CERT® Advisory CA-2001-30 Multiple Vulnerabilities in lpd

Posted on November 6, 2001
by hitbsecnews

Systems Affected

BSDi BSD/OS Version 4.1 and earlier
Debian GNU/Linux 2.1 and 2.1r4
FreeBSD All released versions
FreeBSD 4.x, 3.x, FreeBSD 4.3-STABLE, 3.5.1-STABLE prior to the correction date
Hewlett-Packard HP9000 Series 700/800 running HP-UX releases 10.01, 10.10, 10.20, 11.00, and 11.11
IBM AIX Versions 4.3 and AIX 5.1
Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
NetBSD 1.5.2 and earlier
OpenBSD Version 2.9 and earlier
Red Hat Linux 6.0 all architectures
SCO OpenServer Version 5.0.6a and earlier
SGI IRIX 6.5-6.5.13
Sun Solaris 8 and earlier
SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2

Overview

There are multiple vulnerabilities in several implementations of the line printer daemon (lpd). The line printer daemon enables various clients to share printers over a network. Review your configuration to be sure you have applied all relevant patches. We also encourage you to restrict access to the lpd service to only authorized users.


I. Description

There are multiple vulnerabilities in several implementations of
the line printer daemon (lpd), affecting several systems. Some of
these problems have been publicly disclosed previously. However, we
believe many system and network administrators may have overlooked one
or more of these vulnerabilities. We are issuing this document
primarily to encourage system and network administrators to check their
systems for exposure to each of these vulnerabilities, even if they
have addressed some lpd vulnerabilities recently.

Most of these vulnerabilities are buffer overflows allowing a
remote intruder to gain root access to the lpd server. For the latest
and most detailed information about the known vulnerabilities, please
see the vulnerability notes linked to below.

VU#274043 - BSD line printer daemon buffer overflow in displayq()

There is a buffer overflow in several implementations of in.lpd, a BSD
line printer daemon. An intruder can send a specially crafted print job
to the target and then request a display of the print queue to trigger
the buffer overflow. The intruder may be able to use this overflow to
execute arbitrary commands on the system with superuser privileges.

The line printer daemon must be enabled and configured properly in order
for an intruder to exploit this vulnerability. This is, however, trivial
as the line printer daemon is commonly enabled to provide printing
functionality. In order to exploit the buffer overflow, the intruder must
launch his attack from a system that is listed in the "/etc/hosts.equiv"
or "/etc/hosts.lpd" file of the target system.

VU#388183 - IBM AIX line printer daemon buffer overflow in kill_print()

A buffer overflow exists in the kill_print() function of the line printer
daemon (lpd) on AIX systems. An intruder could exploit this vulnerability
to obtain root privileges or cause a denial of service (DoS). The
intruder would need to be listed in the victim's /etc/hosts.lpd or
/etc/hosts.equiv file, however, to exploit this vulnerability.

VU#722143 - IBM AIX line printer daemon buffer overflow in send_status()

A buffer overflow exists in the send_status() function of the line
printer daemon (lpd) on AIX systems. An intruder could exploit this
vulnerability to obtain root privileges or cause a denial of service
(DoS). The intruder would need to be listed in the victim's
/etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this
vulnerability.

VU#466239 - IBM AIX line printer daemon buffer overflow in chk_fhost()

A buffer overflow exists in the chk_fhost() function of the line printer
daemon (lpd) on AIX systems. An intruder could exploit this vulnerability
to obtain root privileges or cause a denial of service (DoS). The
intruder would need control of the DNS server to exploit this
vulnerability.

VU#39001 - line printer daemon allows options to be passed to sendmail

There exists a vulnerability in the line printer daemon that permits an
intruder to send options to sendmail. These options could be used to
specify another configuration file, allowing an intruder to gain root
access.

VU#30308 - line printer daemon hostname authentication bypassed with spoofed DNS

A vulnerability exists in the line printer daemon (lpd) shipped with
the printer package for several systems. The authentication method was
not thorough enough. If a remote user was able to control their own
DNS so that their IP address resolved to the hostname of the print
server, access would be granted when it should not be.

VU#966075 - Hewlett-Packard HP-UX line printer daemon buffer overflow

A buffer overflow exists in HP-UX's line printer daemon (rlpdaemon)
that may allow an intruder to execute arbitrary code with superuser
privilege on the target system. The rlpdaemon is installed by default
and is active even if it is not being used. An intruder does not need
any prior knowledge, or privileges on the target system, in order to
exploit this vulnerability.


II. Impact

All of these vulnerabilities can be exploited remotely. In most cases,
they allow an intruder to execute arbitrary code with the privileges
of the lpd server. In some cases, an intruder must have access to a
machine listed in /etc/hosts.equiv or /etc/hosts.lpd, and in some
cases, an intruder must be able to control a nameserver.

One vulnerability (VU#39001) allows you to
specify options to sendmail that can be used to execute arbitrary
commands. Ordinarily, this vulnerability is only exploitable from
machines that are authorized to use the lpd server. However, in
conjunction with another vulnerability (VU#30308), permitting
intruders to gain access to the lpd service, this vulnerability can be
used by intruders not normally authorized to use the lpd service.

For specific information about the impacts of each of these
vulnerabilities, please consult the CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls).


III. Solution

Apply a patch from your vendor

Appendix A contains information provided by
vendors for this advisory. As vendors report new information to the
CERT/CC, we will update this section and note the changes in our revision
history. If a particular vendor is not listed below, we have not
received their comments. Please contact your vendor directly.

This table represents the status of each vendor with regard to each
vulnerability. Please be aware that vendors produce multiple products; if
they are listed in this table, not all products may be affected. If a
vendor is not listed in the table below, then their status should be
considered unknown. For specific information about the status of each of
these vulnerabilities, please consult the CERT Vulnerability Notes
Database (http://www.kb.cert.org/vuls).

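VU#274043
Vendors Affected: Berkeley Software Design, Inc. (BSDI), FreeBSD, NetBSD, OpenBSD, SCO, SGI, SuSE
Vendors Not Affected: Apple, Caldera, Engarde, Fujitsu, IBM, Sun

VU#388183
Vendors Affected: IBM
Vendors Not Affected: Caldera, Cray, Engarde, FreeBSD, Fujitsu, Sun

VU#722143
Vendors Affected: IBM
Vendors Not Affected: Caldera, Cray, Engarde, FreeBSD, Fujitsu, Sun

VU#466239
Vendors Affected: IBM
Vendors Not Affected: Caldera, Cray, Engarde, FreeBSD, Fujitsu, Sun

VU#39001
Vendors Affected: Debian, Mandrake, Red Hat, Sun
Vendors Not Affected: Caldera, Cray, Engarde, FreeBSD, Fujitsu, IBM

VU#30308
Vendors Affected: Debian, IBM, Red Hat
Vendors Not Affected: Caldera, Engarde, FreeBSD, Fujitsu, Sun

VU#966075
Vendors Affected: Hewlett-Packard
Vendors Not Affected: Apple, Caldera, Cray, Engarde, FreeBSD, Fujitsu, IBM, Sun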

Restrict access to the lpd service

As a general practice, we recommend disabling all services that are
not explicitly required. You may wish to disable the line printer
daemon if there is not a patch available from your vendor.

If you cannot disable the service, you can limit your exposure to
these vulnerabilities by using a router or firewall to restrict access
to port 515/TCP (printer). Note that this does not protect you against
attackers from within your network.
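
Several of the vulnerabilities above are reachable only from hosts listed in /etc/hosts.equiv or /etc/hosts.lpd, and all of them need the service on port 515/TCP. The script below is an added example, not part of the CERT advisory: it classifies each entry in those trust files and checks netstat output for a listener on 515. The function names and the "audit" argument are assumptions made for illustration, as is the treatment of a bare "+" as a trust-everyone entry in both files.

```shell
#!/bin/sh
# Added example: audit lpd exposure on a host (trust files + TCP 515 listener).

# Print one line per entry: "<file>: WILDCARD|NETGROUP|DENY|HOST <entry>".
audit_trust_file() {
    file=$1
    [ -r "$file" ] || return 0          # a missing file means no entries
    # Strip comments, skip blank lines, classify by the first field.
    sed -e 's/#.*//' "$file" | awk -v f="$file" '
        NF == 0        { next }
        $1 == "+"      { print f ": WILDCARD " $0; next }  # trusts every host
        $1 ~ /^[+-]@/  { print f ": NETGROUP " $0; next }  # netgroup reference
        $1 ~ /^-/      { print f ": DENY " $0; next }      # explicit exclusion
                       { print f ": HOST " $0 }'
}

# Number of trust-everyone entries in a file (prints 0 if none).
count_wildcards() {
    audit_trust_file "$1" | grep -c ' WILDCARD ' || true
}

# Reads `netstat -an` style output on stdin; succeeds if a socket is
# listening on TCP port 515 (local address ends in ".515" or ":515").
listens_on_515() {
    awk '$NF ~ /^LISTEN/ {
             for (i = 1; i < NF; i++) if ($i ~ /[.:]515$/) found = 1
         }
         END { exit !found }'
}

# Run the audit only when asked to: sh lpd_audit.sh audit
if [ "${1:-}" = "audit" ]; then
    for f in /etc/hosts.equiv /etc/hosts.lpd; do
        audit_trust_file "$f"
    done
    if netstat -an | listens_on_515; then
        echo "TCP 515 (printer) is listening: patch, filter, or disable lpd"
    else
        echo "nothing is listening on TCP 515"
    fi
fi
```

Every HOST entry is a machine from which the trust-file-gated overflows can be reached, so the list is worth trimming to actual print clients even after patching.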

The entire advisory is here, and you should read it if you require more vendor-specific information.
