printer_version

Printer Version


Summary

A buffer overflow exists in the LPRng printer spooler found on newer Linux and other Unix systems. Versions below LPRng 3.6.24-1 are vulnerable.

A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris, from Sun Microsystems. The affected versions of netpr are those on Solaris 2.6 and 7.

A buffer overflow exists in the in.lpd program, part of the Solaris 6, 7, and 8 systems.

Buffer overflows have been discovered in BSD-based printer daemons, which affect many vendor products.

The problem

By specifying a long buffer containing machine executable code, it is possible to execute arbitrary commands as root.

LPRng contains a function, use_syslog(), that returns user input in a string which LPRng then passes to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by entering malicious format specifiers. In testing, this has been exploited to remotely elevate privileges.
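The format-string pattern described above, next to its fix, as an added example that is not LPRng's code. The names render(), log_unsafe(), log_safe() and log_to_syslog() are hypothetical, render() stands in for syslog()'s printf-style expansion so the result can be inspected, and the constructed sample input uses only "%%", which consumes no arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for the formatting step inside syslog():
 * syslog(pri, fmt, ...) expands fmt with printf-style rules. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: untrusted text is used AS the format string,
 * so every '%' directive in it is interpreted by the formatter. */
int log_unsafe(char *out, size_t n, const char *user_msg)
{
    return render(out, n, user_msg);
}

/* Fixed pattern: the format is a constant and the untrusted text is
 * only ever an argument, so it is copied verbatim. */
int log_safe(char *out, size_t n, const char *user_msg)
{
    return render(out, n, "%s", user_msg);
}

/* The same fix applied to the real call. */
void log_to_syslog(const char *user_msg)
{
    syslog(LOG_INFO, "%s", user_msg);
}

int main(void)
{
    char buf[64];
    const char *msg = "job 100%% done";   /* constructed sample input */

    log_unsafe(buf, sizeof buf, msg);
    printf("unsafe: %s\n", buf);          /* directive was interpreted */
    log_safe(buf, sizeof buf, msg);
    printf("safe:   %s\n", buf);          /* text logged unchanged */
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn about calls such as syslog(LOG_INFO, msg), where the format is not a string literal and no arguments follow.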

On Sparc, the netpr exploits will spawn a root shell, whereas on x86 it will create a setuid root shell in /tmp.

On all Solaris 2.6, 2.7, and 2.8 platforms, the unpatched in.lpd is also vulnerable to a buffer overflow attack resulting in remote root privileges.

On other vendor products, buffer overflow vulnerabilities may also exist.

Fix

Patches are available for LPRng from most Linux vendors. Upgrade or patch to a non-vulnerable version.

Refer to www.sun.com for relevant patches.

Reference(s):

Securityfocus Security Advisory bid 1712

Securityfocus Security Advisory bid 1200

Securityfocus Security Advisory bid 2894

Securityfocus Security Advisory bid 3274

Securityfocus Security Advisory bid 3252

Securityfocus Security Advisory bid 3240

Securityfocus Security Advisory bid 3241

CVE Reference(s):

      CVE-2000-0917