COMMAND

    in.lpd

SYSTEMS AFFECTED

    Solaris 2.6, 7, 8 (x86 and Sparc)

PROBLEM

    Following  is  based  on  a  Internet  Security  Systems  Security
    Advisory.   ISS X-Force  has discovered  a buffer  overflow in the
    Solaris line printer  daemon (in.lpd) that  may allow a  remote or
    local attacker to crash the daemon or execute arbitrary code  with
    super user privilege.   This daemon runs  with root privileges  by
    default on all current Solaris versions.

    Solaris  installs  the  in.lpd  line  printer software by default.
    This  vulnerability  may  allow  a  remote  attacker  to   execute
    arbitrary commands without  restriction.  No  local access to  the
    target system is required to exploit this vulnerability.

    The Solaris BSD  print protocol daemon  provides an interface  for
    remote users to interact with a local printer.  The in.lpd  daemon
    listens  on  the  network  for  remote  requests  on port 515.  By
    listening  for  remote  requests,  there  is  an opportunity for a
    malicious  user  to  exploit  this  vulnerability  remotely.   The
    in.lpd daemon  provides extensive  functionality to  network users
    who intend to print documents over a network.  There is a flaw  in
    the "transfer job" routine, which may allow attackers to  overflow
    an unchecked buffer.  Attackers may exploit this vulnerability  to
    crash the printer daemon, or execute arbitrary code as super  user
    on a target system.

    All  current  versions  of  Solaris  install and enable the in.lpd
    daemon by default.

SOLUTION

    Sun  Microsystems  has  informed  ISS  X-Force that patches are in
    development and will be made available in July.  Sun  Microsystems
    has provided ISS  X-Force with following  patch information.   ISS
    X-Force recommends installing a patch for this vulnerability  when
    they are made available.

        106235-09 SunOS 5.6: lp patch
        106236-09 SunOS 5.6_x86: lp patch
        107115-08 SunOS 5.7: LP patch
        107116-08 SunOS 5.7_x86: LP patch
        109320-04 SunOS 5.8: LP patch
        109321-04 SunOS 5.8_x86: LP patch