-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-15 Buffer Overflow In Sun Solaris in.lpd Print Daemon

   Original release date: June 29, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   * Solaris 2.6 for SPARC
   * Solaris 2.6 x86
   * Solaris 7 for SPARC
   * Solaris 7 x86
   * Solaris 8 for SPARC
   * Solaris 8 x86

Overview

   A buffer overflow exists in the Solaris BSD-style line printer daemon,
   in.lpd, that may allow a remote intruder to execute arbitrary code with
   the privileges of the running daemon. This daemon runs with root
   privileges on all default installations of the vulnerable Solaris
   systems listed above.

I. Description

   The Solaris in.lpd provides BSD-style services that let remote users
   interact with a local printer; it listens for remote requests on port
   515/tcp (printer). There is an unchecked buffer in the part of the code
   responsible for transferring print jobs from one machine to another. If
   given too many jobs to work on at once, the printer daemon may crash or
   allow arbitrary code to be executed with elevated privileges on the
   victim system.

   This problem was discovered by the ISS X-Force, who have released an
   advisory:

   http://xforce.iss.net/alerts/advise80.php

   The CERT/CC is releasing this advisory before patches are available to
   alert a broader community of users to this serious problem. Sun has
   suggested several steps system administrators can take in order to
   mitigate the risk this vulnerability represents. Sun recommends several
   workarounds which may be applied to vulnerable systems until production
   patches are available. These are enumerated in the "III. Solution"
   section of this document.

   Although the CERT/CC has not received any reports of this vulnerability
   being successfully exploited, we do strongly encourage all affected
   system administrators to take one or more of the recommended actions in
   "III. Solution."
   Such actions have proven effective at minimizing the likelihood of being
   successfully attacked using vulnerabilities similar to this one.

II. Impact

   A remote intruder may be able to execute arbitrary code with the
   privileges of the running daemon (typically root). In addition, a remote
   intruder may be able to crash vulnerable printer daemons.

III. Solution

Implement a workaround

   A number of different workaround strategies have been suggested for
   dealing with this problem until patches become available:

   * Disable the print service in /etc/inetd.conf if remote print job
     handling is unnecessary; see the ISS X-Force advisory for step-by-step
     details if needed

   * Enable the noexec_user_stack tunable (although this does not provide
     100 percent protection against exploitation of this vulnerability, it
     makes the likelihood of a successful exploit much smaller). Add the
     following lines to the /etc/system file and reboot:

        set noexec_user_stack = 1
        set noexec_user_stack_log = 1

   * Block access to network port 515/tcp (printer) at all appropriate
     network perimeters

   * Deploy tcpwrappers, also available in the tcpd-7.6 package at:

     http://www.sun.com/solaris/freeware.html#cd

Apply patches when available

   Sun is working on patches; they are not yet available. When ready, they
   will be part of the jumbo lp patch set to be released in July, identified
   by the following ids:

   * 106235-xx SunOS 5.6 for sparc
   * 106236-xx SunOS 5.6 for x86
   * 107115-xx SunOS 5.7 for sparc
   * 107116-xx SunOS 5.7 for x86
   * 109320-xx SunOS 5.8 for sparc
   * 109321-xx SunOS 5.8 for x86

   Note that the currently-available jumbo lp patches do not fix this
   vulnerability. The in.lpd daemon was not shipped by Sun prior to
   Solaris 2.6.

Appendix B. - References

   1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0353
   2. https://www.kb.cert.org/vuls/484011
   3. http://xforce.iss.net/alerts/advise80.php
   4. http://www.securityfocus.com/bid/2894
   5. http://www.sun.com/security
   6. http://www.sunfreeware.com/notes.html#tcp_wrappers
   7. http://www.sun.com/solaris/freeware.html#cd
   8. http://www.sun.com/software/solutions/blueprints/0601/jass_quick_start-v03.html
   _________________________________________________________________

   The CERT Coordination Center thanks Sun Microsystems for contributing to
   the creation of this advisory.
   _________________________________________________________________

   This document was written by Jeffrey S. Havrilla. If you have feedback
   concerning this document, please send email to:

   mailto:cert@cert.org?Subject=[VU#484011]%20Feedback%20CA-2001-15
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-15.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our
   public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from our
   web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send
   email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
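   The two host-level workarounds in "III. Solution" (disabling the printer
   service in /etc/inetd.conf and enabling noexec_user_stack in /etc/system)
   can be verified from the contents of those two files. The script below is
   an added example and is not part of the CERT advisory or of Sun's
   software: it takes the file contents as strings so it can be run against
   the constructed samples embedded in it, reports each workaround as OK or
   FINDING, and returns the number of workarounds still missing. The sample
   inetd.conf and /etc/system fragments are constructed for the example; the
   perimeter-filtering and tcpwrappers workarounds are outside what a local
   file check can confirm.

```shell
#!/bin/sh
# Added example (not from the CERT advisory): audit two host-level
# CA-2001-15 workarounds against the text of /etc/inetd.conf and /etc/system.
# Contents are passed as strings; on a real host feed the actual files, e.g.
#   audit_lpd_workarounds "$(cat /etc/inetd.conf)" "$(cat /etc/system)"

# Returns 0 (true) when an active (non-comment) inetd.conf line still
# defines the printer service or runs in.lpd, i.e. port 515/tcp is served.
lpd_enabled_in_inetd() {
    # $1: contents of /etc/inetd.conf
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -Eq '(^[[:space:]]*printer[[:space:]]|in\.lpd)'
}

# Returns 0 when an active /etc/system line sets noexec_user_stack = 1.
# Comment lines in /etc/system begin with '*'.
noexec_stack_set() {
    # $1: contents of /etc/system
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*\*' \
        | grep -Eq '^[[:space:]]*set[[:space:]]+noexec_user_stack[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Prints one line per workaround and returns how many are still missing (0-2).
audit_lpd_workarounds() {
    # $1: inetd.conf contents, $2: /etc/system contents
    missing=0
    if lpd_enabled_in_inetd "$1"; then
        echo "FINDING: in.lpd still enabled in /etc/inetd.conf (515/tcp served)"
        missing=$((missing + 1))
    else
        echo "OK: printer service not active in /etc/inetd.conf"
    fi
    if noexec_stack_set "$2"; then
        echo "OK: noexec_user_stack = 1 present in /etc/system (applies after reboot)"
    else
        echo "FINDING: noexec_user_stack not set in /etc/system"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample: default-style inetd.conf with the printer service on.
INETD_VULN='# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
printer stream  tcp     nowait  root    /usr/lib/print/in.lpd   in.lpd'

# Constructed sample: printer line commented out per the workaround.
INETD_FIXED='# /etc/inetd.conf (constructed sample, printer disabled)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
#printer stream  tcp     nowait  root    /usr/lib/print/in.lpd   in.lpd'

# Constructed sample: /etc/system without the tunable.
SYSTEM_VULN='* /etc/system (constructed sample)
set maxusers = 64'

# Constructed sample: /etc/system with the two lines from the advisory.
SYSTEM_FIXED='* /etc/system (constructed sample)
set maxusers = 64
set noexec_user_stack = 1
set noexec_user_stack_log = 1'

echo "== unmitigated host =="
audit_lpd_workarounds "$INETD_VULN" "$SYSTEM_VULN" || echo "$? workaround(s) missing"
echo "== mitigated host =="
audit_lpd_workarounds "$INETD_FIXED" "$SYSTEM_FIXED" && echo "0 workaround(s) missing"
```

   Commenting out the printer line only takes effect once inetd re-reads its
   configuration (a SIGHUP to inetd, as the ISS advisory's steps describe),
   and the noexec_user_stack setting only applies after the reboot the
   advisory calls for, so a passing file check is a necessary rather than a
   sufficient sign that the workaround is live.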
   ______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
   University makes no warranties of any kind, either expressed or implied
   as to any matter including, but not limited to, warranty of fitness for
   a particular purpose or merchantability, exclusivity or results obtained
   from use of the material. Carnegie Mellon University does not make any
   warranty of any kind with respect to freedom from patent, trademark, or
   copyright infringement.
   _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

Revision History

   June 29, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOz0FJwYcfu8gsZJZAQHccgP+NpQ2nCDdmtTOY33KO+Dowp0dq2P8fDU1
XKvdm6vL136JUWfRQ2gr531SDcTB1zODH4La+fynccmRNURbDaTzIeipLoopT9E+
pWPLDEnfDEqDieyhe2xGRS5S/Xs3np4orhAaFRo+iDR17wMuT/oNaY2p3DxrBNk2
XfOOp4C/zM4=
=9kyf
-----END PGP SIGNATURE-----