Sun lpd vulnerability
Updated 11/6/01
CVE-2001-0353
Impact
A remote user could execute arbitrary code on a properly configured
print server.
Background
By default, Solaris operating systems are installed with
the in.lpd process running.
The in.lpd process is a UNIX daemon that accepts print
requests from local and remote users.
The Problem
Due to a buffer overflow in the transfer job routine,
in.lpd can be exploited by a remote attacker
to execute arbitrary code with root privileges on the
server.
Update 11/6/01: A second vulnerability could allow a remote attacker to
send options to Sendmail, which could be used to specify another
Sendmail configuration file, resulting in root access.
Solaris 2.6, 7, and 8 (SunOS 5.6, 5.7, and 5.8) are affected by
this vulnerability.
Resolution
If print service is not needed, disable in.lpd.
This can be done by finding the line in /etc/inetd.conf
which begins with the word printer and inserting
a pound sign (#) at the beginning of the line.
Be sure to restart the inetd process afterwards.
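The steps above as a shell example, added here and not part of the original advisory. It runs against a constructed sample file rather than the live /etc/inetd.conf; the function names and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example: disable the "printer" (in.lpd) entry in an inetd.conf file.
# It works on a constructed sample copy, never on the live /etc/inetd.conf.

# Write a constructed sample inetd.conf to the given path.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real host
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd       in.ftpd
printer stream  tcp  nowait  root  /usr/lib/print/in.lpd   in.lpd
EOF
}

# Succeed if an active (uncommented) line begins with the word "printer".
printer_enabled() {
    grep '^printer[[:space:]]' "$1" >/dev/null
}

# Comment out the printer line, keeping the original as FILE.bak.
# Safe to run twice: an already-disabled file is left untouched.
disable_printer() {
    conf=$1
    printer_enabled "$conf" || return 0
    cp -p "$conf" "$conf.bak" || return 1
    sed 's/^printer[[:space:]]/#&/' "$conf.bak" > "$conf" || return 1
    ! printer_enabled "$conf"
}

sample="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
make_sample "$sample"
printer_enabled "$sample" && echo "before: in.lpd is enabled"
disable_printer "$sample"
printer_enabled "$sample" || echo "after: in.lpd is disabled"
grep 'printer' "$sample"
rm -f "$sample" "$sample.bak"
# On the real server, run disable_printer on /etc/inetd.conf as root, then make
# inetd reread it (assumption: send it SIGHUP with kill -HUP <inetd pid>).
```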
If print service is required, the first vulnerability can be fixed by applying the appropriate
patch.
Until the patch is installed, it is recommended that access to TCP port 515 on the
server be blocked at the firewall or gateway router. The patches
for this vulnerability are:
106235-09 SunOS 5.6: lp patch
106236-09 SunOS 5.6_x86: lp patch
107115-09 SunOS 5.7: LP patch
107116-09 SunOS 5.7_x86: LP patch
109320-04 SunOS 5.8: LP patch
109321-04 SunOS 5.8_x86: LP patch
Where can I read more about this?
Details on this vulnerability can be found in CERT
Advisory 2001-15, CERT Advisory 2001-30,
and in CIAC Bulletin L-138.