e-25a.BSD-lpr-vuln-in-SGI-IRIX
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________
INFORMATION BULLETIN
BSD lpr Vulnerability in SGI IRIX
May 19, 1994 1600 PDT Number E-25a
______________________________________________________________________________
Corrections to E-25 untar command. IRIX 4.0 lpr.latest.Z Sum_Checksum.
______________________________________________________________________________
PROBLEM:   The optional print subsystem BSD lpr can be used to
           create or overwrite any file on the system.
PLATFORM:  SGI workstations running the following operating system
           versions: IRIX 5.0, 5.0.1, 5.1.x, 5.2, and any 4.0.5.
DAMAGE:    Any user with lpr(1) access may gain root privilege.
SOLUTION:  Install new lpr spooler system available from SGI.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: Notices of this vulnerability along with a script to
exploit it have been widely distributed on the Internet. CIAC and SGI recommend
sites install the appropriate fix immediately.
______________________________________________________________________________
Critical Information about BSD lpr Vulnerabilities in SGI IRIX

CIAC has learned of a vulnerability in the BSD lpr spooling system. This
optionally installed subsystem for all SGI platforms allows interoperability
with other BSD lpr systems, such as SunOS, DEC Ultrix, and Novell. Many SGI
systems replace the standard AT&T System V lp and lpsched print spooler with
the optional BSD subsystem (eoe2.sw.bsdlpr).

This vulnerability affects all SGI workstations running IRIX 5.0, 5.0.1,
5.1.x, 5.2 and 4.0.5 (all versions). A command flag allows users to create
symbolic links in the lpd spool directory. After a number of invocations, lpr
will reuse the filename in the spool directory, following the previously
established link. By allowing the creation or overwriting of any file the
link points to, any user with lpr(1) access can obtain root privilege.
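
The file-creation flaw described above, shown next to the creation flags that close it. This is an added example, not code from the bulletin or from SGI's lpr; the function names, the spool file name dfA001host and the protected.conf stand-in are hypothetical, and everything runs inside a temporary directory.

```python
import os
import tempfile

def write_spool_naive(path, data):
    # Follows a pre-existing symlink and truncates whatever it points to.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def write_spool_hardened(path, data):
    # O_EXCL makes creation fail if the name already exists, symlinks included;
    # O_NOFOLLOW additionally refuses a symlink as the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def read(path):
    with open(path, "rb") as f:
        return f.read()

def demo():
    """Run both writers against a constructed spool directory in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "spool")
        os.mkdir(spool)
        protected = os.path.join(root, "protected.conf")  # stands in for a root-owned file
        with open(protected, "wb") as f:
            f.write(b"original\n")
        reused = os.path.join(spool, "dfA001host")  # hypothetical reused spool name
        os.symlink(protected, reused)               # stale link left by an earlier job
        result = {}
        try:
            write_spool_hardened(reused, b"job data\n")
            result["hardened"] = "written"
        except FileExistsError:
            result["hardened"] = "refused"
        result["after_hardened"] = read(protected)
        write_spool_naive(reused, b"job data\n")
        result["after_naive"] = read(protected)
        return result

if __name__ == "__main__":
    print(demo())
```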

SGI has produced corrected versions of the lpr software which may be obtained
from your SGI service/support provider or via anonymous FTP from ftp.sgi.com
(192.48.153.1). Transfer in BINARY mode, as follows:

    for IRIX 5.*.* systems: ~ftp/sgi/IRIX5.0/lpr/lpr.latest.Z
    for IRIX 4.0.5 systems: ~ftp/sgi/IRIX4.0/lpr/lpr.latest.Z

Decompress and untar these files using "zcat lpr.latest.Z | tar -xvf -" and     |
checksum these files using "sum -r lpr*" and md5 to yield the following:

IRIX 5.*.*         bytes    sum_checksum    md5_checksum
lpr.latest.Z       22331    61762 44        3a215a1f9b336cc4f76ca3e7a6b9bdcc
lpr.new            41120    22489 81        6f55d6a7620ca5c4188230a3b4dd50be
lpr.new.install     1575    63777 4         be021e98c346a3d49c27f00e43ca87ef

IRIX 4.0.5         bytes    sum_checksum    md5_checksum
lpr.latest.Z       87469    03015 171       d40c8c84e219045e56297cd36e6a77d5   |
lpr.new           171016    21563 335       641f6ca953c8163d9085f99114df5289
lpr.new.install     1575    63777 4         be021e98c346a3d49c27f00e43ca87ef

Note: md5 checksum utility is available via anonymous FTP from CIAC's
server irbis.llnl.gov (soon to be renamed ciac.llnl.gov) as md5.tar in
directory /pub/util/crypto.
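
A verifier for the table above, as an added example that is not part of the original bulletin: it recomputes the byte count, the BSD "sum -r" checksum and block count, and the MD5 digest of a file's contents and reports which fields differ from the published entry. The function names are hypothetical, and the 512-byte block size is an assumption inferred from the table (22331 bytes listed as 44 blocks).

```python
import hashlib

# Values copied from the bulletin: (bytes, sum checksum, sum blocks, md5).
PUBLISHED = {
    "IRIX 5.*.*": {
        "lpr.latest.Z": (22331, "61762", 44, "3a215a1f9b336cc4f76ca3e7a6b9bdcc"),
        "lpr.new": (41120, "22489", 81, "6f55d6a7620ca5c4188230a3b4dd50be"),
        "lpr.new.install": (1575, "63777", 4, "be021e98c346a3d49c27f00e43ca87ef"),
    },
    "IRIX 4.0.5": {
        "lpr.latest.Z": (87469, "03015", 171, "d40c8c84e219045e56297cd36e6a77d5"),
        "lpr.new": (171016, "21563", 335, "641f6ca953c8163d9085f99114df5289"),
        "lpr.new.install": (1575, "63777", 4, "be021e98c346a3d49c27f00e43ca87ef"),
    },
}
FIELDS = ("bytes", "sum_checksum", "sum_blocks", "md5_checksum")

def bsd_sum(data, block=512):
    """BSD 'sum -r': rotate the 16-bit sum right one bit, then add each byte."""
    c = 0
    for b in data:
        c = (c >> 1) | ((c & 1) << 15)
        c = (c + b) & 0xFFFF
    # Zero-padded to five digits, as in the table's "03015"; blocks round up.
    return "%05d" % c, -(-len(data) // block)

def fingerprint(data):
    checksum, blocks = bsd_sum(data)
    return (len(data), checksum, blocks, hashlib.md5(data).hexdigest())

def verify(platform, name, data):
    """Return the names of fields that differ from the bulletin (empty = match)."""
    want = PUBLISHED[platform][name]
    return [f for f, w, g in zip(FIELDS, want, fingerprint(data)) if w != g]

if __name__ == "__main__":
    import sys
    platform, path = sys.argv[1], sys.argv[2]  # e.g. "IRIX 5.*.*" lpr.new
    with open(path, "rb") as fh:
        bad = verify(platform, path.rsplit("/", 1)[-1], fh.read())
    print("OK" if not bad else "MISMATCH: " + ", ".join(bad))
```

GNU coreutils "sum -r" counts 1 KiB blocks, so its second column will not match the block counts printed in the bulletin even for an intact file; the five-digit checksum is the comparable value.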
______________________________________________________________________________
CIAC thanks Miguel J. Sanchez and Jay McCauley of Silicon Graphics Inc. and
David S. Brown of Lawrence Livermore National Laboratory for the information
provided in this bulletin.
______________________________________________________________________________
For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName", "FirstName" and
"PhoneNumber":
E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
______________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.