BSD lpd print protocol daemon buffer overflow

bsd-lpd-bo (7046) The risk level is classified as High Risk

Description:

Several BSD implementations contain a buffer overflow vulnerability in the BSD Unix line printer daemon ("in.lpd" or "lpd") that could allow a remote attacker to execute arbitrary code on the system with superuser privileges. The line printer daemon is used to allow heterogeneous Unix environments to share printers over a network.

The vulnerability presents itself when an attacker submits a specially-crafted, incomplete print job. An attacker can subsequently request a display of the printer queue to trigger a buffer overflow. A static buffer overflow condition exists in the functionality that parses the attacker's first request. Attackers may use this overflow to execute arbitrary commands on the system, or spawn an interactive shell and then navigate the file system. After the attacker successfully exploits the buffer overflow, all commands are executed with superuser privilege.

The line printer must be enabled and configured for attackers to exploit this vulnerability. FreeBSD and OpenBSD do not enable in.lpd by default. The BSD/OS line printer daemon runs by default, but with an empty configuration file. The attacker must launch the attack from a system that is listed in the "/etc/hosts.equiv" or "/etc/hosts.lpd" file of the target system.
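Because the overflow is reachable only from hosts named in "/etc/hosts.equiv" or "/etc/hosts.lpd", an administrator can measure exposure by listing what those files admit. The script below is an added example, not part of the original advisory; the function names are hypothetical, the sample files are constructed, and the entry format it parses ('#' comments, '+' wildcard, leading '-' deny entries) is an assumption.

```shell
#!/bin/sh
# Added example: list which remote hosts the lpd trust files admit.
# Assumed file format: one entry per line, '#' starts a comment,
# a first field of '+' trusts every host, a leading '-' is a deny entry.

# Print the first field (host) of every active allow entry in the given files.
lpd_trusted_hosts() {
    for f in "$@"; do
        [ -r "$f" ] || continue          # skip missing or unreadable files
        sed -e 's/#.*//' "$f" | awk 'NF && $1 !~ /^-/ { print $1 }'
    done | sort -u
}

# Classify exposure: "none", "open" (wildcard '+'), or "restricted:<count>".
lpd_exposure() {
    hosts=$(lpd_trusted_hosts "$@")
    if [ -z "$hosts" ]; then
        echo "none"
    elif printf '%s\n' "$hosts" | grep -Fqx '+'; then
        echo "open"
    else
        echo "restricted:$(printf '%s\n' "$hosts" | wc -l | tr -d ' ')"
    fi
}

# Constructed sample files (not taken from any real system).
demo_dir=$(mktemp -d)
printf '# print clients\nws1.example.org\nws2.example.org\n' > "$demo_dir/hosts.lpd"
printf '+ \n-badhost.example.org\n' > "$demo_dir/hosts.equiv"

echo "hosts.lpd only:   $(lpd_exposure "$demo_dir/hosts.lpd")"
echo "with hosts.equiv: $(lpd_exposure "$demo_dir/hosts.lpd" "$demo_dir/hosts.equiv")"
```

On a real system, call `lpd_exposure /etc/hosts.equiv /etc/hosts.lpd`; a result of "open" means any host that can reach the daemon satisfies the trust check.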

Platforms Affected:

  • FreeBSD, FreeBSD 3.5
  • FreeBSD, FreeBSD 4.0
  • FreeBSD, FreeBSD 4.1
  • FreeBSD, FreeBSD 4.1.1
  • FreeBSD, FreeBSD 4.2
  • FreeBSD, FreeBSD 4.3
  • IBM, AIX 4.3
  • IBM, AIX 5.1
  • NetBSD, NetBSD 1.4
  • NetBSD, NetBSD 1.4.1
  • NetBSD, NetBSD 1.4.2
  • NetBSD, NetBSD 1.4.3
  • NetBSD, NetBSD 1.5
  • NetBSD, NetBSD 1.5.1
  • NetBSD, NetBSD 1.5.2
  • OpenBSD, OpenBSD CURRENT and prior
  • RedHat, Linux 6.2
  • SCO, Caldera OpenServer 5.0.6a and prior
  • SuSE, SuSE Linux 6.3
  • SuSE, SuSE Linux 6.4
  • SuSE, SuSE Linux 7.0
  • SuSE, SuSE Linux 7.1
  • SuSE, SuSE Linux 7.2
  • WindRiver, BSDOS 2.0
  • WindRiver, BSDOS 2.1
  • WindRiver, BSDOS 3.0
  • WindRiver, BSDOS 3.1
  • WindRiver, BSDOS 4.0
  • WindRiver, BSDOS 4.0.1
  • WindRiver, BSDOS 4.1

Remedy:

For BSD/OS 4.1 and earlier:
Apply the M410-044 patch for your system, available from the BSDI Support Web site. See References.

For OpenBSD CURRENT and earlier:
Apply the appropriate patch for your system, when it becomes available from the OpenBSD Web site. See References.

For NetBSD 1.5.1 and earlier:
Apply the appropriate patch for your system, as listed in NetBSD Security Advisory 2001-018. See References.

For FreeBSD 3.x and 3.5.1-STABLE:
Upgrade to the latest version of FreeBSD (3.5.1-STABLE dated 2001-08-30 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:58. See References.

— OR —

Apply the appropriate patch for your system, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:58. See References.

For FreeBSD 4.x and 4.3-STABLE:
Upgrade to the latest version of FreeBSD (4.3-STABLE dated 2001-08-30 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:58. See References.

— OR —

Apply the appropriate patch for your system, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:58. See References.

For Caldera OpenServer 5.0.6 and earlier:
Apply the appropriate patch for your system, as listed in Caldera International, Inc. Security Advisory CSSA-2001-SCO.20.1. See References.

For IBM AIX 4.3:
Apply APAR IY23037 patch, as listed in IBM Global Services MSS Outside Advisory Redistribution MSS-OAR-E01-2001:391.1. See References.

For IBM AIX 5.1:
Apply APAR IY23041 patch, as listed in IBM Global Services MSS Outside Advisory Redistribution MSS-OAR-E01-2001:391.1. See References.

For Red Hat Linux 6.2:
Upgrade to the latest version of lpr (0.50.1-1 or later), as listed in Red Hat Linux Errata Advisory RHSA-2001:147-07. See References.

For SuSE Linux 7.2 (Intel Platform):
Upgrade to the latest version of lprold (3.0.48-272 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For SuSE Linux 6.3, 6.4, 7.0, and 7.1 (Intel Platform):
Upgrade to the latest version of lprold (3.0.48-275 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For SuSE Linux 7.0 and 7.1 (Sparc Platform):
Upgrade to the latest version of lprold (3.0.48-216 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For SuSE Linux 6.3, 6.4, 7.0, and 7.1 (AXP Alpha Platform):
Upgrade to the latest version of lprold (3.0.48-215 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For SuSE Linux 6.4, 7.0, and 7.1 (Power PC Platform):
Upgrade to the latest version of lprold (3.0.48-200 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

Reported:

Aug 29, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
