BSD lpr -s option symlink attack
|bsd-lpr-symlink (7209)||Medium Risk|
The BSD lpr print spooler, included on multiple BSD-based operating systems, could allow a local attacker to launch a symlink attack. A local attacker could create a symbolic link in the /var/spool/lpd directory to overwrite or create arbitrary files on the system once lpr has been invoked 1000 times. An attacker could exploit this vulnerability to obtain root privileges on the system.
Apply the patch for this vulnerability, as listed in 8lgm Advisory #03. See References.
- 8lgm Advisory #03: [8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991.
- CIAC Information Bulletin E-25a: BSD lpr Vulnerability in SGI IRIX.
- CVE-1999-1102: lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating systems allows local users to create or overwrite arbitrary files via a symlink attack that is triggered after invoking lpr 1000 times.
- OSVDB ID: 9020: Multiple Vendor lpr 1000x Symlink Arbitrary File Create/Overwrite
- Apple A UX 2.0.1
- SGI IRIX 4.0.5
- SGI IRIX 5.0
- SGI IRIX 5.0.1
- SGI IRIX 5.1
- SGI IRIX 5.1.1
- SGI IRIX 5.2
- Sun SunOS 4.1.1
- WindRiver BSDOS 4.3
Aug 19, 1991
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this