[irix-security] remote root exploit due to bugs in lpd
- To: irix-security@sfu.ca
- Subject: [irix-security] remote root exploit due to bugs in lpd
- From: Martin Siegert <siegert@sfu.ca>
- Date: Thu, 17 Jan 2002 18:57:34 -0800
- User-Agent: Mutt/1.2.5.1i
Topic
=====
Buffer overflows in lpd and lpsched can lead to a remote root exploit.
Problem Description
===================
lpd vulnerabilities:
A buffer overflow in the BSD-based line printer daemons (lpd) may allow a
remote or local attacker to crash the daemon or execute arbitrary code with
superuser privileges. Although lpd is part of the IRIX print.sw.bsdlpr
system and is not installed by default, if it is installed it
runs with root privileges by default on all current IRIX
versions.
lpsched vulnerabilities:
Bugs in the lpsched program allow remote attackers with sufficient
control of their remote network to obtain 'root' and 'lp'
privileges remotely. lpsched is installed by default on all
current IRIX versions.
lpstat vulnerabilities:
A vulnerability exists in the way the lpstat command loads and executes code
from user-supplied net-type shared library objects. When appropriately
exploited it can lead to a local root compromise on a
vulnerable system. lpstat is installed by default on all
current IRIX versions.
lpsched and lpstat are installed by default on IRIX.
lpd is part of the optional print.sw.bsdlpr subsystem and is not
installed by default on IRIX.
A local user account on the vulnerable system is not required
in order to exploit these vulnerabilities. Vulnerable systems
can be exploited remotely over an untrusted network.
These vulnerabilities can lead to a root compromise.
Workaround
==========
Disable printing and uninstall the printer daemon:

1) Become the root user on the system.

     % /bin/su -
     Password:
     #

2) Stop the printing services

     # /etc/init.d/bsdlpr stop
     # /etc/init.d/lp stop

3) Use the "versions" command to remove the printing subsystems:

     # versions remove print.sw.*

Solution
========
Apply patches supplied by SGI immediately.

OS Version      Vulnerable?     Patch #
----------      -----------     -------
IRIX 6.5        yes             4381
IRIX 6.5.1      yes             4381
IRIX 6.5.2m     yes             4381
IRIX 6.5.2f     yes             4382
IRIX 6.5.3m     yes             4381
IRIX 6.5.3f     yes             4382
IRIX 6.5.4m     yes             4381
IRIX 6.5.4f     yes             4382
IRIX 6.5.5m     yes             4381
IRIX 6.5.5f     yes             4382
IRIX 6.5.6m     yes             4381
IRIX 6.5.6f     yes             4382
IRIX 6.5.7m     yes             4381
IRIX 6.5.7f     yes             4382
IRIX 6.5.8m     yes             4381
IRIX 6.5.8f     yes             4382
IRIX 6.5.9m     yes             4381
IRIX 6.5.9f     yes             4382
IRIX 6.5.10m    yes             4381
IRIX 6.5.10f    yes             4382
IRIX 6.5.11m    yes             4381
IRIX 6.5.11f    yes             4382
IRIX 6.5.12m    yes             4381
IRIX 6.5.12f    yes             4382
IRIX 6.5.13m    yes             4381
IRIX 6.5.13f    yes             4382
IRIX 6.5.14m    no
IRIX 6.5.14f    no

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/
The actual patch will be a tar file patch<patch#>.tar.
Untar that file in an appropriate directory (I am using /usr/local/src/dist),
start swmgr and enter that directory name in the "Available Software" box.
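
Added example, not part of the original message or of SGI's advisory: a POSIX shell helper that applies the patch table above to a list of hosts and reports which patch tar file each one needs. The inventory format ("host release"), the host names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Release strings are written as in the table's "OS Version" column.

# Prints 4381, 4382, "none" (listed as not vulnerable) or "unlisted".
irix_lp_patch() {
    rel=$1
    case $rel in
        6.5|6.5.1) echo 4381; return 0 ;;  # listed without an m/f suffix
    esac
    case $rel in
        6.5.*[mf]) ;;
        *) echo unlisted; return 0 ;;
    esac
    stream=${rel#"${rel%?}"}   # last character: m or f
    minor=${rel#6.5.}
    minor=${minor%?}           # digits between "6.5." and the suffix
    case $minor in
        ''|*[!0-9]*) echo unlisted; return 0 ;;
    esac
    if [ "$minor" -eq 14 ]; then
        echo none
    elif [ "$minor" -ge 2 ] && [ "$minor" -le 13 ]; then
        if [ "$stream" = m ]; then echo 4381; else echo 4382; fi
    else
        echo unlisted          # release does not appear in the table
    fi
}

# Reads "host release" lines on stdin, prints one action line per host.
triage() {
    while read -r host rel; do
        [ -n "$host" ] || continue
        patch=$(irix_lp_patch "$rel")
        case $patch in
            none)     echo "$host $rel not-vulnerable" ;;
            unlisted) echo "$host $rel not-in-table" ;;
            *)        echo "$host $rel patch${patch}.tar" ;;
        esac
    done
}

# Constructed inventory; host names are hypothetical.
SAMPLE_INVENTORY='octane1 6.5.13f
origin2 6.5.9m
o2-lab 6.5.14m
indy3 6.2'

triage_sample() { printf '%s\n' "$SAMPLE_INVENTORY" | triage; }
triage_sample
```

Releases that the table does not list are reported as not-in-table rather than guessed at, since the advisory makes no statement about them.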