Printer Version


Summary

A buffer overflow exists in the LPRng printer spooler found on newer Linux and other Unix systems. Versions below LPRng 3.6.24-1 are vulnerable.

A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris, from Sun Microsystems. The versions of netpr on Solaris 2.6 and 7 are affected.

A buffer overflow exists in the in.lpd program, part of the Solaris 6, 7, and 8 systems.

The problem

By specifying a long buffer containing machine executable code, it is possible to execute arbitrary commands as root.

LPRng contains a function, use_syslog(), that places user input into a string that is then passed to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by supplying malicious format specifiers. In testing, this has been exploited to remotely elevate privileges.
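The format-string pattern described above, next to the corrected call, as an added example (not LPRng's code). The function names, the log line layout, and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#ifdef SHOW_VULNERABLE
/* The flawed pattern: untrusted text is used AS the format string, so
 * any '%' directive in it is interpreted by syslog(). Not compiled by default. */
static void log_unsafe(const char *untrusted)
{
    syslog(LOG_ERR, untrusted);
}
#endif

/* Count printf-style directives: every '%' that is not part of a literal "%%".
 * Legitimate print requests rarely contain any, so a non-zero count is worth recording. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%')
            i++;                /* "%%" is a literal percent sign */
        else
            n++;
    }
    return n;
}

/* Build the log line with a constant format; the input is only ever an
 * argument. Returns 0 on success, -1 if the line did not fit. */
int render_log_line(char *out, size_t outlen, const char *untrusted)
{
    int w = snprintf(out, outlen, "request=\"%s\" directives=%zu",
                     untrusted, count_directives(untrusted));
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Corrected logging call: constant "%s" format, untrusted data as argument. */
void log_safe(const char *untrusted)
{
    char line[512];
    if (render_log_line(line, sizeof line, untrusted) != 0)
        strcpy(line, "request too long to log");
    syslog(LOG_ERR, "%s", line);
}

int main(void)
{
    log_safe("job-%x-%n");      /* constructed sample input */
    return 0;
}
```

Building with -Wformat-security (or -Werror=format-security) makes the compiler flag calls of the log_unsafe() kind.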

On SPARC, the netpr exploits will spawn a root shell, whereas on x86 they will create a setuid root shell in /tmp.

On all Solaris 2.6, 2.7, and 2.8 platforms, the unpatched in.lpd is also vulnerable to a buffer overflow attack resulting in remote root privileges.

Fix

Patches are available for LPRng from most Linux vendors. Upgrade or patch to a non-vulnerable version.

Refer to www.sun.com for relevant patches.

Reference(s):

Securityfocus Security Advisory bid 1712

Securityfocus Security Advisory bid 1200

Securityfocus Security Advisory bid 2894