A buffer overflow exists in the LPRng printer spooler found on newer Linux and other Unix systems. Versions below LPRng 3.6.24-1 are vulnerable.
A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris, from Sun Microsystems. Versions of netpr on Solaris 2.6 and 7 are vulnerable.
A buffer overflow exists in the in.lpd program, part of the Solaris 6, 7, and 8 systems.
By specifying a long buffer containing machine-executable code, it is possible to execute arbitrary commands as root.
LPRng contains a function, use_syslog(), that returns user input to a string in LPRng that is passed to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by entering malicious format specifiers. In testing this has been exploited to remotely elevate privileges.
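The syslog() format-string problem described above, shown with its hardened form. This is an added example, not LPRng's code; the helper names and the sample input are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style conversion directives in untrusted text. "%%" is a
   literal percent sign and a trailing lone '%' is ignored. A non-zero
   count in a field that should be plain text is worth alerting on. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] != '\0')
            n++;
    }
    return n;
}

/* Render the text the way the hardened call does: the untrusted string is
   an ARGUMENT to a constant "%s" format, so any directives inside it are
   copied verbatim and never interpreted. Returns snprintf's result. */
int render_safe(char *out, size_t len, const char *untrusted)
{
    return snprintf(out, len, "%s", untrusted);
}

/* Vulnerable pattern (comment only, deliberately not compiled):
       syslog(LOG_ERR, untrusted);
   Hardened form below: constant format, untrusted data as the argument.
   Returns the directive count so the caller can flag suspicious input. */
int log_untrusted(const char *untrusted)
{
    syslog(LOG_ERR, "%s", untrusted);
    return count_format_directives(untrusted);
}

int main(void)
{
    const char *sample = "queue %x%x%n";   /* constructed sample input */
    char buf[64];
    render_safe(buf, sizeof buf, sample);
    printf("logged verbatim: %s (directives: %d)\n", buf, log_untrusted(sample));
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes GCC and Clang warn about the vulnerable pattern, where a non-literal string is passed as the format argument.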
On SPARC, the netpr exploits will spawn a root shell, whereas on x86 they will create a setuid root shell in /tmp.
On all Solaris 2.6, 2.7, and 2.8 platforms, the unpatched in.lpd is also vulnerable to a buffer overflow attack resulting in remote root privileges.
Patches are available for LPRng from most Linux vendors. Upgrade or patch to a non-vulnerable version.
Refer to www.sun.com for relevant patches.
SecurityFocus security advisory, BID 1712