BSD lpd vulnerability
Updated 12/6/01
CAN 1999-0061
CVE 2001-0670
Impact
A remote user could execute arbitrary code on a properly configured
print server.
Background
BSD Unix operating systems include a Line Printer Daemon (lpd or
in.lpd) which provides printer service to local and remote users.
The printer service transfers print requests to printers, manages
printer queues, and provides job control functions to users.
The Problem
CVE 2001-0670
Due to a buffer overflow in the part of the code which processes
print requests, a remote attacker could execute arbitrary code on
the server with root privileges by sending a specially crafted,
incomplete print job to the printer service, and then requesting a
display of the printer queue.
The following operating systems contain a version of lpd
or in.lpd which is affected by this vulnerability:
- OpenBSD 2.9 and earlier [1]
- FreeBSD 4.3 and earlier
- NetBSD 1.5.1 and earlier
- BSD/OS 4.1 and earlier
- SCO OpenServer 5.0.6a and earlier
- IRIX 6.5 through 6.5.13
- SuSE Linux 6.1 through 7.2
[1] A second vulnerability affecting OpenBSD 3.0 and earlier could
allow an attacker to create arbitrary files in the root directory.
In order for this vulnerability to be exploited, the following
conditions must exist:
- The printer service must be configured.
- The printer service must be running.
- The attacker's host must be granted permission to use the printer service. The
/etc/hosts.equiv and /etc/hosts.lpd
files contain a list of hosts which are allowed to use the
service.
FreeBSD, OpenBSD, and BSD/OS cannot be exploited in a
default installation because the above conditions do
not exist. However, if the printer service has been turned on
and a configuration file is present and non-empty, they will become vulnerable.
Resolution
If print service is not needed, disable lpd or in.lpd.
This is done by issuing the following command when logged
on as root:
kill -9 <pid>
where <pid> is the process ID of the lpd or in.lpd process. Also, modify the
boot-up scripts so that the print service does not start again
when the machine is rebooted. The format of the boot-up scripts
varies among the different types of BSD Unix, but the scripts
can usually be found in /etc/rc*.
If print service is required, then a patch should be applied
as soon as possible. Check CERT Advisory 2001-30 for patch
information for your operating system. (OpenBSD users should also
check for patches to fix the second problem.)
It would also be advisable to
allow access only to trusted hosts. This can be done by modifying
the /etc/hosts.equiv and /etc/hosts.lpd
files such that they only contain a list of trusted hosts.
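The following shell script is an added example, not part of the original advisory. It checks the three exposure conditions listed above and reports access-file entries that are not on an approved list. It assumes /etc/printcap is the lpd configuration file; the approved-list path /etc/lpd.approved and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the lpd exposure conditions on one host.
# Assumptions: /etc/printcap is the lpd configuration file;
# /etc/lpd.approved is a hypothetical one-host-per-line approved list.

# Active entries of a hosts.equiv / hosts.lpd style file
# (comments and blank lines removed, whitespace normalized).
allowed_hosts() {
    [ -r "$1" ] || return 0
    awk '{ sub(/#.*/, "") } NF { $1 = $1; print }' "$1"
}

# Entries in access file $1 that are absent from approved list $2.
# A leading "+" (trust-all or netgroup entry) is always reported.
# If the approved list is unreadable, every entry is reported.
unapproved_hosts() {
    allowed_hosts "$1" | while read -r entry; do
        case "$entry" in
            +*) echo "$entry (wildcard)" ;;
            *)  grep -qxF -e "$entry" "$2" 2>/dev/null || echo "$entry" ;;
        esac
    done
}

# True if an lpd or in.lpd process is present.
lpd_running() {
    ps -A -o comm= 2>/dev/null | grep -Eq '(^|/)(in\.)?lpd$'
}

# $1 = printcap, $2 = approved list, $3 = directory holding the access files.
lpd_report() {
    printcap=${1:-/etc/printcap}; approved=${2:-/etc/lpd.approved}; etc=${3:-/etc}
    if [ -s "$printcap" ]; then echo "configured: yes"; else echo "configured: no"; fi
    if lpd_running; then echo "running: yes"; else echo "running: no"; fi
    for f in "$etc/hosts.equiv" "$etc/hosts.lpd"; do
        unapproved_hosts "$f" "$approved" | sed "s|^|unapproved in $f: |"
    done
}

# Constructed sample data: run with the argument "demo" to audit a scratch directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
    printf 'lp:lp=/dev/lp0:sd=/var/spool/lpd\n' > "$d/printcap"
    printf 'printhost1\n' > "$d/approved"
    printf '# lab\nprinthost1\nold-ws7\n+\n' > "$d/hosts.lpd"
    lpd_report "$d/printcap" "$d/approved" "$d"
fi
```

Calling lpd_report with no arguments audits the live files under /etc.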
CAN 1999-0061
CVE 1999-0299
Very old versions of BSD operating systems (prior to 1998) may
contain other vulnerabilities which could allow remote access.
These operating systems should be upgraded, or lpd should be
disabled.
Where can I read more about this?
This vulnerability was reported in
CERT Advisory 2001-30 and
X-Force Alert 94.