H-56: Solaris 2.x lp Print Service Vulnerability

PROBLEM:       A vulnerability exists in the lp print service temporary files 
               creation. 
PLATFORM:      Solaris 2.4, 2.5 and 2.5.1.  Earlier versions of Solaris may 
               also be vulnerable. 
DAMAGE:        This vulnerability may allow local users to gain lp privileges, 
               which may be leveraged to gain root access. 
SOLUTION:      Until vendor patches are made available, apply the workaround 
               in Section 3.1. 
VULNERABILITY  Exploit details involving this vulnerability have been made 
ASSESSMENT:    publicly available. 


[     Start AUSCERT Advisory     ]


===========================================================================
AA-97.15                        AUSCERT Advisory
               Solaris 2.x lp temporary files creation vulnerability
                                  13 May 1997

Last Revised: --

----------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the lp
print service under Solaris 2.4, 2.5 and 2.5.1.  Earlier versions of
Solaris may also be vulnerable.

This vulnerability may allow local users to gain lp privileges. This may be
leveraged to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

----------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    Solaris 2.x lp print service.  The lp print service is used to print
    files on local and remote printers.

    This problem is known to be present in the lp print service distributed
    with Solaris 2.4, 2.5 and 2.5.1.  Earlier versions of Solaris may also
    be vulnerable.

    Due to a problem with insecure file creation, it is possible to force
    the lp print service to create, or overwrite arbitrary files with the
    privileges of the lp user.  This may be leveraged to gain root
    privileges.

    Exploit information involving this vulnerability has been made publicly
    available.

2.  Impact

    Local users may create arbitrary files as the lp user.  This may be
    leveraged to gain root access.

3.  Workarounds/Solution

    AUSCERT recommends that sites prevent the exploitation of this
    vulnerability in the lp print service by immediately applying the
    workaround given in Section 3.1.

    Currently there are no vendor patches available that address this
    vulnerability.  AUSCERT recommends that official vendor patches be
    installed when they are made available.

3.1 Modify lp configuration

    To prevent the exploitation of the vulnerability described in this
    advisory, AUSCERT recommends applying the following steps:

    1.  su to root

    2.  Before continuing, all printing services must be stopped and the
        printing queue emptied.

	To reject any new jobs to the printing queue use the command:

	# /usr/sbin/reject printer_queue

	and wait until the printing queue is emptied.

        To stop the print service use the command:

	# /etc/init.d/lp stop
	Print services stopped.

    3.  The file /etc/init.d/lp needs to be edited to set the umask for
	this service to 022. Files created by lp printing service will
	now inherit this umask and not be created as world writable.

	Using your favorite editor, edit the file /etc/init.d/lp and
        change the line

		state=$1

	to

		umask 022
		state=$1

    4.  The original log files may have been created with insecure
	permission settings, therefore containing information that cannot
	be trusted.  Its best to rename or remove these files.

	The files will be re-created by lp printing service with the
	correct permissions after the printing service is re-started.

	Before executing the following commands make sure that there are
	no jobs pending on the queue.

	# mv -i /var/lp/logs/lpNet /var/lp/logs/lpNet.previous
	# mv -i /var/lp/logs/lpsched /var/lp/logs/lpsched.previous
	# mv -i /var/lp/logs/requests /var/lp/logs/requests.previous

    5.  Change the default location of the temporary files to /var/lp/ 

	# echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postio - 
	# echo 'Options: PRINTER * = -L/var/lp/*.log' | lpfilter -f postior -

    6.  Re-start printing services:

	# /etc/init.d/lp start
	Print services started.

    7.  If you used the command reject on step 2, use the following command
        to allow printing queue to be re-enabled:
	
	# /usr/sbin/accept printer_queue


[     End AUSCERT Advisory     ]

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/