
BSD Lpr Vulnerability In SGI Irix

               _____________________________________________________
                          The U.S. Department of Energy
                       Computer Incident Advisory Capability
                              ___  __ __    _     ___
                             /       |     /_\   /   
                             \___  __|__  /   \  \___
               _____________________________________________________

                               INFORMATION BULLETIN

                        BSD lpr Vulnerability in SGI IRIX


May 19, 1994 1600 PDT                                             Number E-25a
______________________________________________________________________________
Corrections to E-25:   untar command; IRIX 4.0 lpr.latest.Z sum_checksum.
______________________________________________________________________________

PROBLEM:        The optional print subsystem BSD lpr can be used to
                create or overwrite any file on the system.
PLATFORM:       SGI workstations running the following operating system
                versions: IRIX 5.0, 5.0.1, 5.1.x, 5.2, and 4.0.5 (all versions).
DAMAGE:         Any user with lpr(1) access may gain root privilege.
SOLUTION:       Install new lpr spooler system available from SGI.
______________________________________________________________________________

VULNERABILITY   Notices of this vulnerability along with a script to exploit
ASSESSMENT:     it have been widely distributed on the Internet.  CIAC and SGI
                recommend sites install the appropriate fix immediately.
______________________________________________________________________________

        Critical Information about BSD lpr Vulnerabilities in SGI IRIX

CIAC has learned of a vulnerability in the BSD lpr spooling system.  This
optionally installed subsystem for all SGI platforms allows interoperability
with other BSD lpr systems, such as SunOS, DEC Ultrix, and Novell.  Many SGI
systems replace the standard AT&T System V lp and lpsched print spooler with
the optional BSD subsystem (eoe2.sw.bsdlpr).

This vulnerability affects all SGI workstations running IRIX 5.0, 5.0.1,
5.1.x, 5.2 and 4.0.5 (all versions).  A command-line flag lets an ordinary user
place a symbolic link in the lpd spool directory.  Spool filenames repeat, so
after a sufficient number of invocations lpr reuses a name that still belongs
to the user's earlier link; because lpr runs with privilege, it follows the
link and creates or overwrites whatever file the link points to.  Since the
link can point at any file on the system, any user with lpr(1) access can
obtain root privilege.
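The mechanism above, modelled as an added example (illustrative code written for
this bulletin, not SGI's lpr source): a spool name is opened create-or-truncate
style, so a symlink planted under that name by an earlier job is followed and
its target overwritten, whereas a hardened open refuses both an already-existing
name and a symlink.  The scratch directory, the spool filename cfA123spoolhost
and the "victim" target file are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a spool file the way a careless spooler does: create-or-truncate by name.
   If an earlier job left a symlink under this name, open() follows the link and
   the target (any file the privileged spooler may write) is truncated. */
int open_spool_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant: the name must not already exist (O_EXCL), a symlink is
   never followed (O_NOFOLLOW), and the object actually opened must be a plain
   file with a single link, checked on the descriptor rather than by name. */
int open_spool_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

static int read_small(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0)
        return -1;
    buf[got] = '\0';
    return (int)got;
}

/* Stage the scenario in a scratch directory.  Returns a bitmask:
   bit 0: the unsafe open wrote through the planted link and clobbered the target
   bit 1: the safe open refused the planted link
   (-1 if the scratch directory could not be set up). */
int spool_symlink_demo(void)
{
    char dir[64];
    strcpy(dir, "/tmp/spooldemo.XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "spooldemo.XXXXXX");          /* fall back to the cwd */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char target[256], spool[256], buf[64];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(spool, sizeof spool, "%s/cfA123spoolhost", dir);

    /* The file the attacker wants to overwrite (stands in for a root-owned file). */
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8)
        return -1;
    close(fd);

    /* The link a previous lpr invocation left behind in the spool directory. */
    if (symlink(target, spool) != 0)
        return -1;

    int result = 0;
    fd = open_spool_unsafe(spool);
    if (fd >= 0) {
        if (write(fd, "attacker", 8) != 8)
            result = -1;
        close(fd);
    }
    if (read_small(target, buf, sizeof buf) == 8 && strcmp(buf, "attacker") == 0)
        result |= 1;

    if (open_spool_safe(spool) < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;

    unlink(spool);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = spool_symlink_demo();
    printf("unsafe open clobbered target: %s\n", (r & 1) ? "yes" : "no");
    printf("safe open refused link:       %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The hardened open is only as good as the spool directory's permissions: if
ordinary users can still create names there, O_EXCL turns the attack into a
denial of service (the job fails) rather than a root compromise, which is the
intended outcome.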

SGI has produced corrected versions of the lpr software which may be obtained
from your SGI service/support provider or via anonymous FTP from ftp.sgi.com
(192.48.153.1).  Transfer in BINARY mode, as follows: 

       for IRIX 5.*.* systems: ~ftp/sgi/IRIX5.0/lpr/lpr.latest.Z    
       for IRIX 4.0.5 systems: ~ftp/sgi/IRIX4.0/lpr/lpr.latest.Z

Decompress and unpack the archive with "zcat lpr.latest.Z | tar -xvf -", then  |
check the archive and the extracted files with "sum -r lpr*" and md5; the
results should match the following:

IRIX 5.*.*       bytes  sum_r  blocks  md5_checksum
lpr.latest.Z     22331  61762     44   3a215a1f9b336cc4f76ca3e7a6b9bdcc
lpr.new          41120  22489     81   6f55d6a7620ca5c4188230a3b4dd50be
lpr.new.install   1575  63777      4   be021e98c346a3d49c27f00e43ca87ef

IRIX 4.0.5       bytes  sum_r  blocks  md5_checksum
lpr.latest.Z     87469  03015    171   d40c8c84e219045e56297cd36e6a77d5       |
lpr.new         171016  21563    335   641f6ca953c8163d9085f99114df5289
lpr.new.install   1575  63777      4   be021e98c346a3d49c27f00e43ca87ef

Note: md5 checksum utility is available via anonymous FTP from CIAC's
server irbis.llnl.gov (soon to be renamed ciac.llnl.gov) as md5.tar in
directory /pub/util/crypto.
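For sites without a "sum -r", the following added example (written for this
bulletin, not an SGI or CIAC tool) reproduces the two numbers that follow the
byte count in the tables above: the 16-bit rotate-and-add checksum that "sum -r"
prints, and the block count.  The 512-byte block size is inferred from the
table's own values (1575 bytes gives 4 blocks); MD5 is left to the md5 utility
named above.  The scratch file name sumr_demo.tmp is constructed for the
self-check.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Continue the "sum -r" checksum from a running value over one chunk of data. */
unsigned sum_r_update(unsigned sum, const unsigned char *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (sum & 1)
            sum |= 0x10000;                        /* rotate low bit round to bit 15 */
        sum = ((sum >> 1) + data[i]) & 0xffff;     /* then add the byte, mod 2^16 */
    }
    return sum;
}

/* First number of the sum_checksum column for a complete buffer. */
unsigned sum_r_checksum(const unsigned char *data, size_t len)
{
    return sum_r_update(0, data, len);
}

/* Second number: 512-byte blocks, rounded up (1575 bytes -> 4, as in the table). */
unsigned sum_r_blocks(size_t len)
{
    return (unsigned)((len + 511) / 512);
}

/* Read a whole file and compare size, checksum and block count with the expected
   values.  Returns 1 on a match, 0 on a mismatch, -1 if the file is unreadable. */
int verify_sum_r(const char *path, size_t expect_bytes, unsigned expect_sum,
                 unsigned expect_blocks)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    unsigned char buf[4096];
    unsigned sum = 0;
    size_t total = 0, n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) {
        sum = sum_r_update(sum, buf, n);
        total += n;
    }
    fclose(f);
    return (total == expect_bytes && sum == expect_sum &&
            sum_r_blocks(total) == expect_blocks) ? 1 : 0;
}

/* Self-check on a constructed two-byte file: "sum -r" of "AB" is 32866, 1 block.
   Also confirms that a wrong checksum is rejected. */
int verify_sum_r_demo(void)
{
    const char *path = "sumr_demo.tmp";
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    fputs("AB", f);
    fclose(f);
    int ok  = verify_sum_r(path, 2, 32866, 1);
    int bad = verify_sum_r(path, 2, 32867, 1);
    remove(path);
    return (ok == 1 && bad == 0) ? 1 : 0;
}

/* Usage: sumr FILE BYTES SUM BLOCKS   e.g.  sumr lpr.latest.Z 22331 61762 44 */
int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s FILE BYTES SUM BLOCKS\n", argv[0]);
        return 2;
    }
    int r = verify_sum_r(argv[1], strtoul(argv[2], NULL, 10),
                         (unsigned)strtoul(argv[3], NULL, 10),
                         (unsigned)strtoul(argv[4], NULL, 10));
    printf("%s: %s\n", argv[1], r == 1 ? "OK" : r == 0 ? "MISMATCH" : "unreadable");
    return r == 1 ? 0 : 1;
}
```

A matching sum -r proves only that the transfer was not corrupted; the 16-bit
checksum is trivially forgeable, so the MD5 column is the one to rely on for
integrity against tampering.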
______________________________________________________________________________

CIAC thanks Miguel J. Sanchez and Jay McCauley of Silicon Graphics Inc. and
David S. Brown of Lawrence Livermore National Laboratory for the information
provided in this bulletin.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products. 

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines.  To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName", "FirstName" and
"PhoneNumber":

E-mail to ciac-listproc@llnl.gov:
          subscribe list-name  LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California.  The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.
