Title: Solaris lpd Remote Command Execution Vulnerability
Severity: CRITICAL
Description:
The print protocol daemon, 'in.lpd' (or 'lpd'), shipped with Solaris may allow remote attackers to execute arbitrary commands on target hosts with superuser privileges.
This alleged vulnerability is not the buffer overflow discovered by ISS.
lpd allows clients to have email sent to a user when a job has completed printing. The supplied email address is passed to sendmail on the command line when lpd invokes it. Attackers may be able to supply sendmail command-line options as the value of the email address when using this functionality. It may be possible to force sendmail to use an uploaded print job as a configuration file. If an attacker can cause sendmail to use a file they have supplied as the configuration file, arbitrary embedded commands may be executed with the privileges of sendmail.
To accomplish this with lpd, an attacker may have to supply, in place of the email address, the command-line option that selects a custom configuration file. The argument to that option must be the location of the print job on the filesystem. If an attacker manages this, arbitrary commands embedded in the configuration file will be executed on the server as root.
If this vulnerability is successfully exploited, remote attackers may compromise the target system.
This vulnerability is likely the same as, or closely related to, the one described in NAI advisory NAI-0020.
NOTE: It has been reported that a valid printer does NOT need to be configured to exploit this vulnerability.
**UPDATE**: There have been reports that this vulnerability is being exploited by attackers 'in-the-wild'. Administrators are strongly urged to disable the lpd service or apply network access control on the port.
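The root cause described above is that a client-supplied mail address reaches the mailer's command line unchecked. The following is an added example, not code from Solaris lpd or from this advisory: a check a print daemon or log reviewer could apply to the 'M' (mail when printed) line of an RFC 1179 control file before any mailer is invoked. The function names, the allowed character set, the length limit and the sample control files are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample control files (not captured traffic). */
static const char SAMPLE_OK[]  = "Hclient.example\nPalice\nMalice@example.com\nldfA001client\n";
static const char SAMPLE_BAD[] = "Hclient.example\nPalice\nM-option-placeholder\nldfA001client\n";

/* Return 1 if addr may be passed to a mailer as a single argv element. */
int mail_operand_is_safe(const char *addr)
{
    size_t i, n = strlen(addr);

    /* A leading '-' would be parsed by the mailer as a command-line option. */
    if (n == 0 || n > 254 || addr[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        /* Conservative alphabet: no whitespace, slashes or shell characters. */
        if (!isalnum(c) && strchr("@._+-", c) == NULL)
            return 0;
    }
    return 1;
}

/* Walk a control file (one command per line, first byte is the command
 * code) and count 'M' operands that fail the check above. */
int count_unsafe_mail_lines(const char *cf)
{
    int unsafe = 0;

    while (*cf) {
        size_t len = strcspn(cf, "\n");   /* length of the current line */
        char operand[256];

        if (cf[0] == 'M') {
            if (len - 1 >= sizeof operand) {
                unsafe++;                 /* over-long operand: reject */
            } else {
                memcpy(operand, cf + 1, len - 1);
                operand[len - 1] = '\0';
                unsafe += !mail_operand_is_safe(operand);
            }
        }
        cf += len;
        if (*cf == '\n')
            cf++;
    }
    return unsafe;
}

int main(void)
{
    printf("ok sample: %d unsafe, bad sample: %d unsafe\n",
           count_unsafe_mail_lines(SAMPLE_OK), count_unsafe_mail_lines(SAMPLE_BAD));
    return 0;
}
```

A job whose control file yields a non-zero count should be rejected before notification is attempted; this complements, and does not replace, disabling the service or filtering the port as urged above.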
Affected Products:
- Sun Solaris 2.0.0
- Sun Solaris 2.1.0
- Sun Solaris 2.2.0
- Sun Solaris 2.3.0
- Sun Solaris 2.4.0
- Sun Solaris 2.4.0_x86
- Sun Solaris 2.5.0
- Sun Solaris 2.5.0_x86
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1_x86
- Sun Solaris 2.6
- Sun Solaris 2.6_x86
- Sun Solaris 7.0
- Sun Solaris 7.0_x86
- Sun Solaris 8
- Sun Solaris 8_x86
References:
- Sun Microsystems: Sunsolve Online(tm)