TUCoPS :: Unix :: General :: ciach008.txt

Lpr Buffer Overrun Vulnerability


             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                        lpr Buffer Overrun Vulnerability

November 26, 1996 23:00 GMT                                        Number H-08
______________________________________________________________________________
PROBLEM:       Insufficient bounds checking on arguments makes it possible to
               overwrite the internal stack space of the lpr program.
PLATFORM:      The vulnerability exists in the BSD based lpr printing package
               found on a variety of Unix platforms.
DAMAGE:        Local users may gain root privileges.
SOLUTION:      Install vendor patches as recommended below. If vendor patches
               are unavailable, CIAC recommends that you install the lpr
               wrapper provided by AUSCERT.
______________________________________________________________________________
VULNERABILITY  Exploit information involving this vulnerability has been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Start AUSCERT Advisory ]

===========================================================================
AA-96.12                        AUSCERT Advisory
                        lpr buffer overrun vulnerability
                                26 November 1996

Last Revised: 26 November 1996 
                 Minor change to comments in lpr_wrapper program.

----------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the BSD
based printing software, lpr, available on a variety of Unix platforms.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made 
publicly available.

AUSCERT recommends that sites take the steps outlined in section 3
as soon as possible.
----------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    BSD based lpr printing package found on many Unix systems.  

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    lpr program while it is executing.  This can allow an intruder to
    cause lpr to execute arbitrary commands by supplying a carefully
    designed argument to lpr.  These commands will be run with the
    privileges of the lpr program.  When lpr is installed setuid or setgid,
    it may allow intruders to gain those privileges.

    When lpr is setuid root it may allow intruders to run arbitrary
    commands with root privileges.

    This vulnerability is currently known to affect versions of lpr
    distributed with:

	BSD/OS
	FreeBSD 2.x
	Linux

    More details may be found in Section 3.1.  Other platforms using the
    BSD based lpr systems, in which lpr is installed setuid or setgid,
    may also be vulnerable.

    This advisory will be updated as more information becomes available.

    Note that the vulnerability described in this advisory is not present
    in the LPRng printing package.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    The lpr printing package is available on many different systems.
    As vendor patches are made available sites are encouraged to
    install them (Section 3.1).  Until vendor patches are available, AUSCERT
    recommends that sites apply the workaround given in Section 3.2.

3.1 Install vendor patches

    Specific vendor information has been placed in Appendix A.  If the
    BSD based lpr printing software is used and your vendor is not listed
    in Appendix A, AUSCERT recommends that sites contact vendors directly
    for more information.

    If vendor patches are not currently available, vulnerable sites are 
    encouraged to apply the workaround given in Section 3.2.

3.2 Install lpr wrapper

    AUSCERT has developed a wrapper to help prevent lpr being exploited
    using this vulnerability.  This wrapper, including installation
    instructions, can be found in Appendix B.

    AUSCERT recommends that until vendor patches can be installed,
    sites apply this workaround.

-----------------------------------------------------------------------------
Appendix A  Vendor information

The following information regarding this vulnerability for specific vendor
versions of lpr has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.

BSD/OS
------

BSDI have issued a patch which addresses this vulnerability under
BSD/OS 2.1.  This patch is available from:

	ftp://ftp.bsdi.com/pub/bsdi/patches/patches-2.1/U210-028

FreeBSD 
-------

The FreeBSD security team have released an advisory describing this
vulnerability and patch information for FreeBSD 2.x.  This advisory
(SA-96.18) is available from:

	ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:18.lpr.asc

Patches can be found in the directory:

        ftp://freebsd.org/pub/CERT/patches/SA-96:18

IBM Corporation
---------------

  AIX is not vulnerable to the lpr buffer overflow.  The version of lpr
  shipped with AIX is not installed with the setuid bit turned on.

 
  IBM and AIX are registered trademarks of International Business Machines
  Corporation.

Linux
-----

The Linux Emergency Response Team have released a Linux Security FAQ
Update which addresses this vulnerability.  This Update contains 
information regarding various Linux distributions.  It is available
from:

        ftp://bach.cis.temple.edu/pub/Linux/Security/FAQ/updates/
                   Update-11-25-1996.vulnerability-lpr-0.06-v1.2

---------------------------------------------------------------------------
Appendix B  lpr wrapper

/*
 * lpr_wrapper.c -- wrap lpr to prevent a command line buffer overrun
 *
 * 	This wrapper is part of AUSCERT Advisory AA-96.12.  The latest
 *	version of this advisory is available from:
 *	
 *	ftp://ftp.auscert.org.au/pub/auscert/advisory/
 *				AA-96.12.lpr.buffer.overrun.vul
 *
 *	This program is designed to be an interim relief measure 
 *	until official vendor patches are made available.
 *
 *
 * Author:	AUSCERT
 *		Prentice Centre
 *		The University of Queensland
 *		Qld.  4072.
 *		Australia.
 *
 *		auscert@auscert.org.au
 *
 * DISCLAIMER:	The use of this program is at your own risk.  It is
 *              designed to combat a particular vulnerability, and may
 *              not combat other vulnerabilities, either past or future.
 *              The decision to use this program is yours, as are the
 *              consequences of its use.
 *
 *              This program is designed to be an interim relief measure
 *              until appropriate patches can be obtained from your vendor.
 *
 *
 * Installation instructions
 * ~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 *  1.	su to root
 *
 *  2.	Determine the location of lpr.  On FreeBSD and Linux systems it
 *	is located in /usr/bin/.   For example purposes only, /usr/bin/ 
 *      will be used in following instructions for the location of lpr.
 *
 *  3.  Determine the permissions, owner, and group of lpr.  This
 *      information will be used later.  For example:
 *
 *              # ls -lg /usr/bin/lpr
 *
 *      If lpr does not have setuid or setgid permissions, the installation
 *	of this wrapper program is not necessary.  The version of lpr
 *	in this case does not contain the vulnerability described in
 *	this advisory.
 *
 *  4.	Copy the real lpr program to lpr.real, and then change the
 *	permissions on it.
 *
 *		# cd /usr/bin
 *		# cp lpr lpr.real
 *		# chmod 711 lpr.real
 *
 *  5.  Edit this wrapper program and define REAL_LPR.  By default,
 *      REAL_LPR is defined as "/usr/bin/lpr.real".   This should be
 *	an absolute pathname.
 *
 *  6.  Compile this program in a directory other than /usr/bin.
 *      For example to use /usr/local/src, first copy this file into 
 *      /usr/local/src.
 *
 *              # cd /usr/local/src
 *              # cc -o lpr lpr_wrapper.c
 *
 *	If you wish error messages to be logged by syslog when
 *	arguments that may exploit the buffer overrun vulnerability 
 * 	are passed to lpr, add -DSYSLOG to the compile time options.
 *
 *		# cc -DSYSLOG -o lpr lpr_wrapper.c
 *
 *  7.  Copy this new wrapper program into the directory originally
 *	containing lpr.  This will replace the existing lpr program.
 *
 *      Make sure this directory and its parent directories are protected so
 *      only root is able to make changes to files in the directory.
 *
 *      Use the information found in step #3 and set the same 
 *      owner, group, permissions and privileges on the new lpr program.  
 *
 *	For example:
 *
 *		# cp lpr /usr/bin
 *		# cd /usr/bin
 *		# chown root lpr
 *		# chgrp daemon lpr
 *		# chmod 6711 lpr
 *
 *      Check that the owner, group, permissions and privileges exactly
 *      match those noted in step #3.
 *
 *              # ls -lg /usr/bin/lpr
 *
 *      Users will not be able to print during the time when the
 *      wrapper is copied into place until the chmod command has been
 *	executed.
 *
 * 8.	Check that printing still works!
 *
 */

static char     Version[] = "lpr_wrapper V1.0 26-Nov-1996";


#include <stdio.h>
#include <syslog.h>

/*
 * Make sure REAL_LPR points to the location you copied lpr to in 
 * step #4.
 */

#define REAL_LPR "/usr/bin/lpr.real"

main(argc,argv,envp)
int 	argc;
char	*argv[];
char	*envp[];
{
	int	ct;
	
	for (ct=1;ct<argc;ct++)
	{
		if (strlen(argv[ct]) > BUFSIZ)
		{
			fprintf(stderr,"You have exceeded the argument length ...Exiting\n");
#ifdef SYSLOG
			syslog(LOG_ERR,"Possible lpr buffer overrun attack by uid %d\n",getuid());
#endif

			exit(1);
		}
	}
	execve(REAL_LPR,argv,envp);
	perror("execve lpr failed");
}

----------------------------------------------------------------------------
AUSCERT thanks Alexander O. Yuriev, the FreeBSD security team, IBM, and the
CERT/CC for their assistance in the production of this advisory.
----------------------------------------------------------------------------

[ End AUSCERT Advisory ]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of AUSCERT and others for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-45: Vulnerability in HP VUE
G-46: Vulnerabilities in Transarc DCE and DFS
G-47: Unix FLEXlm Vulnerabilities
G-48: TCP SYN Flooding and IP Spoofing Attacks
H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions
H-03: HP-UX_suid_Vulnerabilities
H-04: HP-UX  Ping Vulnerability
H-05: Internet Hoaxes
H-07: Sendmail SIGHUP-smtpd Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH