***********************************************************************
DDN Security Bulletin 9110 DCA DDN Defense Communications System
23 July 91 Published by: DDN Security Coordination Center
(SCC@NIC.DDN.MIL) (800) 235-3155
DEFENSE DATA NETWORK
SECURITY BULLETIN
The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DCA contract as a means of communicating
information on network and host security exposures, fixes, & concerns
to security & management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.67.67.20]
using login="anonymous" and password="guest". The bulletin pathname is
SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001).
**********************************************************************
Patch for SunOS /usr/lib/lpd
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Communications Agency's Security Coordination !
! Center distribution system as a means of providing DDN !
! subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
CA-91:10 CERT Advisory
July 15, 1991
Patch for SunOS /usr/lib/lpd
---------------------------------------------------------------------------
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning the availability of a security patch
for /usr/lib/lpd in Sun Microsystems, Inc. operating systems. This
problem will be fixed in SunOS 5.0. Patches are available for SunOS 4.0.3,
SunOS 4.1, and SunOS 4.1.1 through your local Sun answer centers worldwide
as well as through anonymous ftp to ftp.uu.net (in ~ftp/sun-dist).
Patch ID and file information are as follows:
Fix Patch ID Filename Checksum
/usr/lib/lpd 100305-03 100305-03.tar.Z 58052 380
Please note that Sun Microsystems sometimes updates patch files. If
you find that the checksum is different please contact Sun Microsystems
or us for verification.
---------------------------------------------------------------------------
I. DESCRIPTION:
A security vulnerability exists in /usr/lib/lpd in all
existing versions of SunOS that allows an unprivileged user
to delete any system files.
II. IMPACT:
Any user logged into the system can delete files that they do
not own.
III. SOLUTION:
Install the new version of lpd. You may want to alert
users in advance that printer service will be disrupted.
Then, before installing the patch, drain the print queues.
This is generally done using the lpc command. Later,
after the patch is installed, printer queues can be
re-enabled.
As root:
1. Kill the currently running lpd process. Kill -INT
will allow the running lpd to do necessary clean-up.
# ps -ax | grep lpd
# kill -INT {process id of lpd found in the above command}
2. Move the current version aside and change the file mode
of the old version to prevent misuse.
# mv /usr/lib/lpd /usr/lib/lpd.OLD
# chmod 100 /usr/lib/lpd.OLD
3. Install the new version of lpd
# cp sun{3,3x,4,4c.386i}/{4.1,4.1.1}/lpd /usr/lib/lpd
# chown root.daemon /usr/lib/lpd
# chmod 6711 /usr/lib/lpd
4. Set up devices (note: new device name /dev/lpd/printer) to
work with new lpd. Create a link, /dev/printer, for
compatibility purposes.
# rm -f /dev/printer
# mkdir /dev/lpd
# chown root.daemon /dev/lpd
# chmod 710 /dev/lpd
# ln -s /dev/lpd/printer /dev/printer
5. Modify line printer program protections
# chmod 6711 /usr/ucb/lpr
# chmod 6711 /usr/ucb/lpq
# chmod 6711 /usr/ucb/lprm
# chmod 2711 /usr/etc/lpc
6. Restart lpd
# /usr/lib/lpd
7. Edit /etc/rc or /etc/rc.local file and change the line that removes
the /dev/printer file upon system startup. It should reflect
the change in location from /dev/printer to /dev/lpd/printer.
Original:
if [ -f /usr/lib/lpd ]; then
rm -f /dev/printer /var/spool/lpd.lock
Change to:
if [ -f /usr/lib/lpd ]; then
rm -f /dev/lpd/printer /var/spool/lpd.lock
^^^^
NEW
The results should look like:
if [ -f /usr/lib/lpd ]; then
rm -f /dev/lpd/printer /var/spool/lpd.lock
/usr/lib/lpd; echo -n ' printer'
fi
---------------------------------------------------------------------------
If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline:
CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,
on call for emergencies during other hours.
Past advisories and other computer security related information are available
for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
