CERT Advisory CA-2001-15 Buffer Overflow In Sun Solaris in.lpd Print Daemon

   Original release date: June 29, 2001
   Last revised: August 31, 2001
   Source: CERT/CC
   
   A complete revision history can be found at the end of this file.
   
Systems Affected

     * Solaris 2.6 for SPARC
     * Solaris 2.6 x86
     * Solaris 7 for SPARC
     * Solaris 7 x86
     * Solaris 8 for SPARC
     * Solaris 8 x86
       
Overview

   A buffer overflow exists in the Solaris BSD-style line printer daemon,
   in.lpd, that may allow a remote intruder to execute arbitrary code
   with the privileges of the running daemon. This daemon runs with root
   privileges on all default installations of vulnerable Solaris systems
   listed above.
   
I. Description

   The Solaris in.lpd provides BSD-style services for remote users to
   interact with a local printer, listening for remote requests on port
   515/tcp (printer). There is an unchecked buffer in the part of the
   code responsible for transferring print jobs from one machine to
   another. If given too many jobs to work on at once, the printer daemon
   may crash or allow arbitrary code to be executed with elevated
   privileges on the victim system.
   
   This problem was discovered by the ISS X-Force who have released an
   advisory:
   
          http://xforce.iss.net/alerts/advise80.php
          
   Although the CERT/CC has not received any reports of this
   vulnerability being successfully exploited, we do strongly encourage
   all affected system adminsitrators to take one or more of the
   recommended actions in III. Solution. Such actions have proven
   effective at minimizing the likelihood of being successfully attacked
   using vulnerabilities similar to this one.
   
II. Impact

   A remote intruder may be able to execute arbitrary code with the
   privileges in the running daemon (typically root). In addition, a
   remote intruder may be able to crash vulnerable printer daemons.
   
III. Solution

Apply patches as soon as possible

   Patches have been released by Sun. They are part of a jumbo lp patch
   set identified by the following ids, per Sun Security Bulletin #206:
The following patches are available in relation to the above problem.

    OS Version               Patch ID
    __________               _________
    SunOS 5.8                109320-04
    SunOS 5.8_x86            109321-04
    SunOS 5.7                107115-09
    SunOS 5.7_x86            107116-09
    SunOS 5.6                106235-09
    SunOS 5.6_x86            106236-09

   Patches listed here are available at:
   
          http://sunsolve.sun.com/securitypatch
          
   The in.lpd daemon was not available prior to Solaris 2.6.
   
   These patches resolve Sun problem report 4446925 *in.lpd* contains a
   remote exploitable overflow.
   
   The complete signed text of Sun Security Bulletin #206 may be found
   at:
   
          Sun Information for VU#484011
          
Implement a workaround

   A number of different workaround strategies have been suggested for
   dealing with this problem until patches can be applied:
     * Disable the print service in /etc/inetd.conf if remote print job
       handling is unnecessary; see the ISS X-Force advisory for
       step-by-step details if needed
     * Enable the noexec_user_stack tunable (although this does not
       provide 100 percent protection against exploitation of this
       vulnerability, it makes the likelihood of a successful exploit
       much smaller). Add the following lines to the /etc/system file and
       reboot:
 set noexec_user_stack = 1
 set noexec_user_stack_log = 1
     * Block access to network port 515/tcp (printer) at all appropriate
       network perimeters
     * Deploy tcpwrappers, also available in the tcpd-7.6 package at:
       
       
                http://www.sun.com/solaris/freeware.html#cd
                
Appendix B. - References

    1. CVE Name: CAN-2001-0353
    2. https://www.kb.cert.org/vuls/id/484011
    3. http://xforce.iss.net/alerts/advise80.php
    4. http://www.securityfocus.com/bid/2894
    5. http://www.sun.com/security
    6. http://www.sunfreeware.com/notes.html#tcp_wrappers
    7. http://www.sun.com/solaris/freeware.html#cd
    8. http://www.sun.com/software/solutions/blueprints/0601/jass_quick_s
       tart-v03.html
    9. Sun Security Bulletin Archive
     _________________________________________________________________
   
   The CERT Coordination Center thanks Sun Microsystems for contributing
   to the creation of this advisory.
     _________________________________________________________________
   
   This document was written by Jeffrey S. Havrilla. If you have feedback
   concerning this document, please send email to:
   
          mailto:cert@cert.org?Subject=[VU#484011] Feedback CA-2001-15
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-2001-15.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.
   
    Using encryption
    
   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
    Getting security information
    
   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message
   
   subscribe cert-advisory
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2001 Carnegie Mellon University.
   
   Revision History
Jun 29, 2001:  Initial release
Jul 02, 2001:   Fixed broken link to vulnerability note
Aug 31, 2001:   Updated with patch information from Sun Security Bulletin #206