[VulnWatch] NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability

From: NSFCOSU Security Team (security@nsfocus.com)
Date: 03/31/03

  • Next message: NSFCOSU Security Team: "[VulnWatch] NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability"
    From: NSFCOSU Security Team <security@nsfocus.com>
    To: bugtraq@securityfocus.com
    Date: Mon, 31 Mar 2003 18:07:24 +0800
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    NSFOCUS Security Advisory(SA2003-02)

    Topic: Solaris lpq Stack Buffer Overflow Vulnerability

    Release Date: 2003-3-31

    CVE CAN ID: CAN-2003-0091

    Affected system:
    ===================

    Sun Solaris 2.5.1 (SPARC/x86)
    Sun Solaris 2.6 (SPARC/x86)
    Sun Solaris 7 (SPARC/x86)
                                                                   
    Summary:
    =========

    NSFOCUS Security Team has found a buffer overflow vulnerability in lpq, an
    application in Sun Solaris system. Exploiting the vulnerability local
    attackers could gain root privilege.

    Description:
    ============

    lpq, which is used to display the contents in printing queue, is a command
    in SunOS/BSD compatible package.By default suid root bit is set to it.
    Because valid bound check has not been implemented when handling the data
    provided by users, attackers could cause a fixed stack buffer to overflow.
    By carefully crafting overflow data attackers could run arbitrary code with
    root privilege.

    Actually /usr/ucb/lpq is a symbol link to /usr/bin/lpstat. lpstat will
    operate according to the program names during the calling. If "lpq", it will
    operate in BSD style, or it will operate in System V style. The bsd_queue()
    function in lpq will call strcat() to copy the data provided by users to a
    buffer the size of which is fixed. Because the length of the copied data has
    not been checked, if an attacker provides a over-long string, he/she will
    cause a stack buffer overflow. By overwriting the returning addresses and other
    data in the stack, local attackers could gain root privilege.

    Solaris 8/9 uses strlcat() to implement string copy, so it avoids buffer
    overflow and therefore is not vulnerable to the issue.

    Workaround:
    =============

     NSFOCUS suggests to disable suid root attribute of lpstat(lpq) temporarily:
     # chmod a-s /usr/bin/lpstat

    Vendor Status:
    ==============

    2002-12-11 Informed the vendor.
    2002-12-13 The vendor confirmed the vulnerability.
    2003-03-31 The vendor released a Sun Alert and patches for this issue.

    The Sun Alert is available at:
    http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/52443

    The patches are:

    Solaris 2.6 106235-12
    Solaris 2.6_x86 106236-12
    Solaris 7 107115-12
    Solaris 7_x86 107116-12

    Additional Information:
    ========================

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2003-0091 to this issue. This is a candidate for inclusion in the
    CVE list (http://cve.mitre.org), which standardizes names for security
    problems. Candidates may change significantly before they become official
    CVE entries.

    DISCLAIMS:
    ==========
    THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
    OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
    EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
    BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
    INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
    EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
    ADVISORY IS NOT MODIFIED IN ANY WAY.

    Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.

    NSFOCUS Security Team <security@nsfocus.com>
    NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
    (http://www.nsfocus.com)

    PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
    Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE+iBNs1794d8am9toRArQpAKCPmoXrsyInS1pQgfYTuYtkR2XvswCfTjvL
    VAzI4QN1JWJvITsvlI5heA8=
    =erIs
    -----END PGP SIGNATURE-----


  • Next message: NSFCOSU Security Team: "[VulnWatch] NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability"

    Relevant Pages