-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AA-97.15 AUSCERT Advisory Solaris 2.x lp temporary files creation vulnerability 13 May 1997 Last Revised: -- - --------------------------------------------------------------------------- AUSCERT has received information that a vulnerability exists in the lp print service under Solaris 2.4, 2.5 and 2.5.1. Earlier versions of Solaris may also be vulnerable. This vulnerability may allow local users to gain lp privileges. This may be leveraged to gain root privileges. Exploit information involving this vulnerability has been made publicly available. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. - --------------------------------------------------------------------------- 1. Description AUSCERT has received information that a vulnerability exists in the Solaris 2.x lp print service. The lp print service is used to print files on local and remote printers. This problem is known to be present in the lp print service distributed with Solaris 2.4, 2.5 and 2.5.1. Earlier versions of Solaris may also be vulnerable. Due to a problem with insecure file creation, it is possible to force the lp print service to create, or overwrite arbitrary files with the privileges of the lp user. This may be leveraged to gain root privileges. Exploit information involving this vulnerability has been made publicly available. 2. Impact Local users may create arbitrary files as the lp user. This may be leveraged to gain root access. 3. Workarounds/Solution AUSCERT recommends that sites prevent the exploitation of this vulnerability in the lp print service by immediately applying the workaround given in Section 3.1. Currently there are no vendor patches available that address this vulnerability. AUSCERT recommends that official vendor patches be installed when they are made available. 3.1 Modify lp configuration To prevent the exploitation of the vulnerability described in this advisory, AUSCERT recommends applying the following steps: 1. su to root 2. Before continuing, all printing services must be stopped and the printing queue emptied. To reject any new jobs to the printing queue use the command: # /usr/sbin/reject printer_queue and wait until the printing queue is emptied. To stop the print service use the command: # /etc/init.d/lp stop Print services stopped. 3. The file /etc/init.d/lp needs to be edited to set the umask for this service to 022. Files created by lp printing service will now inherit this umask and not be created as world writable. Using your favorite editor, edit the file /etc/init.d/lp and change the line state=$1 to umask 022 state=$1 4. The original log files may have been created with insecure permission settings, therefore containing information that cannot be trusted. Its best to rename or remove these files. The files will be re-created by lp printing service with the correct permissions after the printing service is re-started. Before executing the following commands make sure that there are no jobs pending on the queue. # mv -i /var/lp/logs/lpNet /var/lp/logs/lpNet.previous # mv -i /var/lp/logs/lpsched /var/lp/logs/lpsched.previous # mv -i /var/lp/logs/requests /var/lp/logs/requests.previous 5. Change the default location of the temporary files to /var/lp/ # echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postio - # echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postior - 6. Re-start printing services: # /etc/init.d/lp start Print services started. 7. If you used the command reject on step 2, use the following command to allow printing queue to be re-enabled: # /usr/sbin/accept printer_queue - --------------------------------------------------------------------------- AUSCERT thanks Sun Microsystems for their assistance in this matter. - --------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team Prentice Centre Brisbane Qld. 4072. AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBM3nt+ih9+71yA2DNAQFslgP+IliYKNQHBIKn2hGHCC9oJ2+C5IypfE/R qwtVinyo7xDCtdIMH09F9HkwPfJiIojGrIg8dBu+bB+mDggq40N6pr7c9yDdgTw4 rX9JMlpX5VgHZqSJrOtLUh5KBek51SiHNHttgfG7kI+udgIhAYTKpeNEPSo9KVrn sOy57uNooRM= =NiwL -----END PGP SIGNATURE-----