[UNIX] Remote Buffer Overflow Vulnerability in BSD Line Printer Daemon
From: support@securiteam.comDate: 09/04/01
- Previous message: support@securiteam.com: "[EXPL] HP UNIX /usr/sbin/swverify Exploit Code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Subject: [UNIX] Remote Buffer Overflow Vulnerability in BSD Line Printer Daemon Message-Id: <20010904172825.436DC138C0@mail.der-keiler.de> Date: Tue, 4 Sep 2001 19:28:25 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Remote Buffer Overflow Vulnerability in BSD Line Printer Daemon
------------------------------------------------------------------------
SUMMARY
Internet Security Systems (ISS) X-Force has discovered a vulnerability in
several BSD implementations. A buffer overflow vulnerability exists in the
BSD Unix line printer daemon ("in.lpd" or "lpd"). Remote or local
attackers may use this vulnerability to execute arbitrary code with super
user privileges on a vulnerable target.
DETAILS
Affected versions:
OpenBSD CURRENT and earlier
FreeBSD 4.3 and earlier
NetBSD 1.5.1 and earlier
BSD/OS 4.1 and earlier
The line printer daemon is used to allow heterogeneous UNIX environments
to share printers over a network. The line printer daemon passes network
print jobs to a printer, manages printer queues, and provides printer job
control functions.
The vulnerability presents itself when an attacker submits a specially
crafted, incomplete print job. An attacker can subsequently request a
display of the printer queue to trigger a buffer overflow. A static buffer
overflow condition exists in the functionality that parses the attacker's
first request. Attackers may use this overflow to execute arbitrary
commands on the system, or spawn an interactive shell and then navigate
the file system. After the attacker successfully exploits the buffer
overflow, all commands are executed with superuser privilege.
The line printer must be enabled and configured for attackers to exploit
this vulnerability. FreeBSD and OpenBSD do not enable in.lpd by default.
BSD/OS line printer daemon is running by default, but with an empty
configuration file. The attacker must launch his attack from a system that
is listed in the "/etc/hosts.equiv" or "/etc/hosts.lpd" files of the
target system.
Recommendations:
ISS X-Force recommends that all administrators who have not implemented
network printing should immediately disable the line printer daemon, as
well as any other unused services. If administrators have implemented
network printing, X-Force recommends against granting blanket access to
printers.
Patches will be made available by all the affected vendors. Please refer
to the following addresses for patch information regarding this
vulnerability:
<http://www.BSDI.COM/services/support/patches/patches-4.1/M410-044>
http://www.BSDI.COM/services/support/patches/patches-4.1/M410-044
<http://www.openbsd.com/errata.html> http://www.openbsd.com/errata.html
<http://www.netbsd.org/security> http://www.netbsd.org/security
<http://www.freebsd.org/security> http://www.freebsd.org/security
ADDITIONAL INFORMATION
The information has been provided by <mailto:xforce@iss.net> X-Force.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[EXPL] HP UNIX /usr/sbin/swverify Exploit Code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
