| VID |
23005 |
| Severity |
40 |
| Port |
515 |
| Protocol |
TCP |
| Class |
LPD |
| Detailed Description |
The line printer daemon (in.lpd) is running on the solaris system. Buffer overflow in the line printer daemon for Solaris 2.8 and earlier allows remote attackers to gain root privileges.
The Solaris BSD print protocol daemon provides an interface for remote users to interact with a local printer. All current versions of Solaris install and enable the in.lpd daemon by default. The in.lpd daemon listens on the network for remote requests on port 515. The in.lpd daemon provides extensive functionality to network users who intend to print documents over a network. There is a flaw in the "transfer job" routine, which may allow attackers to overflow an unchecked buffer. Attackers may exploit this vulnerability to crash the printer daemon, or execute arbitrary code as super user on a target system.
* References:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise80
http://www.securityfocus.com/bid/2894 |
| Recommendation |
Administrators are strongly advised to either apply network access control to the service or disable 'in.lpd'. Sun Microsystems has acknowledged this vulnerability. The patch ID numbers have been made available. The actual patches will reportedly not be downloadable until July 2001.
The patch numbers are listed below:
106235-09 SunOS 5.6: lp patch
106236-09 SunOS 5.6_x86: lp patch
107115-08 SunOS 5.7: LP patch
107116-08 SunOS 5.7_x86: LP patch
109320-04 SunOS 5.8: LP patch
109321-04 SunOS 5.8_x86: LP patch
Until these patches are released, We recommend that the in.lpd daemon be disabled on all vulnerable systems. To disable the in.lpd daemon:
1. Change user to root.
2. Open /etc/inetd.conf in any text editor.
3. Search for the line beginning with "printer".
4. Insert a comment, or "#" character at the beginning of this line.
5. Restart inetd. |
| Related URL |
CVE-2001-0353 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
