[UNIX] Multiple Vulnerabilities in lpd

From: support@securiteam.com
Date: 11/13/01


To: list@securiteam.com
Message-Id: <20011113195846.A0F0B138BF@mail.der-keiler.de>

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Vulnerabilities in lpd
------------------------------------------------------------------------

SUMMARY

There are multiple vulnerabilities in several implementations of the line
printer daemon (lpd). The line printer daemon lets clients share printers
over a network; it listens on port 515/TCP.
Administrators are encouraged to review their configuration to be sure they
have applied all relevant patches. Access to the lpd service should also be
restricted to authorized hosts; note that lpd's own access control is
host-based (/etc/hosts.lpd and /etc/hosts.equiv), not user-based.

DETAILS

Vulnerable systems:
 * BSDi BSD/OS Version 4.1 and earlier
 * Debian GNU/Linux 2.1 and 2.1r4
 * FreeBSD All released versions FreeBSD 4.x, 3.x, FreeBSD 4.3-STABLE,
   3.5.1-STABLE prior to the correction date
 * Hewlett-Packard HP9000 Series 700/800 running HP-UX releases 10.01,
   10.10, 10.20, 11.00, and 11.11
 * IBM AIX Versions 4.3 and AIX 5.1
 * Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
 * NetBSD 1.5.2 and earlier
 * OpenBSD Version 2.9 and earlier
 * Red Hat Linux 6.0 all architectures
 * SCO OpenServer Version 5.0.6a and earlier
 * SGI IRIX 6.5-6.5.13
 * Sun Solaris 8 and earlier
 * SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2

There are multiple vulnerabilities in several implementations of the line
printer daemon (lpd), affecting several systems. Some of these problems
have been publicly disclosed previously. However, many system and network
administrators may have overlooked one or more of these vulnerabilities.
This document is issued primarily to encourage system and network
administrators to check their systems for exposure to each of these
vulnerabilities, even if they have addressed some lpd vulnerabilities
recently.

Most of these vulnerabilities are buffer overflows that allow a remote
intruder to gain root privileges on the host running lpd (the daemon runs
as root). For the latest and most detailed information about the known
vulnerabilities, please see the vulnerability notes linked to below.

BSD line printer daemon buffer overflow in displayq()
There is a buffer overflow in several implementations of in.lpd, a BSD
line printer daemon. An intruder can send a specially crafted print job to
the target and then request a display of the print queue (the lpq
operation) to trigger the buffer overflow in displayq(). The intruder may
be able to use this overflow to execute arbitrary commands on the system
with superuser privileges.

The line printer daemon must be enabled and configured in order for an
intruder to exploit this vulnerability. That is a low bar, because lpd is
commonly enabled to provide printing functionality. To exploit the
overflow, the intruder must launch the attack from a host that is listed
in the "/etc/hosts.equiv" or "/etc/hosts.lpd" file of the target system;
see the DNS spoofing vulnerability below for a way around that check.

IBM AIX line printer daemon buffer overflow in kill_print()
A buffer overflow exists in the kill_print() function of the line printer
daemon (lpd) on AIX systems. An intruder could exploit this vulnerability
to obtain root privileges or cause a denial of service (DoS). The intruder
would need to be listed in the victim's /etc/hosts.lpd or /etc/hosts.equiv
file, however, to exploit this vulnerability.

IBM AIX line printer daemon buffer overflow in send_status()
A buffer overflow exists in the send_status() function of the line printer
daemon (lpd) on AIX systems. An intruder could exploit this vulnerability
to obtain root privileges or cause a denial of service (DoS). The intruder
would need to be listed in the victim's /etc/hosts.lpd or /etc/hosts.equiv
file, however, to exploit this vulnerability.

IBM AIX line printer daemon buffer overflow in chk_fhost()
A buffer overflow exists in the chk_fhost() function of the line printer
daemon (lpd) on AIX systems. An intruder could exploit this vulnerability
to obtain root privileges or cause a denial of service (DoS). The intruder
would need control of the DNS server to exploit this vulnerability.

line printer daemon allows options to be passed to sendmail
There is a vulnerability in the line printer daemon that permits an
intruder to pass options to sendmail: data supplied with the print job is
placed unfiltered on the sendmail command line. These options could be
used to specify another configuration file (sendmail's -C option),
allowing an intruder to gain root access.
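Added example, written for this bulletin and not taken from BSD, AIX, Red Hat or any other vendor's lpd: a hardened control-file parser that closes both the displayq()-style fixed-buffer overflow described earlier and the sendmail option injection described just above. The one-letter-tag line format follows the BSD control-file convention ('H' host, 'P' person, 'M' mail-to); FIELD_MAX, struct job and every function name are assumptions made for the illustration, and the two control files in main() are constructed inputs.

```c
/* Added illustrative example, not BSD, AIX or Red Hat lpd source: a
 * control-file parser hardened against a fixed-buffer overflow of a
 * control-file field (the displayq() case) and option injection into the
 * sendmail command line built from the 'M' field. FIELD_MAX, struct job
 * and all function names are invented for this example. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX    32      /* assumed size of the daemon's fixed buffers */
#define LINE_MAX_LEN 255     /* longest control-file line accepted */

struct job {
    char host[FIELD_MAX];    /* 'H' line: submitting host */
    char person[FIELD_MAX];  /* 'P' line: submitting user */
    char mailto[FIELD_MAX];  /* 'M' line: user to notify by mail */
};

/* VULNERABLE pattern, shown for contrast and never fed untrusted input here:
 * strcpy() trusts the sender to keep the value under FIELD_MAX bytes, so a
 * job whose 'H' line is 200 bytes long overflows job->host. */
void copy_field_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened copy: refuse empty values and anything that would not fit. */
static int copy_field_safe(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1); /* n + 1 includes the terminating NUL */
    return 0;
}

/* The 'M' value ends up as an argv element of sendmail. A value that begins
 * with '-' (e.g. "-C/tmp/evil.cf") is parsed by sendmail as an option, here
 * one that selects an attacker-supplied configuration file. Allow only a
 * conservative user-name alphabet and never a leading '-'. */
static int mailto_is_safe(const char *s)
{
    if (*s == '\0' || *s == '-')
        return 0;
    for (; *s != '\0'; s++) {
        int c = (unsigned char)*s;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Parse one control-file line into j. Returns 0 on success, -1 when the
 * value is too long for its field or is unsafe. */
int parse_control_line(struct job *j, const char *line)
{
    const char *val = line + 1;
    switch (line[0]) {
    case 'H': return copy_field_safe(j->host, sizeof j->host, val);
    case 'P': return copy_field_safe(j->person, sizeof j->person, val);
    case 'M':
        if (!mailto_is_safe(val))
            return -1;
        return copy_field_safe(j->mailto, sizeof j->mailto, val);
    default:  return 0;      /* J, L, f, U, N ... are not validated here */
    }
}

/* Parse a whole control file held in memory, stopping at the first bad line
 * so that one oversized or option-like field rejects the entire job. */
int parse_control_file(struct job *j, const char *text)
{
    char line[LINE_MAX_LEN + 1];
    const char *p = text;

    memset(j, 0, sizeof *j);
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == 0 || len > LINE_MAX_LEN)
            return -1;       /* empty or overlong line */
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_control_line(j, line) < 0)
            return -1;
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

int main(void)
{
    struct job j;
    /* Constructed control files: one benign, one smuggling a sendmail option. */
    const char *good = "Hws9.example.com\nPalice\nMalice\nJreport.txt\nldfA001ws9\n";
    const char *bad  = "Hws9.example.com\nPalice\nM-C/tmp/evil.cf\n";
    printf("benign job: %s\n", parse_control_file(&j, good) == 0 ? "accepted" : "rejected");
    printf("job with -C in M line: %s\n", parse_control_file(&j, bad) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The length check belongs at the point the data enters the daemon, not where it is later copied for display; that is what the displayq() bug got wrong. Rejecting a leading '-' is the minimum for the sendmail case; a daemon that must accept arbitrary addresses should instead invoke sendmail with an explicit "--" before the recipient, or not hand user data to a command line at all.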

line printer daemon hostname authentication bypassed with spoofed DNS
A vulnerability exists in the line printer daemon (lpd) shipped with the
printer package for several systems. The hostname check was not thorough
enough: it trusted the name obtained by reverse-resolving the client's IP
address without confirming that the name resolves back to that address. If
a remote user controls the reverse DNS for his or her own address, so that
the address resolves to the hostname of the print server (or of any host
in the access lists), access would be granted when it should not be.
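Added example, not from any vendor's lpd: the forward-confirmed reverse DNS check that the weak hostname authentication above lacks, plus a length cap on the name, since over-long attacker-controlled DNS data is the kind of input the AIX chk_fhost() overflow above is about. The DNS data is a constructed in-memory table standing in for gethostbyaddr() and gethostbyname() so the code runs offline; all addresses, names and function names are invented for the illustration.

```c
/* Added example, not vendor lpd code: forward-confirmed reverse DNS for a
 * host-based access list. PTR[] and A[] are constructed zone data standing
 * in for gethostbyaddr()/gethostbyname(); every name and address is invented. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define NAME_MAX_LEN 255     /* DNS name limit; anything longer is hostile */

struct ptr_rec { const char *ip;   const char *name; };  /* reverse zone */
struct a_rec   { const char *name; const char *ip;   };  /* forward zone */

/* 10.0.0.5 is the real print server. 192.0.2.66 is the attacker, who controls
 * the reverse zone for that address and points it at the print server's name.
 * multi.example.com is multi-homed, so a forward lookup returns two addresses. */
static const struct ptr_rec PTR[] = {
    { "10.0.0.5",   "printserver.example.com" },
    { "10.0.0.9",   "ws9.example.com" },
    { "10.0.0.21",  "multi.example.com" },
    { "192.0.2.66", "printserver.example.com" },   /* spoofed PTR record */
};
static const struct a_rec A[] = {
    { "printserver.example.com", "10.0.0.5" },
    { "ws9.example.com",         "10.0.0.9" },
    { "multi.example.com",       "10.0.0.20" },
    { "multi.example.com",       "10.0.0.21" },
};

/* Stand-in for gethostbyaddr(): the PTR name for an address, or NULL. */
static const char *reverse_lookup(const char *ip)
{
    size_t i;
    for (i = 0; i < sizeof PTR / sizeof PTR[0]; i++)
        if (strcmp(PTR[i].ip, ip) == 0)
            return PTR[i].name;
    return NULL;
}

/* Stand-in for gethostbyname(): does name have an A record equal to ip?
 * Walks every record because a multi-homed host has several. */
static int forward_has(const char *name, const char *ip)
{
    size_t i;
    for (i = 0; i < sizeof A / sizeof A[0]; i++)
        if (strcasecmp(A[i].name, name) == 0 && strcmp(A[i].ip, ip) == 0)
            return 1;
    return 0;
}

/* Weak check, the shape of the vulnerable code: trust whatever the PTR
 * record says and compare it with the hosts.lpd/hosts.equiv entry. */
int authorized_ptr_only(const char *client_ip, const char *allowed_host)
{
    const char *name = reverse_lookup(client_ip);
    return name != NULL && strcasecmp(name, allowed_host) == 0;
}

/* Hardened check: the PTR name must be sane in length, must resolve forward
 * to the very address that connected, and only then is compared with the
 * access list. DNS names are case-insensitive, hence strcasecmp(). */
int authorized_fcrdns(const char *client_ip, const char *allowed_host)
{
    const char *name = reverse_lookup(client_ip);
    if (name == NULL || strlen(name) > NAME_MAX_LEN)
        return 0;
    if (!forward_has(name, client_ip))
        return 0;            /* PTR not confirmed by the forward lookup */
    return strcasecmp(name, allowed_host) == 0;
}

int main(void)
{
    const char *allowed = "printserver.example.com";  /* one hosts.lpd entry */
    printf("attacker 192.0.2.66, PTR-only check: %s\n",
           authorized_ptr_only("192.0.2.66", allowed) ? "ALLOWED" : "denied");
    printf("attacker 192.0.2.66, FCrDNS check:   %s\n",
           authorized_fcrdns("192.0.2.66", allowed) ? "ALLOWED" : "denied");
    printf("real server 10.0.0.5, FCrDNS check:  %s\n",
           authorized_fcrdns("10.0.0.5", allowed) ? "ALLOWED" : "denied");
    return 0;
}
```

Comparing by address (resolving each hosts.lpd entry to its addresses at check time and matching the connecting address against them) is stronger still, because the reverse zone is under the client network's control; the forward confirmation shown here is the minimum that defeats the spoof described above.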

Hewlett-Packard HP-UX line printer daemon buffer overflow
A buffer overflow exists in HP-UX's line printer daemon (rlpdaemon) that
may allow an intruder to execute arbitrary code with superuser privilege
on the target system. The rlpdaemon is installed by default and is active
even if it is not being used. An intruder does not need any prior
knowledge, or privileges on the target system, in order to exploit this
vulnerability.

Impact:
All of these vulnerabilities can be exploited remotely. In most cases,
they allow an intruder to execute arbitrary code with the privileges of
the lpd server. In some cases, an intruder must have access to a machine
listed in /etc/hosts.equiv or /etc/hosts.lpd, and in some cases, an
intruder must be able to control a name server.

One vulnerability (line printer daemon allows options to be passed to
sendmail) lets an intruder specify options to sendmail that can be used to
execute arbitrary commands. Ordinarily, this vulnerability is only
exploitable from machines that are authorized to use the lpd server.
However, in conjunction with another vulnerability (line printer daemon
hostname authentication bypassed with spoofed DNS), which lets intruders
gain access to the lpd service, it can be used by intruders not normally
authorized to use the lpd service.

For specific information about the impacts of each of these
vulnerabilities, please consult the CERT Vulnerability Notes Database
(http://www.kb.cert.org/vuls).

Solution:
Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As
vendors report new information to the CERT/CC, we will update this section
and note the changes in our revision history. If a particular vendor is
not listed below, we have not received their comments. Please contact your
vendor directly.

The CERT advisory also carries a table giving each vendor's status with
regard to each vulnerability; that table is not reproduced in this
bulletin, so consult Appendix A below and the CERT Vulnerability Notes
Database (http://www.kb.cert.org/vuls) for specifics. Be aware that vendors
produce multiple products; if a vendor is listed, not all of its products
may be affected. If a vendor is not listed, its status should be
considered unknown.

Restrict access to the lpd service
As a general practice, we recommend disabling all services that are not
explicitly required. You may wish to disable the line printer daemon if
there is not a patch available from your vendor.

If you cannot disable the service, you can limit your exposure to these
vulnerabilities by using a router or firewall to restrict access to port
515/TCP (printer). Note that this does not protect you against attackers
from within your network; for those, keep /etc/hosts.lpd and
/etc/hosts.equiv down to the hosts that actually need to print, and bear
in mind that until the DNS spoofing vulnerability above is patched, an
attacker who controls reverse DNS for his own address can impersonate a
listed host.

Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, we have not received their comments.

Apple Computer, Inc.
Mac OS X does not have the line printer daemon vulnerability issues
described in these advisories.

Berkeley Software Design, Inc. (BSDI)
Some (older) versions are affected. The current (BSD/OS 4.2) release is
not vulnerable. Systems are only vulnerable to attack from hosts that are
allowed via the /etc/hosts.lpd file (which is empty as shipped).

BSD/OS 4.1 is the only vulnerable version that is still officially
supported by Wind River Systems. A patch (M410-044) is available in the
normal locations, ftp://ftp.bsdi.com/bsdi/patches, or via their web site at
http://www.bsdi.com/support

Compaq
Compaq has not been able to reproduce the problems identified in this
advisory for TRU64 UNIX. Compaq will continue testing and address the LPD
issues if a problem is discovered and provide patches as necessary.

Cray
Cray, Inc. has been unable to prove an lpd vulnerability. However, it was
deemed that a buffer overflow may be possible, and so the code was
tightened up. See Cray SPR 721101 for more details.

Debian
 http://www.debian.org/security/2000/20000109

FreeBSD, Inc.
 
 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A58.lpd.asc

Hewlett-Packard Company
Hewlett-Packard has released HPSBUX0108-163 "Sec. Vulnerability in
rlpdaemon". The bulletin and patches are available from http://itrc.hp.com;
details on accessing http://itrc.hp.com are included in the last half of
any HP bulletin.

IBM Corporation
 
 http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256ac7005cf00a/$FILE/oar391.txt

Mandrake Software
 http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-054.php3

NetBSD
If lpd has been enabled, this issue affects NetBSD versions 1.5.2 and
prior releases, and NetBSD-current prior to August 30, 2001. lpd is
disabled by default in NetBSD installations.
 
Detailed information will be released subsequent to the publication of
this CERT advisory.
 
An up-to-date PGP signed copy of the release will be maintained at
 
 ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc
 
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG and http://www.NetBSD.ORG/Security/.

OpenBSD
 http://www.openbsd.org/errata29.html#lpd

RedHat Inc.
 http://www.redhat.com/support/errata/RHSA2000002-01.6.0.html

Santa Cruz Operation, Inc. (SCO)
 ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.20/

SGI
 ftp://patches.sgi.com/support/free/security/advisories/20011003-01-P

SuSE
 
 http://lists2.suse.com/archive/suse-security-announce/2001-Oct/0000.html

ADDITIONAL INFORMATION

The information has been provided by CERT Advisory (cert-advisory@cert.org).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


