From create@SECUREREALITY.COM.AU Wed Dec 6 16:17:35 2000
From: Secure Reality Advisories
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 7 Dec 2000 00:09:52 +1100
Subject: [BUGTRAQ] (SRADV00007) Local root compromise through Lexmark MarkVision printer drivers

=================================================
Secure Reality Pty Ltd. Security Advisory #7 (SRADV00007)
http://www.securereality.com.au
=================================================

[Title]
Local root compromise through Lexmark MarkVision printer drivers

[Released]
6/11/2000

[Vulnerable]
Versions below 4.4 (specifically the MarkVision drivers package for Unix. Other Lexmark drivers, e.g. Windows drivers, are not part of MarkVision.)

[Overview]
MarkVision is a printer administration package from Lexmark. In addition to software to remotely administer printers, it also provides printer drivers for a wide variety of printers for various flavours of Unix. Several of the utilities that make up the Unix printer drivers contain command line buffer overflows. As some of these utilities are installed setuid root, a local attacker can trivially exploit the vulnerabilities to execute arbitrary code as root.

[Impact]
Local root compromise

[Detail]
We successfully exploited command line overflows against the following setuid root programs:

- /usr/local/lexmark/markvision/bin/cat_network - Heap overflow
- /usr/local/lexmark/markvision/bin/cat_parallel - Stack overflow
- /usr/local/lexmark/markvision/bin/cat_serial - Stack overflow

We tested our exploits on the Linux version of the drivers under Red Hat 6.2. Obviously the stack overflows, at least, should be exploitable on all the other platforms the drivers are available for; the heap overflow may not be. We have not tested either case.
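As an added example (not part of this advisory, and not Lexmark's or Secure Reality's code), a small POSIX sh audit helper that checks whether the three utilities listed above are installed setuid on a host and, when MITIGATE=1, clears the setuid bit as an interim measure until the fixed drivers are installed. MARKVISION_BIN and MITIGATE are assumed environment variables; the default path is the install directory named above.

```shell
#!/bin/sh
# Hypothetical audit helper for the MarkVision utilities named in the advisory.
# Not vendor code. MARKVISION_BIN overrides the install prefix (assumed
# variable, useful for testing); MITIGATE=1 clears the setuid bit on any
# vulnerable utility found, as a stopgap before upgrading to 4.4.
MARKVISION_BIN="${MARKVISION_BIN:-/usr/local/lexmark/markvision/bin}"
MITIGATE="${MITIGATE:-0}"

# Utilities the advisory reports as exploitable when installed setuid root.
VULN_UTILS="cat_network cat_parallel cat_serial"

# Prints one line per setuid utility found. Returns the number of listed
# utilities that are still setuid when the function finishes (0 = clean).
check_markvision_setuid() {
    remaining=0
    for name in $VULN_UTILS; do
        path="$MARKVISION_BIN/$name"
        [ -f "$path" ] || continue   # not installed on this host
        [ -u "$path" ] || continue   # installed without setuid: not exposed
        owner=$(ls -ld "$path" | awk '{print $3}')
        printf 'setuid %s owned by %s\n' "$path" "$owner"
        if [ "$MITIGATE" = 1 ] && chmod u-s "$path"; then
            printf '  cleared setuid bit on %s\n' "$path"
        else
            remaining=$((remaining + 1))
        fi
    done
    return "$remaining"
}

# Stand-alone run: report, and flag any setuid copies left in place.
check_markvision_setuid || printf 'vulnerable setuid utilities remain; upgrade to MarkVision 4.4\n'
```

Clearing the setuid bit stops the local privilege escalation but may break printing for unprivileged users, so it is a holding measure, not a replacement for the vendor update.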
[Fix]
Please upgrade to the latest version of the MarkVision drivers (4.4) at ftp://ftp.lexmark.com/pub/driver/unix/MarkVision/V4.4

[Acknowledgements]
While Lexmark did provide a fix for the problem after we disclosed it to them, they weren't particularly cooperative or speedy in doing so.

[Disclaimer]
Advice, directions and instructions on security vulnerabilities in this advisory do not constitute: an endorsement of illegal behavior; a guarantee that protection measures will work; an endorsement of any product or solution or recommendations on behalf of Secure Reality Pty Ltd. Content is provided as is and Secure Reality Pty Ltd does not accept responsibility for any damage or injury caused as a result of its use.