Linux lpd vulnerability

Updated 6/14/02
CAN 1999-0061
CVE 2002-0363

Impact

A remote user could execute arbitrary code on a properly configured print server.

Background

Printing is handled by a process called lpd. The lpd process is a UNIX daemon that accepts print requests from local and remote users.

The Problems


Transmission of Sendmail options

11/6/01
A vulnerability in lpd could allow a remote attacker to send options to Sendmail. By sending an option which specifies another configuration file, the attacker could gain root access to the server. Debian 2.1 and 2.1r4, Mandrake 6.0, 6.1, 7.0, and 7.1, and Red Hat 6.0 are affected by this vulnerability.


Hostname Authentication Bypass

11/6/01
Due to a flaw in the line printer daemon's hostname authentication function, a remote attacker who would otherwise be denied access to the print server could gain access by falsifying the DNS record of the attacking host such that it resolves to the same host name as the print server. This vulnerability could be used in conjunction with other vulnerabilities to gain root access from a host which is not listed in /etc/hosts.equiv or /etc/hosts.lpd. Exploitation of this vulnerability would require the attacker to have control of his or her own DNS server.

Debian 2.1 and 2.1r4, and Red Hat 6.0 are affected by this vulnerability.
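The following is an added illustration, not code from the advisory or from any lpd implementation: a simplified model of lpd-style host authorization that contrasts a reverse-DNS-only check (which an attacker-controlled PTR record defeats, as described above) with a forward-confirmed lookup. The host names, addresses, and the exact shape of the flawed check are constructed assumptions for the example.

```python
# Added example: model of lpd host authorization against /etc/hosts.lpd.
# Not taken from the advisory or any real lpd source; all DNS data is constructed.

# Constructed /etc/hosts.lpd contents: one permitted host name per line.
HOSTS_LPD = """
# hosts permitted to print
client1.example.test
"""

# The print server's own host name (assumed value).
SERVER_NAME = "printsrv.example.test"

# Constructed DNS data. The attacker controls reverse DNS for 203.0.113.9 and
# has pointed its PTR record at the print server's own name.
REVERSE = {
    "198.51.100.5": "client1.example.test",
    "203.0.113.9": "printsrv.example.test",
}
FORWARD = {
    "client1.example.test": {"198.51.100.5"},
    "printsrv.example.test": {"192.0.2.10"},
}


def load_hosts_lpd(text):
    """Parse hosts.lpd-style text into the set of permitted host names."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def weak_check(peer_ip, allowed, reverse=REVERSE):
    """Modelled flaw: trusts the PTR name alone, and treats a peer whose PTR
    name equals the server's own name as the local host (assumed behaviour)."""
    name = reverse.get(peer_ip)
    return name is not None and (name == SERVER_NAME or name in allowed)


def fcrdns_check(peer_ip, allowed, reverse=REVERSE, forward=FORWARD):
    """Hardened check: the PTR name must be in the access list AND must
    forward-resolve back to the connecting address (forward-confirmed
    reverse DNS). The server's own name grants nothing by itself."""
    name = reverse.get(peer_ip)
    if name is None or name not in allowed:
        return False
    return peer_ip in forward.get(name, set())
```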


ghostscript Command Execution

6/14/02
CVE 2002-0363
GNU ghostscript is a program for displaying PostScript files or printing them to non-PostScript printers. ghostscript is often used during the course of printing a document and is run as user lp. An untrusted PostScript file can cause ghostscript to execute arbitrary commands due to insufficient checking.

The following releases (architectures) of Red Hat Linux are vulnerable: 6.2 (alpha, i386, noarch, sparc), 7.0 (alpha, i386, noarch), 7.1 (alpha, i386, ia64), 7.2 (i386, ia64), and 7.3 (i386).


lprold Buffer Overflow

10/23/01
The BSD version of lpd included in the lprold package which is shipped with the SuSE Linux operating system is affected by a buffer overflow condition which could allow a remote attacker to gain root access. In order for the vulnerability to be exploited, the print service would need to be configured and running, and the attacker's address would need to be included in the /etc/hosts.equiv or /etc/hosts.lpd file on the server.

Resolutions

If the print service is not needed, disable lpd. Otherwise, these vulnerabilities can be fixed by applying the appropriate patch. See SuSE Security Announcement 2001:033 for patch information on the lprold vulnerability. See CERT Advisory 2001-30 for patch information on the Sendmail option vulnerability and the hostname authentication bypass.

To resolve the ghostscript command execution vulnerability, either install the source release of GNU ghostscript version 6.53 or later, or see Red Hat Security Advisory RHSA-2002:083-22 for patch information.

Where can I read more about this?

Details on these vulnerabilities can be found in the L0pht Security Advisory, CERT Advisory 2001-30, SuSE Security Announcement 2001:033, and Red Hat Security Advisory RHSA-2002:083-22.