J-Security Center

Title: Multiple Vendor lpd Vulnerabilities

Severity: CRITICAL

Description:

The line printer daemon (lpd) is a print server available for various Unix and Linux operating systems.

Multiple vulnerabilities have been discovered in lpd.

The print server authenticates clients through a reverse lookup of the client-supplied hostname. By sending a specially constructed packet containing a spoofed reverse-lookup hostname that mimics one trusted by the lpd server, an unauthorized user may be able to authenticate.
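The weakness above is that the daemon trusts whatever name the reverse (PTR) record for the peer's address reports, and that record is controlled by whoever runs the reverse zone for that address. The following is an added example, not code from Juniper or from any lpd implementation, contrasting that reverse-only check with a forward-confirmed reverse DNS check: the PTR name must also resolve forward to the address the connection actually came from. The resolver functions are injected as parameters and the DNS table (`FAKE_PTR`, `FAKE_A`, the `example.com` names and the 192.0.2.0/24 and 203.0.113.0/24 addresses) is constructed so the example runs offline; `system_resolvers()` shows the real socket calls a deployment would wrap.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for an lpd-style host allow-list.

Added example, not code from Juniper or from any lpd implementation. The two
resolver functions are injected so the check runs offline against the
constructed DNS table below.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample DNS data. 192.0.2.10 is the legitimate print client.
# 203.0.113.9 is an untrusted host whose PTR record has been set to mimic
# the trusted client's name; the trusted name does not resolve back to it.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "printclient.example.com",
    "203.0.113.9": "printclient.example.com",   # spoofed reverse record
}
FAKE_A: Dict[str, List[str]] = {
    "printclient.example.com": ["192.0.2.10"],
}


def fake_reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (None when no record)."""
    return FAKE_PTR.get(ip)


def fake_forward_lookup(name: str) -> List[str]:
    """A-record lookup against the constructed table (empty when no record)."""
    return FAKE_A.get(name, [])


def system_resolvers() -> Tuple[Callable[[str], Optional[str]],
                                Callable[[str], List[str]]]:
    """Real resolver pair a deployment would use (not called offline)."""
    def reverse(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:          # socket.herror / gaierror subclass OSError
            return None

    def forward(name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []
    return reverse, forward


def _on_allow_list(name: Optional[str], allowed_hosts: Iterable[str]) -> bool:
    return name is not None and name.lower() in {h.lower() for h in allowed_hosts}


def reverse_only_allowed(peer_ip: str, allowed_hosts: Iterable[str],
                         reverse_lookup: Callable[[str], Optional[str]]) -> bool:
    """The weak check the advisory describes: trust the PTR name as-is."""
    return _on_allow_list(reverse_lookup(peer_ip), allowed_hosts)


def fcrdns_allowed(peer_ip: str, allowed_hosts: Iterable[str],
                   reverse_lookup: Callable[[str], Optional[str]],
                   forward_lookup: Callable[[str], List[str]]) -> bool:
    """Hardened check: the PTR name must be on the allow-list AND resolve
    forward to the very address the connection came from."""
    name = reverse_lookup(peer_ip)
    if not _on_allow_list(name, allowed_hosts):
        return False
    return peer_ip in forward_lookup(name)


if __name__ == "__main__":
    trusted = ["printclient.example.com"]
    for ip in ("192.0.2.10", "203.0.113.9"):
        print(ip,
              "reverse-only:", reverse_only_allowed(ip, trusted, fake_reverse_lookup),
              "fcrdns:", fcrdns_allowed(ip, trusted, fake_reverse_lookup,
                                        fake_forward_lookup))
```

With the constructed table, the spoofed host 203.0.113.9 passes the reverse-only check and fails the forward-confirmed one. FCrDNS raises the bar but still rests on DNS; where the print service must be restricted to known clients, a host allow-list keyed on addresses or a network-level control is the more robust companion to this check.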

The lpd server allows clients to request that email be sent to a user when a print job has completed. The supplied email address is passed to sendmail on the command line when lpd invokes it. Attackers may be able to supply sendmail command-line options as the value of the email address when using this functionality. It may be possible to force sendmail to use an uploaded print job as a configuration file. If an attacker can cause sendmail to use a file they have supplied as the configuration file, arbitrary embedded commands may be executed with the privileges of sendmail.

To exploit this issue an attacker may have to supply, as the email address, the command-line option that makes sendmail use a custom configuration file. Successful exploitation of this issue may result in arbitrary commands embedded in the configuration file being executed on the server as root.
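The root cause of the second issue is a classic argument-injection pattern: a client-controlled string from the job's control file is placed on a privileged program's command line where it can be read as an option. The following is an added example, not code from Juniper or from any lpd implementation, that parses a constructed BSD-style control file, shows the unchecked argv construction the advisory describes beside a hardened form that validates the mail name as a plain local-part, rejects anything beginning with `-`, and terminates option parsing with `--`. The sendmail path, the control-file sample and the option-like value `-placeholder-option` are constructed for illustration; the `--` handling assumes sendmail's getopt-style argument parsing.

```python
"""Validating the lpd control-file mail name before it reaches sendmail's argv.

Added example, not code from Juniper or from any lpd implementation. The
control-file sample, the sendmail path and the option-like mail name are
constructed for illustration.
"""
import re
from typing import Dict, List, Optional

SENDMAIL = "/usr/sbin/sendmail"   # assumed path

# Constructed BSD-style control file: each line is a one-letter key followed
# immediately by its value. H = originating host, P = submitting user,
# M = send mail to this user on completion, f = print this data file.
SAMPLE_CONTROL_FILE = (
    "Hprintclient.example.com\n"
    "Palice\n"
    "Malice\n"
    "fdfA001printclient.example.com\n"
)

# Local-part allow-list: letters, digits, dot, underscore, plus, hyphen.
# The first character is checked separately so '-' can never start the value.
MAILNAME_RE = re.compile(r"[A-Za-z0-9._+-]+")


def parse_control_file(text: str) -> Dict[str, List[str]]:
    """Split an lpd control file into {key letter: [values in order]}."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line:
            fields.setdefault(line[0], []).append(line[1:])
    return fields


def sendmail_argv_unsafe(mailname: str) -> List[str]:
    """The pattern the advisory describes: the job's mail name goes onto the
    sendmail command line unchecked, so a value that begins with '-' is
    parsed by sendmail as an option rather than as a recipient address."""
    return [SENDMAIL, mailname]


def validate_mailname(mailname: str) -> str:
    """Return the mail name if it is a plain local-part; raise otherwise."""
    if not mailname or len(mailname) > 64:
        raise ValueError("mail name empty or too long")
    if mailname[0] == "-":
        raise ValueError("mail name must not look like a command-line option")
    if not MAILNAME_RE.fullmatch(mailname):
        raise ValueError("mail name contains characters outside the allow-list")
    return mailname


def is_safe_mailname(mailname: str) -> bool:
    """Boolean form of validate_mailname for callers that only need a verdict."""
    try:
        validate_mailname(mailname)
        return True
    except ValueError:
        return False


def sendmail_argv_hardened(mailname: str) -> List[str]:
    """Validated recipient placed after '--', which getopt-style parsers
    (sendmail's included, as assumed here) treat as the end of options."""
    return [SENDMAIL, "--", validate_mailname(mailname)]


def mail_argv_for_job(control_text: str) -> Optional[List[str]]:
    """Build the hardened argv for a job's first 'M' record, or None when the
    job requested no completion mail. Raises ValueError for a rejected name."""
    mailnames = parse_control_file(control_text).get("M", [])
    if not mailnames:
        return None
    return sendmail_argv_hardened(mailnames[0])


if __name__ == "__main__":
    print("argv for sample job:", mail_argv_for_job(SAMPLE_CONTROL_FILE))
    hostile = "-placeholder-option"      # constructed: any '-'-prefixed token
    print("unsafe argv:", sendmail_argv_unsafe(hostile))
    print("hardened accepts it:", is_safe_mailname(hostile))
```

The allow-list is deliberately narrower than what an email local-part may legally contain; lpd only needs to deliver to a user on the originating host, and a narrow allow-list is what keeps whitespace, quoting and shell-relevant characters out of a root-invoked command line. Logging each rejected value together with the originating host gives operators a detection signal for attempts against this bug.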

By exploiting a combination of these vulnerabilities, it may be possible for remote attackers to gain root access to a target server.

There were similar problems discovered by SNI (acquired by Network Associates) in older versions of *BSD lpd, which were fixed shortly after.

It should be noted that this vulnerability is similar to that described in BID 3274.

Affected Products:

  • RedHat Linux 4.0.0
  • RedHat Linux 4.1.0
  • RedHat Linux 4.2.0
  • RedHat Linux 5.0.0
  • RedHat Linux 5.1.0
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 6.0.0
  • RedHat Linux 6.1.0 i386
  • SGI IRIX 6.5.0
  • SGI IRIX 6.5.1
  • SGI IRIX 6.5.10
  • SGI IRIX 6.5.11
  • SGI IRIX 6.5.12
  • SGI IRIX 6.5.13
  • SGI IRIX 6.5.14f
  • SGI IRIX 6.5.14m
  • SGI IRIX 6.5.15f
  • SGI IRIX 6.5.15m
  • SGI IRIX 6.5.16f
  • SGI IRIX 6.5.16m
  • SGI IRIX 6.5.17f
  • SGI IRIX 6.5.17m
  • SGI IRIX 6.5.18f
  • SGI IRIX 6.5.18m
  • SGI IRIX 6.5.2
  • SGI IRIX 6.5.3
  • SGI IRIX 6.5.4
  • SGI IRIX 6.5.5
  • SGI IRIX 6.5.6
  • SGI IRIX 6.5.7
  • SGI IRIX 6.5.8
  • SGI IRIX 6.5.9
