 2001-08-28
	should be upgraded to NetBSD-current dated 2001-08-28 or later.

	Systems running NetBSD 1.5, 1.5.1 or 1.5.2 dated from before
	2001-09-30 should be upgraded to NetBSD-1.5 branch sources dated
	2001-09-30 or later.

	The following directory needs to be updated from the
	netbsd-current CVS branch (aka HEAD) for NetBSD-current,
	or netbsd-1-5 CVS branch for NetBSD 1.5, 1.5.1 or 1.5.2:
		src/usr.sbin/lpr

	To update from CVS, re-build, and re-install lpd(8):
		# cd src/usr.sbin/lpr
		# cvs update -d -P
		# make cleandir dependall install


	Alternatively, apply the following patch (with potential offset
	differences) and rebuild & re-install lpd(8):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch

	To patch, re-build and re-install lpd(8):
		# cd src/usr.sbin/lpr/common_sources
		# patch < /path/to/SA2001-018-lpd.patch
		# make cleandir dependall install


* NetBSD 1.4, 1.4.x:

	Systems running NetBSD-1.4.x releases should apply the following
	patch (with potential offset differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch

	To patch, re-build and re-install lpd(8):
		# cd src/usr.sbin/lpr/common_sources
		# patch < /path/to/SA2001-018-lpd.patch
		# make cleandir dependall install


	The anonymous CVS branch netbsd-1-4 should be updated with a
	fix in the near future.


Thanks To
=========

Jun-ichiro Hagino for the original patches to -current, from a fix in
OpenBSD

Revision History
================

	2001-11-22      Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-018.txt,v 1.6 2001/11/22 15:21:45 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO/0YaT5Ru2/4N2IFAQFP2wP/cSSUxRgwi/JOWj7Yx6u35ygYpuZV3oXs
utQs/astpcjqVPQGqw0BRAuG5dJCqmLqf0F//cpwmFn/V5f5ByhwJE+x/KrtJ19N
S36uB6AAQYQ7Bh9GGVApncKwk2XeA3XcI2PAWX1VkRStzU/k6QYunfqqRdnMr5xr
srHaB5bZ9FQ=
=Wn9T
-----END PGP SIGNATURE-----

 
 



Copyright 2022, SecurityGlobal.net LLC