BSD lpd print protocol daemon buffer overflow

bsd-lpd-bo (7046) The risk level is classified as HighHigh Risk

Description:

Several BSD implementations contain a buffer overflow vulnerability in the BSD Unix line printer daemon ("in.lpd" or "lpd" ) that could allow a remote attacker to execute arbitrary code on the system with superuser privileges. The line printer daemon is used to allow heterogeneous Unix environments to share printers over a network.

The vulnerability presents itself when an attacker submits a specially-crafted, incomplete print job. An attacker can subsequently request a display of the printer queue to trigger a buffer overflow. A static buffer overflow condition exists in the functionality that parses the attacker's first request. Attackers may use this overflow to execute arbitrary commands on the system, or spawn an interactive shell and then navigate the file system. After the attacker successfully exploits the buffer overflow, all commands are executed with superuser privilege.

The line printer must be enabled and configured for attackers to exploit this vulnerability. FreeBSD and OpenBSD do not enable in.lpd by default. BSD/OS line printer daemon is running by default, but with an empty configuration file. The attacker must launch his attack from a system that is listed in the "/etc/hosts.equiv" or "/etc/hosts.lpd" file of the target system.


Consequences:

Gain Privileges

Remedy:

For BSD/OS 4.1 and earlier:
Apply the M410-044 patch for your system, available from the BSDI Support Web site. See References.

For OpenBSD CURRENT and earlier:
Apply the appropriate patch for your system, when it becomes available from the OpenBSD Web site. See References.

For NetBSD 1.5.1 and earlier:
Apply the appropriate patch for your system, as listed in NetBSD Security Advisory 2001-018. See References.

For FreeBSD 3.x and 3.5.1-STABLE:
Upgrade to the latest version of FreeBSD (3.5.1-STABLE dated 2001-08-30 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:58. See References.

— OR —

Apply the appropriate patch for your system, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:58. See References.

For FreeBSD 4.x and 4.3-STABLE:
Upgrade to the latest version of FreeBSD (4.3-STABLE dated 2001-08-30 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:58. See References.

— OR —

Apply the appropriate patch for your system, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:58. See References.

For Caldera OpenServer 5.0.6 and earlier:
Apply the appropriate patch for your system, as listed in Caldera International, Inc. Security Advisory CSSA-2001-SCO.20.1. See References.

For IBM AIX 4.3:
Apply APAR IY23037 patch, as listed in IBM Global Services MSS Outside Advisory Redistribution MSS-OAR-E01-2001:391.1. See References.

For IBM AIX 5.1:
Apply APAR IY23041 patch, as listed in IBM Global Services MSS Outside Advisory Redistribution MSS-OAR-E01-2001:391.1. See References.

For Red Hat Linux 6.2:
Upgrade to the latest version of lpr (0.50.1-1 or later), as listed in Red Hat Linux Errata Advisory RHSA-2001:147-07. See References.

For SuSE Linux 7.2 (Intel Platform):
Upgrade to the latest version of lprold (3.0.48-272 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For SuSE Linux 6.3, 6.4, 7.0, and 7.1 (Intel Platform)::
Upgrade to the latest version of lprold (3.0.48-275 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For SuSE Linux 7.0 and 7.1 (Sparc Platform):
Upgrade to the latest version of lprold (3.0.48-216 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For SuSE Linux 6.3, 6.4, 7.0, and 7.1 (AXP Alpha Platform):
Upgrade to the latest version of lprold (3.0.48-215 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For SuSE Linux 6.4, 7.0, and 7.1 (Power PC Platform):
Upgrade to the latest version of lprold (3.0.48-200 or later), as listed in SuSE Security Announcement SuSE-SA:2001:033. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • FreeBSD FreeBSD 3.5
  • FreeBSD FreeBSD 4.0
  • FreeBSD FreeBSD 4.1
  • FreeBSD FreeBSD 4.1.1
  • FreeBSD FreeBSD 4.2
  • FreeBSD FreeBSD 4.3
  • IBM AIX 4.3
  • IBM AIX 5.1
  • NetBSD NetBSD 1.4
  • NetBSD NetBSD 1.4.1
  • NetBSD NetBSD 1.4.2
  • NetBSD NetBSD 1.4.3
  • NetBSD NetBSD 1.5
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • OpenBSD OpenBSD CURRENT and prior
  • RedHat Linux 6.2
  • SCO Caldera OpenServer 5.0.6a and prior
  • SUSE SuSE Linux 6.3
  • SUSE SuSE Linux 6.4
  • SUSE SuSE Linux 7.0
  • SUSE SuSE Linux 7.1
  • SUSE SuSE Linux 7.2
  • WindRiver BSDOS 2.0
  • WindRiver BSDOS 2.1
  • WindRiver BSDOS 3.0
  • WindRiver BSDOS 3.1
  • WindRiver BSDOS 4.0
  • WindRiver BSDOS 4.0.1
  • WindRiver BSDOS 4.1

Reported:

Aug 29, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page