CERT^® Advisory CA-2001-15 Buffer Overflow In Sun Solaris in.lpd Print Daemon

A complete revision history can be found at the end of this file.

Systems Affected

A buffer overflow exists in the Solaris BSD-style line printer daemon, in.lpd, that may allow a remote intruder to execute arbitrary code with the privileges of the running daemon. This daemon runs with root privileges on all default installations of vulnerable Solaris systems listed above.

I. Description

The Solaris in.lpd provides BSD-style services for remote users to interact with a local printer, listening for remote requests on port 515/tcp (printer). There is an unchecked buffer in the part of the code responsible for transferring print jobs from one machine to another. If given too many jobs to work on at once, the printer daemon may crash or allow arbitrary code to be executed with elevated privileges on the victim system.

This problem was discovered by the ISS X-Force who have released an advisory:

http://xforce.iss.net/alerts/advise80.php

Although the CERT/CC has not received any reports of this vulnerability being successfully exploited, we do strongly encourage all affected system adminsitrators to take one or more of the recommended actions in III. Solution. Such actions have proven effective at minimizing the likelihood of being successfully attacked using vulnerabilities similar to this one.

A remote intruder may be able to execute arbitrary code with the privileges in the running daemon (typically root). In addition, a remote intruder may be able to crash vulnerable printer daemons.

III. Solution

The following patches are available in relation to the above problem.

    OS Version               Patch ID
    __________               _________
    SunOS 5.8                109320-04
    SunOS 5.8_x86            109321-04
    SunOS 5.7                107115-09
    SunOS 5.7_x86            107116-09
    SunOS 5.6                106235-09
    SunOS 5.6_x86            106236-09

http://sunsolve.sun.com/securitypatch

The in.lpd daemon was not available prior to Solaris 2.6.

These patches resolve Sun problem report 4446925 *in.lpd* contains a remote exploitable overflow.

The complete signed text of Sun Security Bulletin #206 may be found at:

Sun Information for VU#484011

Implement a workaround

A number of different workaround strategies have been suggested for dealing with this problem until patches can be applied:

• Disable the print service in /etc/inetd.conf if remote print job handling is unnecessary; see the ISS X-Force advisory for step-by-step details if needed
• Enable the noexec_user_stack tunable (although this does not provide 100 percent protection against exploitation of this vulnerability, it makes the likelihood of a successful exploit much smaller). Add the following lines to the /etc/system file and reboot:

   set noexec_user_stack = 1
   set noexec_user_stack_log = 1
  

• Block access to network port 515/tcp (printer) at all appropriate network perimeters
• Deploy tcpwrappers, also available in the tcpd-7.6 package at:
   

  http://www.sun.com/solaris/freeware.html#cd

1. CVE Name: CAN-2001-0353
2. https://www.kb.cert.org/vuls/id/484011
   
3. http://xforce.iss.net/alerts/advise80.php
   
4. http://www.securityfocus.com/bid/2894
   
5. http://www.sun.com/security
6. http://www.sunfreeware.com/notes.html#tcp_wrappers
7. http://www.sun.com/solaris/freeware.html#cd
8. http://www.sun.com/software/solutions/blueprints/0601/jass_quick_start-v03.html
9. Sun Security Bulletin Archive

The CERT Coordination Center thanks Sun Microsystems for contributing to the creation of this advisory.

This document was written by Jeffrey S. Havrilla. If you have feedback concerning this document, please send email to:

mailto:cert@cert.org?Subject=[VU#484011] Feedback CA-2001-15

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 2001 Carnegie Mellon University.

Revision History

Jun 29, 2001:  Initial release
Jul 02, 2001:	Fixed broken link to vulnerability note
Aug 31, 2001:	Updated with patch information from Sun Security Bulletin #206