COMMAND
in.lpd
SYSTEMS AFFECTED
Solaris 2.6, 7, 8 (x86 and Sparc)
PROBLEM
The following is based on an Internet Security Systems Security
Advisory. ISS X-Force has discovered a buffer overflow in the
Solaris line printer daemon (in.lpd) that may allow a remote or
local attacker to crash the daemon or execute arbitrary code with
super user privileges. This daemon runs with root privileges by
default on all current Solaris versions.
Solaris installs the in.lpd line printer software by default.
This vulnerability may allow a remote attacker to execute
arbitrary commands without restriction. No local access to the
target system is required to exploit this vulnerability.
The Solaris BSD print protocol daemon provides an interface for
remote users to interact with a local printer. The in.lpd daemon
listens on the network for remote requests on port 515. By
listening for remote requests, there is an opportunity for a
malicious user to exploit this vulnerability remotely. The
in.lpd daemon provides extensive functionality to network users
who intend to print documents over a network. There is a flaw in
the "transfer job" routine, which may allow attackers to overflow
an unchecked buffer. Attackers may exploit this vulnerability to
crash the printer daemon, or execute arbitrary code as super user
on a target system.
All current versions of Solaris install and enable the in.lpd
daemon by default.
SOLUTION
Sun Microsystems has informed ISS X-Force that patches are in
development and will be made available in July. Sun Microsystems
has provided ISS X-Force with the following patch information. ISS
X-Force recommends installing the patch for your release as soon
as it is made available.
106235-09 SunOS 5.6: lp patch
106236-09 SunOS 5.6_x86: lp patch
107115-08 SunOS 5.7: LP patch
107116-08 SunOS 5.7_x86: LP patch
109320-04 SunOS 5.8: LP patch
109321-04 SunOS 5.8_x86: LP patch
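Two defender-side checks that follow from the PROBLEM and SOLUTION sections above, written here as an added example (not part of the advisory and not Sun's or ISS's code): one compares the patch list above against `showrev -p` output to tell whether the LP patch (or a later revision of the same patch id) is installed, the other tells whether in.lpd is still enabled in /etc/inetd.conf, since the daemon is only reachable on tcp/515 while that line is active. The `showrev -p` line format and the inetd.conf "printer" line (including the /usr/lib/print/in.lpd path) are assumed from Solaris 2.6-8; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or Sun): defender-side checks for the
# Solaris in.lpd buffer overflow.
#   lp_patch_status - is the LP patch from the advisory (or a later revision
#                     of the same patch id) listed in `showrev -p` output?
#   lpd_enabled     - is the in.lpd "printer" service still active in inetd.conf?
# Both take their input as an argument so they can be run against captured
# output from another host as well as locally.

# Patch id/revision per Solaris release, copied from the advisory.
REQUIRED="5.6:106235-09 5.6_x86:106236-09 5.7:107115-08 5.7_x86:107116-08 5.8:109320-04 5.8_x86:109321-04"

# required_patch RELEASE  -> prints e.g. "109320-04" for release "5.8"
required_patch() {
    for entry in $REQUIRED; do
        case "$entry" in
            "$1:"*) echo "${entry#*:}"; return 0 ;;
        esac
    done
    return 1
}

# lp_patch_status RELEASE "SHOWREV_OUTPUT"
# Prints "patched" / "unpatched" and returns 0 / 1. A higher revision of the
# same patch id counts as patched; a different patch id (e.g. the x86 patch
# on a SPARC release) does not.
lp_patch_status() {
    want=$(required_patch "$1") || { echo "unknown release: $1" >&2; return 2; }
    base=${want%-*}
    wantrev=$(expr "${want#*-}" + 0)      # strip the leading zero ("04" -> 4)
    # `showrev -p` (assumed format) prints one
    #   "Patch: <id>-<rev> Obsoletes: ... Requires: ... Packages: ..."
    # line per installed patch; keep the highest revision of the wanted id.
    have=$(printf '%s\n' "$2" | awk -v base="$base" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == base && p[2] + 0 > max) max = p[2] + 0 }
        END { print max + 0 }')
    if [ "$have" -ge "$wantrev" ]; then echo patched; return 0; fi
    echo unpatched; return 1
}

# lpd_enabled "INETD_CONF_TEXT"
# Returns 0 if an uncommented "printer stream ..." line is present (in.lpd
# accepts connections on tcp/515), 1 otherwise. Commenting that line out and
# sending inetd a HUP removes the daemon from hosts that never accept jobs.
lpd_enabled() {
    printf '%s\n' "$1" | awk '$1 == "printer" && $2 == "stream" { found = 1 } END { exit !found }'
}

# Constructed sample input in the format of `showrev -p` and /etc/inetd.conf
# (patch 109320 at revision 02, i.e. below the -04 the advisory requires).
SAMPLE_SHOWREV='Patch: 108528-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWarc
Patch: 109320-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsu, SUNWpsr'
SAMPLE_INETD='# inetd.conf excerpt; the printer line below is assumed to match Solaris
printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd'

# Stand-alone run against the constructed samples. On a real host use
#   lp_patch_status "$(uname -r)" "$(showrev -p)"     # append _x86 on x86
#   lpd_enabled "$(cat /etc/inetd.conf)"
if [ "${1:-}" = "--demo" ]; then
    lp_patch_status 5.8 "$SAMPLE_SHOWREV"
    lpd_enabled "$SAMPLE_INETD" && echo "in.lpd is enabled in inetd.conf"
fi
```

Run with `sh check_lpd.sh --demo` to see the constructed sample reported as unpatched with in.lpd enabled; on a Solaris host, feed the real `showrev -p` and inetd.conf output as shown in the comments. Until the patch for a release is installed, disabling the inetd entry on hosts that do not need to accept remote print jobs removes the tcp/515 exposure the advisory describes.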