From eric_fisch@tds.com Mon May 12 12:08:57 1997 Date: Mon, 12 May 1997 09:26:46 -0500 From: Eric Fisch To: calder@tds.com, mike_prosser@tds.com, brian_martin@tds.com Subject: Solaris Vulnerability Gentlemen, the following advisory will be released tomorrow at noon. This is a heads up warning! Please do not redistribute before then. Eric -------------------- --------------------------------------------------------------------------- AUSCERT has received information that a vulnerability exists in the lp print service under Solaris 2.4, 2.5 and 2.5.1. Earlier versions of Solaris may also be vulnerable. This vulnerability may allow local users to gain lp privileges. This may be leveraged to gain root privileges. Exploit information involving this vulnerability has been made publicly available. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. --------------------------------------------------------------------------- 1. Description AUSCERT has received information that a vulnerability exists in the Solaris 2.x lp print service. The lp print service is used to print files on local and remote printers. This problem is known to be present in the lp print service distributed with Solaris 2.4, 2.5 and 2.5.1. Earlier versions of Solaris may also be vulnerable. Due to a problem with insecure file creation, it is possible to force the lp print service to create, or overwrite arbitrary files with the privileges of the lp user. This may be leveraged to gain root privileges. Exploit information involving this vulnerability has been made publicly available. 2. Impact Local users may create arbitrary files as the lp user. This may be leveraged to gain root access. 3. Workarounds/Solution AUSCERT recommends that sites prevent the exploitation of this vulnerability in the lp print service by immediately applying the workaround given in Section 3.1. Currently there are no vendor patches available that address this vulnerability. AUSCERT recommends that official vendor patches be installed when they are made available. 3.1 Modify lp configuration To prevent the exploitation of the vulnerability described in this advisory, AUSCERT recommends applying the following steps: 1. su to root 2. Before continuing, all printing services must be stopped. # /etc/init.d/lp stop Print services stopped. 3. The file /etc/init.d/lp needs to be edited to set the umask for this service to 022. Files created by lp will now inherit this umask and not be created as world writable. Using your favorite editor, edit the file /etc/init.d/lp and change the line state=$1 to umask 022 state=$1 4. The original log files may have been created with insecure permission settings, therefore containing information that cannot be trusted. Its best to rename or remove these files. The files will be re-created by lp with the correct permissions after the printing service is re-started. # mv -i /var/lp/logs/lpNet /var/lp/logs/lpNet.previous # mv -i /var/lp/logs/lpsched /var/lp/logs/lpsched.previous # mv -i /var/lp/logs/requests /var/lp/logs/requests.previous 5. Change the default location of the temporary files to /var/lp/ # echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postio - # echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postior - 6. Re-start printing services: # /etc/init.d/lp start Print services started. --------------------------------------------------------------------------- Eric A. Fisch, Ph.D. Trident Data Systems eric_fisch@tds.com 613 NW Loop 410, Ste. 100 Phone: +1 210.344.3200 San Antonio, Texas 78216 ---------------------------------------------------------------------------