BSD lpd vulnerability

Updated 12/6/01
CAN 1999-0061
CVE 2001-0670

Impact

A remote user could execute arbitrary code on a properly configured print server.

Background

BSD Unix operating systems include a Line Printer Daemon (lpd or in.lpd) which provides printer service to local and remote users. The printer service transfers print requests to printers, manages printer queues, and provides job control functions to users.

The Problem

CVE 2001-0670
Due to a buffer overflow in the part of the code which processes print requests, a remote attacker could execute arbitrary code on the server with root privileges by sending a specially crafted, incomplete print job to the printer service, and then requesting a display of the printer queue. The following operating systems contain a version of lpd or in.lpd which is affected by this vulnerability:

A second vulnerability affecting OpenBSD 3.0 and earlier could allow an attacker to create arbitrary files in the root directory.

In order for this vulnerability to be exploited, the following conditions must exist:

  1. The printer service must be configured.
  2. The printer service must be running.
  3. The attacker's host must be granted permission to use the printer service. The /etc/hosts.equiv and /etc/hosts.lpd files list the hosts which are allowed to use the service.

FreeBSD, OpenBSD, and BSD/OS cannot be exploited in a default installation because the above conditions are not met. However, if the printer service has been turned on and a configuration file is present and non-empty, they become vulnerable.

Resolution

If print service is not needed, disable lpd or in.lpd. This is done by issuing the following command when logged on as root:
kill -9 <pid>
where <pid> is the process ID. Also, modify the boot-up scripts so that the print service does not start again when the machine is rebooted. The format of the boot-up scripts varies among the different types of BSD Unix, but the scripts can usually be found in /etc/rc*.

If print service is required, then a patch should be applied as soon as possible. Check CERT Advisory 2001-30 for patch information for your operating system. (OpenBSD users should also check for patches to fix the second problem.) It would also be advisable to allow access only to trusted hosts. This can be done by modifying the /etc/hosts.equiv and /etc/hosts.lpd files such that they only contain a list of trusted hosts.
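
The following script is an added example, not part of the original advisory. It checks the three conditions listed above on a single host and reports how many entries /etc/hosts.equiv and /etc/hosts.lpd grant access to. It assumes the printer configuration file is /etc/printcap (the usual file for BSD lpd, not named in this advisory) and that "#" starts a comment; the function names are illustrative.

```sh
#!/bin/sh
# Added example: check the three exposure conditions for BSD lpd on this host.
# /etc/printcap as the printer configuration file is an assumption (standard
# for BSD lpd, not named on the page); function names are illustrative.

# Print active entries: comments (#...) and surrounding blanks removed.
active_entries() {
    [ -r "$1" ] || return 0
    awk '{ sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") } NF' "$1"
}

# Condition 1: the configuration file is present and non-empty.
lpd_configured() {
    [ -n "$(active_entries "${1:-/etc/printcap}")" ]
}

# Condition 2: an lpd or in.lpd process is running.
lpd_running() {
    ps -A -o comm= 2>/dev/null | grep -Eq '(^|/)(in\.)?lpd$'
}

# Condition 3 helpers: how many entries a file holds, and which of them
# are a bare "+", which in hosts.equiv syntax trusts every host.
count_entries() {
    active_entries "$1" | wc -l | tr -d ' '
}
wildcard_entries() {
    active_entries "$1" | awk '$1 == "+"'
}

# Usage: audit_lpd <printcap> <access-file>...
audit_lpd() {
    printcap=$1; shift
    met=0; allowed=0
    if lpd_configured "$printcap"; then met=$((met + 1)); fi
    if lpd_running; then met=$((met + 1)); fi
    for f in "$@"; do
        n=$(count_entries "$f")
        allowed=$((allowed + n))
        echo "$f: $n entries"
        if [ -n "$(wildcard_entries "$f")" ]; then
            echo "  WARNING: '+' entry in $f trusts every host"
        fi
    done
    if [ "$allowed" -gt 0 ]; then met=$((met + 1)); fi
    echo "exposure conditions met: $met of 3"
}

audit_lpd /etc/printcap /etc/hosts.equiv /etc/hosts.lpd
```

A result of 3 of 3 means the host meets every condition listed above and should be patched or have lpd disabled; any "+" entry should be replaced with an explicit list of trusted hosts.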

CAN 1999-0061
CVE 1999-0299
Very old versions of BSD operating systems (prior to 1998) may contain other vulnerabilities which could allow remote access. These operating systems should be upgraded or lpd should be disabled.

Where can I read more about this?

This vulnerability was reported in CERT Advisory 2001-30 and X-Force Alert 94.