MCI Telecommunications internetMCI Security Group Report Name: iMCI MIIGS Security Alert Report Number: iMCISE:IMCIFREEBSD:112696:01:P1R1 Report Date: 11/26/96 Report Format: Formal Report Classification: MCI Informational Report Reference: http://www.security.mci.net Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file) ---------------------------------------------------------------------------- --- -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-96:18 Security Advisory FreeBSD, Inc. Topic: Buffer overflow in lpr Category: core Module: lpr Announced: 1996-11-25 Affects: FreeBSD 2.* Corrected: FreeBSD-current as of 1996/10/27 FreeBSD-stable as of 1996/11/01 FreeBSD only: no Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:18/ ============================================================================= I. Background The lpr program is used to print files. It is standard software in the FreeBSD operating system. This advisory is based on AUSCERT's advisory AA-96.12. The FreeBSD security-officers would like to thank AUSCERT for their efforts. II. Problem Description Due to its nature, the lpr program is setuid root. Unfortunately, the program does not do sufficient bounds checking on arguments which are supplied by users. As a result it is possible to overwrite the internal stack space of the program while it's executing. This can allow an intruder to execute arbitrary code by crafting a carefully designed argument to lpr. As lpr runs as root this allows intruders to run arbitrary commands as root. III. Impact Local users can gain root privileges. IV. Workaround AUSCERT has developed a wrapper to help prevent lpr being exploited using this vulnerability. This wrapper, including installation instructions, can be found in ftp://ftp.auscert.org.au/pub/auscert/advisory/ AA-96.12.lpr.buffer.overrun.vul V. Solution Apply one of the following patches. Patches are provided for FreeBSD-current (before 1996/10/27) (SA-96:18-solution.current) FreeBSD-2.0.5, FreeBSD-2.1.0, FreeBSD-2.1.5 and FreeBSd-stable (before 1996/11/01) (SA-96:18-solution.2xx) Patches can be found on ftp://freebsd.org/pub/CERT/patches/SA-96:18 ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMpn2wlUuHi5z0oilAQGjhgP/XON+ydyxEm2eiY87pmdLhlF3Qwz//YRB MtoVrr2PffZ4FKXCcpQbG30F9AYDL0ZD19Uo89g8rzOfKhhwanFdvixqoGAr15h0 jyLdLv0YoStbehBuyMUHebUplctYmTpHskz0Zhv0OOVtlUuCgh0Y2V4WfZI6RVsu 0B3ZMw8JRQo= =cw23 -----END PGP SIGNATURE----- ===============================================================