Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» FreeBSD » Buffer overflow in lpr

Buffer overflow in lpr

Due to its nature, the lpr program is setuid root. Unfortunately, the program does not do sufficient bounds checking on arguments which are supplied by users. As a result it is possible to overwrite the internal stack space of the program while it's executing. This can allow an intruder to execute arbitrary code by crafting a carefully designed argument to lpr. As lpr runs as root this allows intruders to run arbitrary commands as root.

  • Vendor: FreeBSD
  • Vendor ID: SA-96:18
  • Date: November 25, 1996


-----BEGIN PGP SIGNED MESSAGE-----

=====================================================================
FreeBSD-SA-96:18 Security Advisory
FreeBSD, Inc.

Topic: Buffer overflow in lpr (revised)

Category: core
Module: lpr
Announced: 1996-11-25
Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1.5
Corrected: FreeBSD-current as of 1996/10/27
FreeBSD-stable as of 1996/11/01
FreeBSD 2.2 and 2.1.6 releases
FreeBSD only: no

Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:18/

=====================================================================

I. Background

The lpr program is used to print files. It is standard software
in the FreeBSD operating system.

This advisory is based on AUSCERT's advisory AA-96.12. The FreeBSD
security-officers would like to thank AUSCERT for their efforts.

This is a revised advisory, issued to state clearly exactly which
versions of FreeBSD are vulnerable.

II. Problem Description

Due to its nature, the lpr program is setuid root. Unfortunately,
the program does not do sufficient bounds checking on arguments which
are supplied by users. As a result it is possible to overwrite the
internal stack space of the program while it's executing. This can
allow an intruder to execute arbitrary code by crafting a carefully
designed argument to lpr. As lpr runs as root this allows intruders
to run arbitrary commands as root.


III. Impact
Local users can gain root privileges.


IV. Workaround

AUSCERT has developed a wrapper to help prevent lpr being exploited
using this vulnerability. This wrapper, including installation
instructions, can be found in
ftp://ftp.auscert.org.au/pub/auscert/advisory/
AA-96.12.lpr.buffer.overrun.vul

V. Solution

Apply one of the following patches. Patches are provided for
FreeBSD-current (before 1996/10/27) (SA-96:18-solution.current)
FreeBSD-2.0.5, FreeBSD-2.1.0, FreeBSD-2.1.5 and
FreeBSd-stable (before 1996/11/01) (SA-96:18-solution.2xx)

Patches can be found on ftp://freebsd.org/pub/CERT/patches/SA-96:18

=====================================================================
FreeBSD, Inc.

Web Site: http://www.freebsd.org/
Confidential contacts: [email protected]
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: [email protected]
Security public discussion: [email protected]

Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=====================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMptSe1UuHi5z0oilAQEWJwP5AZbCK/p+LJLDTOp68CARC18JB8+VF4DI
2qeGrMRxtWRJXD+MWV2llWbQBvX0iE53zzb7su0KYuq38zmVyoN6GM5KaRgRbHJC
tjEYrQ5AQK0an3C8ACOEy5Tt4PU10BPZlssWHWotTOpPeVIzjj7RZqSJLywSwoIh
wGzvSrEpYSk=
=r1Lc
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »