-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
                          Security Advisory CERT-NL
===============================================================================
Author/Source : Rene Ritzen                         Index         : S-96-67
Distribution  : World                               Page          :
Classification: External                            Version       :
Subject       : LPR buffer overrun vuln. in BSD based sw
Date          : 26-Nov-96
===============================================================================

By courtesy of AUSCERT, the Australian CERT, we received information on a
vulnerability in the BSD based printing software, lpr, available on a
variety of Unix platforms.  This information is made publicly available by
AUSCERT advisory AA-96.12, dated 26 Nov 1996.

CERT-NL recommends installation of the patches mentioned below or, if no
patches are available, the workaround.

Keywords: lpr, root

===============================================================================

AA-96.12                        AUSCERT Advisory
                        lpr buffer overrun vulnerability
                               26 November 1996

Last Revised: 26 November 1996
              Minor change to comments in lpr_wrapper program.

- - ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the BSD
based printing software, lpr, available on a variety of Unix platforms.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

- - ---------------------------------------------------------------------------

1.  Description

        AUSCERT has received information that a vulnerability exists in the
        BSD based lpr printing package found on many Unix systems.

        Due to insufficient bounds checking on arguments which are supplied
        by users, it is possible to overwrite the internal stack space of
        the lpr program while it is executing.
        This can allow an intruder to cause lpr to execute arbitrary
        commands by supplying a carefully designed argument to lpr.  These
        commands will be run with the privileges of the lpr program.  When
        lpr is installed setuid or setgid, it may allow intruders to gain
        those privileges.  When lpr is setuid root it may allow intruders to
        run arbitrary commands with root privileges.

        This vulnerability is currently known to affect versions of lpr
        distributed with:

                BSD/OS
                FreeBSD 2.x
                Linux

        More details may be found in Section 3.1.

        Other platforms using the BSD based lpr systems, in which lpr is
        installed setuid or setgid, may also be vulnerable.  This advisory
        will be updated as more information becomes available.

        Note that the vulnerability described in this advisory is not
        present in the LPRng printing package.

2.  Impact

        Local users may gain root privileges.

3.  Workarounds/Solution

        The lpr printing package is available on many different systems.
        As vendor patches are made available sites are encouraged to
        install them (Section 3.1).

        Until vendor patches are available, AUSCERT recommends that sites
        apply the workaround given in Section 3.2.

3.1  Install vendor patches

        Specific vendor information has been placed in Appendix A.  If the
        BSD based lpr printing software is used and your vendor is not
        listed in Appendix A, AUSCERT recommends that sites contact vendors
        directly for more information.

        If vendor patches are not currently available, vulnerable sites are
        encouraged to apply the workaround given in Section 3.2.

3.2  Install lpr wrapper

        AUSCERT has developed a wrapper to help prevent lpr being exploited
        using this vulnerability.  This wrapper, including installation
        instructions, can be found in Appendix B.

        AUSCERT recommends that until vendor patches can be installed,
        sites apply this workaround.

...........................................................................
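        The following C program is an added illustration for Section 1 (the
        unchecked copy of a user-supplied argument into a fixed-size stack
        buffer) and Section 3.2 (the per-argument length check that the
        wrapper applies before handing control to the real lpr).  It is
        not AUSCERT's wrapper and not lpr source: the buffer size, the
        "-C" option, the argument limit and the constructed argv are
        assumptions chosen for the example.  The unchecked function is
        kept only for contrast and is never called with an over-long
        argument.

```c
/*
 * Added example (not part of AUSCERT AA-96.12, not lpr source).
 * Buffer size, option name and limit below are assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLASS_SIZE   32     /* assumed size of a fixed stack buffer       */
#define MAX_ARG_LEN  1024   /* assumed per-argument cap (wrapper: BUFSIZ) */

/*
 * The pattern Section 1 describes: a user-controlled argument is copied
 * into a fixed-size automatic buffer with no length check.  For an
 * argument of CLASS_SIZE bytes or more, strcpy() writes past `jobclass`
 * into whatever the compiler placed above it (saved registers, return
 * address).  Never call this with untrusted input.
 */
static int class_from_arg_unchecked(const char *arg)
{
    char jobclass[CLASS_SIZE];
    strcpy(jobclass, arg);                 /* no bound: this is the bug */
    return (int)strlen(jobclass);
}

/*
 * Hardened copy: never write more than dstsize bytes, always leave dst
 * NUL-terminated, and refuse (return -1) rather than silently truncate,
 * because a truncated class or job name changes meaning.
 */
static int copy_arg_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {                    /* would not fit with the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

static int class_from_arg_checked(const char *arg)
{
    char jobclass[CLASS_SIZE];
    if (copy_arg_bounded(jobclass, sizeof jobclass, arg) != 0)
        return -1;
    return (int)strlen(jobclass);
}

/*
 * The wrapper's check, generalised: index of the first argument longer
 * than maxlen, or 0 when every argument fits.  The Appendix B wrapper
 * exits on the first offender; returning the index lets a caller log it.
 */
static int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    for (int i = 1; i < argc; i++)
        if (strlen(argv[i]) > maxlen)
            return i;
    return 0;
}

/* Constructed argv ("lpr -C <classlen x 'A'> report.txt") for a run. */
static int check_constructed_argv(size_t classlen)
{
    static char jobclass[MAX_ARG_LEN + 16];
    if (classlen > sizeof jobclass - 1)
        classlen = sizeof jobclass - 1;
    memset(jobclass, 'A', classlen);
    jobclass[classlen] = '\0';
    char *argv[] = { "lpr", "-C", jobclass, "report.txt", NULL };
    return first_oversized_arg(4, argv, MAX_ARG_LEN);
}

int main(void)
{
    printf("short class, checked copy: %d\n", class_from_arg_checked("lp1"));
    printf("32-byte class, checked copy: %d\n",
           class_from_arg_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("argv with %d-byte class: offending index %d\n",
           MAX_ARG_LEN, check_constructed_argv(MAX_ARG_LEN));
    printf("argv with %d-byte class: offending index %d\n",
           MAX_ARG_LEN + 1, check_constructed_argv(MAX_ARG_LEN + 1));
    return 0;
}
```

        Two points the example makes visible.  The wrapper's limit is
        strict greater-than, so an argument of exactly MAX_ARG_LEN bytes
        is still passed through; and the comparison is per argument, so
        it protects a buffer that receives one argument, not one that
        receives several joined together.  BUFSIZ, which the wrapper uses
        as its cap, is implementation-defined (1024 on 4.4BSD-derived
        systems, 8192 with glibc), so the threshold depends on the system
        the wrapper is compiled on.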
Appendix A      Vendor information

The following information regarding this vulnerability for specific vendor
versions of lpr has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.

BSD/OS
- - ------

        BSDI have issued a patch which addresses this vulnerability under
        BSD/OS 2.1.  This patch is available from:

        ftp://ftp.bsdi.com/pub/bsdi/patches/patches-2.1/U210-028

FreeBSD
- - -------

        The FreeBSD security team have released an advisory describing
        this vulnerability and patch information for FreeBSD 2.x.  This
        advisory (SA-96.18) is available from:

        ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:18.lpr.asc

        Patches can be found in the directory:

        ftp://freebsd.org/pub/CERT/patches/SA-96:18

IBM Corporation
- - ---------------

        AIX is not vulnerable to the lpr buffer overflow.  The version of
        lpr shipped with AIX is not installed with the setuid bit turned
        on.

        IBM and AIX are registered trademarks of International Business
        Machines Corporation.

Linux
- - -----

        The Linux Emergency Response Team have released a Linux Security
        FAQ Update which addresses this vulnerability.  This Update
        contains information regarding various Linux distributions.  It is
        available from:

        ftp://bach.cis.temple.edu/pub/Linux/Security/FAQ/updates/
        Update-11-25-1996.vulnerability-lpr-0.06-v1.2

...........................................................................

Appendix B      lpr wrapper

/*
 * lpr_wrapper.c -- wrap lpr to prevent a command line buffer overrun
 *
 * This wrapper is part of AUSCERT Advisory AA-96.12.  The latest
 * version of this advisory is available from:
 *
 *      ftp://ftp.auscert.org.au/pub/auscert/advisory/
 *              AA-96.12.lpr.buffer.overrun.vul
 *
 * This program is designed to be an interim relief measure
 * until official vendor patches are made available.
 *
 *
 * Author:      AUSCERT
 *              Prentice Centre
 *              The University of Queensland
 *              Qld. 4072.
 *              Australia.
 *
 *              auscert@auscert.org.au
 *
 * DISCLAIMER:  The use of this program is at your own risk.  It is
 *              designed to combat a particular vulnerability, and may
 *              not combat other vulnerabilities, either past or future.
 *              The decision to use this program is yours, as are the
 *              consequences of its use.
 *
 *              This program is designed to be an interim relief measure
 *              until appropriate patches can be obtained from your vendor.
 *
 *
 * Installation instructions
 * ~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * 1.   su to root
 *
 * 2.   Determine the location of lpr.  On FreeBSD and Linux systems it
 *      is located in /usr/bin/.  For example purposes only, /usr/bin/
 *      will be used in the following instructions for the location of lpr.
 *
 * 3.   Determine the permissions, owner, and group of lpr.  This
 *      information will be used later.  For example:
 *
 *              # ls -lg /usr/bin/lpr
 *
 *      If lpr does not have setuid or setgid permissions, the installation
 *      of this wrapper program is not necessary.  The version of lpr
 *      in this case does not contain the vulnerability described in
 *      this advisory.
 *
 * 4.   Copy the real lpr program to lpr.real, and then change the
 *      permissions on it.
 *
 *              # cd /usr/bin
 *              # cp lpr lpr.real
 *              # chmod 711 lpr.real
 *
 * 5.   Edit this wrapper program and define REAL_LPR.  By default,
 *      REAL_LPR is defined as "/usr/bin/lpr.real".  This should be
 *      an absolute pathname.
 *
 * 6.   Compile this program in a directory other than /usr/bin.
 *      For example to use /usr/local/src, first copy this file into
 *      /usr/local/src.
 *
 *              # cd /usr/local/src
 *              # cc -o lpr lpr_wrapper.c
 *
 *      If you wish error messages to be logged by syslog when
 *      arguments that may exploit the buffer overrun vulnerability
 *      are passed to lpr, add -DSYSLOG to the compile time options.
 *
 *              # cc -DSYSLOG -o lpr lpr_wrapper.c
 *
 * 7.   Copy this new wrapper program into the directory originally
 *      containing lpr.  This will replace the existing lpr program.
 *
 *      Make sure this directory and its parent directories are protected so
 *      only root is able to make changes to files in the directory.
 *
 *      Use the information found in step #3 and set the same
 *      owner, group, permissions and privileges on the new lpr program.
 *
 *      For example:
 *
 *              # cp lpr /usr/bin
 *              # cd /usr/bin
 *              # chown root lpr
 *              # chgrp daemon lpr
 *              # chmod 6711 lpr
 *
 *      Check that the owner, group, permissions and privileges exactly
 *      match those noted in step #3.
 *
 *              # ls -lg /usr/bin/lpr
 *
 *      Users will not be able to print during the time from when the
 *      wrapper is copied into place until the chmod command has been
 *      executed.
 *
 * 8.   Check that printing still works!
 *
 */

static char Version[] = "lpr_wrapper V1.0 26-Nov-1996";

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/*
 * Make sure REAL_LPR points to the location you copied lpr to in
 * step #4.
 */

#define REAL_LPR "/usr/bin/lpr.real"

int
main(int argc, char *argv[], char *envp[])
{
        int ct;

        /*
         * Refuse any single argument longer than BUFSIZ before the real
         * lpr ever sees it.  Only argv is inspected; envp is passed
         * through to lpr.real unchanged.
         */
        for (ct = 1; ct < argc; ct++) {
                if (strlen(argv[ct]) > BUFSIZ) {
                        fprintf(stderr,
                            "You have exceeded the argument length ...Exiting\n");
#ifdef SYSLOG
                        syslog(LOG_ERR,
                            "Possible lpr buffer overrun attack by uid %d\n",
                            (int)getuid());
#endif
                        exit(1);
                }
        }

        /* Reached only if every argument passed the length check. */
        execve(REAL_LPR, argv, envp);
        perror("execve lpr failed");
        return 1;
}

...........................................................................

- - ---------------------------------------------------------------------------
AUSCERT thanks Alexander O. Yuriev, the FreeBSD security team, IBM, and the
CERT/CC for their assistance in the production of this advisory.
- - ---------------------------------------------------------------------------

=============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes.  CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).
All CERT-NL material is available under:
        http://www.surfnet.nl/surfnet/security/cert-nl.html
        ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.i

iQCVAgUBMprhOGL2fnkJN/jpAQGOqAP/VJc/o4oDUebx1aF1yWo6ifFpRJEpyUlm
S4gl9jBccDXUPrZpVUNYJ7H16+lOxGz85i03nJ7+Vd/kgqCrbOXrYyQrkmIX/vcG
E4Q3S4V2U3sK//BFNCq7QIRgpqWyZmk/ApaPpqeBv4G42Z7WhSv5xCkPhn+y9bSE
XcNhJXi5AuI=
=ecQC
-----END PGP SIGNATURE-----