             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                        lpr Buffer Overrun Vulnerability

November 26, 1996 23:00 GMT                                        Number H-08
______________________________________________________________________________
PROBLEM:       Insufficient bounds checking on arguments makes it possible
               to overwrite the internal stack space of the lpr program.
PLATFORM:      The vulnerability exists in the BSD based lpr printing
               package found on a variety of Unix platforms.
DAMAGE:        Local users may gain root privileges.
SOLUTION:      Install vendor patches as recommended below. If vendor
               patches are unavailable, CIAC recommends that you install
               the lpr wrapper provided by AUSCERT.
______________________________________________________________________________
VULNERABILITY  Exploit information involving this vulnerability has been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Start AUSCERT Advisory ]

===========================================================================
AA-96.12                        AUSCERT Advisory
                        lpr buffer overrun vulnerability
                                26 November 1996

Last Revised:   26 November 1996
                Minor change to comments in lpr_wrapper program.
----------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the BSD
based printing software, lpr, available on a variety of Unix platforms.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

----------------------------------------------------------------------------

1. Description

AUSCERT has received information that a vulnerability exists in the BSD
based lpr printing package found on many Unix systems.

Due to insufficient bounds checking on arguments which are supplied by
users, it is possible to overwrite the internal stack space of the lpr
program while it is executing. This can allow an intruder to cause lpr to
execute arbitrary commands by supplying a carefully designed argument to
lpr. These commands will be run with the privileges of the lpr program.
When lpr is installed setuid or setgid, it may allow intruders to gain
those privileges.

When lpr is setuid root it may allow intruders to run arbitrary commands
with root privileges.

This vulnerability is currently known to affect versions of lpr
distributed with:

        BSD/OS
        FreeBSD 2.x
        Linux

More details may be found in Section 3.1.

Other platforms using the BSD based lpr systems, in which lpr is installed
setuid or setgid, may also be vulnerable. This advisory will be updated as
more information becomes available.

Note that the vulnerability described in this advisory is not present in
the LPRng printing package.

2. Impact

Local users may gain root privileges.

3. Workarounds/Solution

The lpr printing package is available on many different systems. As vendor
patches are made available sites are encouraged to install them
(Section 3.1). Until vendor patches are available, AUSCERT recommends that
sites apply the workaround given in Section 3.2.

3.1 Install vendor patches

Specific vendor information has been placed in Appendix A. If the BSD
based lpr printing software is used and your vendor is not listed in
Appendix A, AUSCERT recommends that sites contact vendors directly for
more information.

If vendor patches are not currently available, vulnerable sites are
encouraged to apply the workaround given in Section 3.2.

3.2 Install lpr wrapper

AUSCERT has developed a wrapper to help prevent lpr being exploited using
this vulnerability.
This wrapper, including installation instructions, can be found in
Appendix B.

AUSCERT recommends that until vendor patches can be installed, sites apply
this workaround.

-----------------------------------------------------------------------------

Appendix A      Vendor information

The following information regarding this vulnerability for specific vendor
versions of lpr has been made available to AUSCERT. For additional
information, sites should contact their vendors directly.

BSD/OS
------
BSDI have issued a patch which addresses this vulnerability under
BSD/OS 2.1. This patch is available from:

        ftp://ftp.bsdi.com/pub/bsdi/patches/patches-2.1/U210-028

FreeBSD
-------
The FreeBSD security team have released an advisory describing this
vulnerability and patch information for FreeBSD 2.x. This advisory
(SA-96.18) is available from:

        ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96:18.lpr.asc

Patches can be found in the directory:

        ftp://freebsd.org/pub/CERT/patches/SA-96:18

IBM Corporation
---------------
AIX is not vulnerable to the lpr buffer overflow. The version of lpr
shipped with AIX is not installed with the setuid bit turned on.

IBM and AIX are registered trademarks of International Business Machines
Corporation.

Linux
-----
The Linux Emergency Response Team have released a Linux Security FAQ
Update which addresses this vulnerability. This Update contains
information regarding various Linux distributions. It is available from:

        ftp://bach.cis.temple.edu/pub/Linux/Security/FAQ/updates/
                Update-11-25-1996.vulnerability-lpr-0.06-v1.2

---------------------------------------------------------------------------

Appendix B      lpr wrapper

/*
 * lpr_wrapper.c -- wrap lpr to prevent a command line buffer overrun
 *
 * This wrapper is part of AUSCERT Advisory AA-96.12.  The latest
 * version of this advisory is available from:
 *
 *     ftp://ftp.auscert.org.au/pub/auscert/advisory/
 *             AA-96.12.lpr.buffer.overrun.vul
 *
 * This program is designed to be an interim relief measure
 * until official vendor patches are made available.
 *
 *
 * Author:      AUSCERT
 *              Prentice Centre
 *              The University of Queensland
 *              Qld.  4072.
 *              Australia.
 *
 *              auscert@auscert.org.au
 *
 * DISCLAIMER:  The use of this program is at your own risk.  It is
 *              designed to combat a particular vulnerability, and may
 *              not combat other vulnerabilities, either past or future.
 *              The decision to use this program is yours, as are the
 *              consequences of its use.
 *
 *              This program is designed to be an interim relief measure
 *              until appropriate patches can be obtained from your vendor.
 *
 *
 * Installation instructions
 * ~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * 1.   su to root
 *
 * 2.   Determine the location of lpr.  On FreeBSD and Linux systems it
 *      is located in /usr/bin/.  For example purposes only, /usr/bin/
 *      will be used in following instructions for the location of lpr.
 *
 * 3.   Determine the permissions, owner, and group of lpr.  This
 *      information will be used later.  For example:
 *
 *              # ls -lg /usr/bin/lpr
 *
 *      If lpr does not have setuid or setgid permissions, the installation
 *      of this wrapper program is not necessary.  The version of lpr
 *      in this case does not contain the vulnerability described in
 *      this advisory.
 *
 * 4.   Copy the real lpr program to lpr.real, and then change the
 *      permissions on it.
 *
 *              # cd /usr/bin
 *              # cp lpr lpr.real
 *              # chmod 711 lpr.real
 *
 * 5.   Edit this wrapper program and define REAL_LPR.  By default,
 *      REAL_LPR is defined as "/usr/bin/lpr.real".  This should be
 *      an absolute pathname.
 *
 * 6.   Compile this program in a directory other than /usr/bin.
 *      For example to use /usr/local/src, first copy this file into
 *      /usr/local/src.
 *
 *              # cd /usr/local/src
 *              # cc -o lpr lpr_wrapper.c
 *
 *      If you wish error messages to be logged by syslog when
 *      arguments that may exploit the buffer overrun vulnerability
 *      are passed to lpr, add -DSYSLOG to the compile time options.
 *
 *              # cc -DSYSLOG -o lpr lpr_wrapper.c
 *
 * 7.   Copy this new wrapper program into the directory originally
 *      containing lpr.  This will replace the existing lpr program.
 *
 *      Make sure this directory and its parent directories are protected so
 *      only root is able to make changes to files in the directory.
 *
 *      Use the information found in step #3 and set the same
 *      owner, group, permissions and privileges on the new lpr program.
 *
 *      For example:
 *
 *              # cp lpr /usr/bin
 *              # cd /usr/bin
 *              # chown root lpr
 *              # chgrp daemon lpr
 *              # chmod 6711 lpr
 *
 *      Check that the owner, group, permissions and privileges exactly
 *      match those noted in step #3.
 *
 *              # ls -lg /usr/bin/lpr
 *
 *      Users will not be able to print during the time when the
 *      wrapper is copied into place until the chmod command has been
 *      executed.
 *
 * 8.   Check that printing still works!
 *
 */

static char Version[] = "lpr_wrapper V1.0 26-Nov-1996";

#include <stdio.h>      /* fprintf, perror, BUFSIZ */
#include <stdlib.h>     /* exit */
#include <string.h>     /* strlen */
#include <unistd.h>     /* execve, getuid */
#include <syslog.h>     /* syslog, LOG_ERR */

/*
 * Make sure REAL_LPR points to the location you copied lpr to in
 * step #4.
 */
#define REAL_LPR        "/usr/bin/lpr.real"

int
main(int argc, char *argv[], char *envp[])
{
        int ct;

        /* Refuse to run the real lpr if any argument is longer than BUFSIZ. */
        for (ct = 1; ct < argc; ct++) {
                if (strlen(argv[ct]) > BUFSIZ) {
                        fprintf(stderr,"You have exceeded the argument length ...Exiting\n");
#ifdef SYSLOG
                        syslog(LOG_ERR,"Possible lpr buffer overrun attack by uid %d\n",getuid());
#endif
                        exit(1);
                }
        }

        /* All arguments passed the length check: hand over to the real lpr. */
        execve(REAL_LPR,argv,envp);

        /* Only reached if execve() failed. */
        perror("execve lpr failed");
        return 1;
}

----------------------------------------------------------------------------
AUSCERT thanks Alexander O. Yuriev, the FreeBSD security team, IBM, and
the CERT/CC for their assistance in the production of this advisory.
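
A check for the end state of installation steps 4 and 7 in Appendix B,
given here as an added example that is not part of the AUSCERT advisory or
the CIAC bulletin. The names perm_string and audit_lpr_wrapper and the
messages are made up for this example; it assumes a POSIX shell with ls,
cut and cmp, and takes the directory holding lpr as its argument.

```shell
#!/bin/sh
# Added example, not AUSCERT's code. Audits DIR (for example /usr/bin)
# against steps 4 and 7 of the wrapper installation instructions.

# File type plus permission bits: the first ten characters of `ls -ld`.
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# audit_lpr_wrapper DIR: returns 0 when every check passes, 1 otherwise.
audit_lpr_wrapper() {
    dir=$1
    bad=0

    # Step 4: lpr.real is mode 711, so it no longer carries setuid/setgid.
    if [ "$(perm_string "$dir/lpr.real")" != "-rwx--x--x" ]; then
        echo "FAIL: $dir/lpr.real is missing or not mode 711"
        bad=1
    fi

    # Step 7: the wrapper now holds the privileges noted in step 3.
    if [ ! -u "$dir/lpr" ] && [ ! -g "$dir/lpr" ]; then
        echo "FAIL: $dir/lpr is missing or has no setuid/setgid bit"
        bad=1
    fi

    # Step 7: lpr must be the wrapper, not a second copy of the original.
    if cmp -s "$dir/lpr" "$dir/lpr.real"; then
        echo "FAIL: $dir/lpr is identical to lpr.real (wrapper not installed)"
        bad=1
    fi

    # Step 7: the directory must not be group- or world-writable.
    # Repeat this check on each parent directory as well.
    case "$(perm_string "$dir")" in
        ?????w????|????????w?)
            echo "FAIL: $dir is writable by group or other"
            bad=1 ;;
    esac

    [ "$bad" -eq 0 ] && echo "OK: $dir matches the advisory's install steps"
    return "$bad"
}
```

Owner and group are not compared here; check them by hand against the
values recorded in step 3.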
----------------------------------------------------------------------------

[ End AUSCERT Advisory ]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of AUSCERT and others for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the Forum
of Incident Response and Security Teams, a global organization established
to foster cooperation and coordination among computer security teams
worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and
the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST),
call the CIAC voice number 510-422-8193 and leave a message, or call
800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN
numbers, the primary PIN number, 8550070, is for the CIAC duty person, and
the secondary PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://ciac.llnl.gov/
    Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
    Modem access:    +1 (510) 423-4753 (28.8K baud)
                     +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe
(add yourself) to one of our mailing lists, send the following request as
the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName
FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained by sending email to docserver@first.org with an empty subject
line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-45: Vulnerability in HP VUE
G-46: Vulnerabilities in Transarc DCE and DFS
G-47: Unix FLEXlm Vulnerabilities
G-48: TCP SYN Flooding and IP Spoofing Attacks
H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions
H-03: HP-UX_suid_Vulnerabilities
H-04: HP-UX Ping Vulnerability
H-05: Internet Hoaxes
H-07: Sendmail SIGHUP-smtpd Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update