-----BEGIN PGP SIGNED MESSAGE----- =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Niels den Otter Index : S-97-34 Distribution : World Page : 1 Classification: External Version: 1 Subject : Solaris 2.x lp temp files creation vuln. Date : 14-May-97 =============================================================================== By courtesy of AUSCERT we received information on a vulnerability in Solaris 2.x lp print service. This vulnerability is known to be present in the lp print service distributed with Solaris 2.4, 2.5 and 2.5.1. CERT-NL recommends, due to lack of adequate vendor patches, to apply the workarounds provided in section 3. And to install the official vendor patches when they are made available. =========================================================================== AA-97.15 AUSCERT Advisory Solaris 2.x lp temporary files creation vulnerability 13 May 1997 Last Revised: -- - - --------------------------------------------------------------------------- AUSCERT has received information that a vulnerability exists in the lp print service under Solaris 2.4, 2.5 and 2.5.1. Earlier versions of Solaris may also be vulnerable. This vulnerability may allow local users to gain lp privileges. This may be leveraged to gain root privileges. Exploit information involving this vulnerability has been made publicly available. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. - - --------------------------------------------------------------------------- 1. Description AUSCERT has received information that a vulnerability exists in the Solaris 2.x lp print service. The lp print service is used to print files on local and remote printers. This problem is known to be present in the lp print service distributed with Solaris 2.4, 2.5 and 2.5.1. Earlier versions of Solaris may also be vulnerable. Due to a problem with insecure file creation, it is possible to force the lp print service to create, or overwrite arbitrary files with the privileges of the lp user. This may be leveraged to gain root privileges. Exploit information involving this vulnerability has been made publicly available. 2. Impact Local users may create arbitrary files as the lp user. This may be leveraged to gain root access. 3. Workarounds/Solution AUSCERT recommends that sites prevent the exploitation of this vulnerability in the lp print service by immediately applying the workaround given in Section 3.1. Currently there are no vendor patches available that address this vulnerability. AUSCERT recommends that official vendor patches be installed when they are made available. 3.1 Modify lp configuration To prevent the exploitation of the vulnerability described in this advisory, AUSCERT recommends applying the following steps: 1. su to root 2. Before continuing, all printing services must be stopped and the printing queue emptied. To reject any new jobs to the printing queue use the command: # /usr/sbin/reject printer_queue and wait until the printing queue is emptied. To stop the print service use the command: # /etc/init.d/lp stop Print services stopped. 3. The file /etc/init.d/lp needs to be edited to set the umask for this service to 022. Files created by lp printing service will now inherit this umask and not be created as world writable. Using your favorite editor, edit the file /etc/init.d/lp and change the line state=$1 to umask 022 state=$1 4. The original log files may have been created with insecure permission settings, therefore containing information that cannot be trusted. Its best to rename or remove these files. The files will be re-created by lp printing service with the correct permissions after the printing service is re-started. Before executing the following commands make sure that there are no jobs pending on the queue. # mv -i /var/lp/logs/lpNet /var/lp/logs/lpNet.previous # mv -i /var/lp/logs/lpsched /var/lp/logs/lpsched.previous # mv -i /var/lp/logs/requests /var/lp/logs/requests.previous 5. Change the default location of the temporary files to /var/lp/ # echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postio - # echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postior - 6. Re-start printing services: # /etc/init.d/lp start Print services started. 7. If you used the command reject on step 2, use the following command to allow printing queue to be re-enabled: # /usr/sbin/accept printer_queue - - --------------------------------------------------------------------------- AUSCERT thanks Sun Microsystems for their assistance in this matter. - - --------------------------------------------------------------------------- ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl Phone: +31 302 305 305 Fax: +31 302 305 329 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBM3l9nUU5nQkWIq1FAQEDQwP/Wkqx6acx3K1LY00JfqJrcv/lNcN4i7ws DAFCvHt66aCm4R1iDvJsIu8ClG9RXzR4iqDuy3o1awhXSaEFapJUB+8VCuSAKJeP ovuN3jr05RXTNp5YLibvvVsOlRYyOWiYZi+qLAcLzzPQHs2UIefZi02GovY1VPg8 RArdfEmnH+4= =4G6u -----END PGP SIGNATURE-----