NASIRC BULLETIN #94-14                                       May 3, 1994

              Vulnerability in the BSD "lpr" Utility Under IRIX

===========================================================
        NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received notification about a security vulnerability
in certain versions of lpr running on Silicon Graphics, Inc. (SGI)
workstations under certain versions of the IRIX operating system.

SYSTEMS AFFECTED:

This vulnerability affects all SGI workstations that are running
IRIX 4.0.5 (all versions) or IRIX 5.x (5.0, 5.0.1, 5.1.* and 5.2)
and that have the BSD lpr spooling system installed. Note that the
BSD lpr subsystem (eoe2.sw.bsdlpr) is NOT installed by default and
should not be confused with the standard AT&T System V lp print
spooling mechanism normally used on SGI systems. Systems that run only
the System V lp spooler are not affected by this bulletin.

THE PROBLEM:

Information received by NASIRC indicates that, under certain
conditions, lpr can be used to overwrite or create any file on the
system. In addition, certain flags could allow users to create
symbolic links in the lpd spool directory; once lpr has been invoked a
certain number of times, the file that such a link points to is
automatically overwritten or created. Either of these vulnerabilities
could allow any user with access to lpr(1) to gain root privileges.

VULNERABILITY FIX(ES):

SGI engineering has generated corrected versions of the lpr software;
NASIRC and SGI recommend that this new lpr software be installed on
any SGI system which uses the lpr spooler to avoid potential
penetration by unprivileged users.
The new lpr software may be obtained directly from SGI via Anonymous
FTP from ftp.sgi.com as follows (these are compressed tarfiles and
must be transferred in BINARY mode):

   -- for IRIX 4.0.5 systems:   ~ftp/sgi/IRIX4.0/lpr/lpr.latest.Z
   -- for IRIX 5.x systems:     ~ftp/sgi/IRIX5.0/lpr/lpr.latest.Z

When you decompress and untar the files you should see the following:

   -- for IRIX 4.0.5:
      tar: blocksize = 16
      x lpr.new, 85052 bytes, 167 blocks
      x lpr.new.install, 1575 bytes, 4 blocks

   -- for IRIX 5.x:
      tar: blocksize = 16
      x lpr.new.install, 1575 bytes, 4 blocks
      x lpr.new, 41120 bytes, 81 blocks

Checksumming the compressed tarfile and the two extracted files
(command "sum -r lpr*") should yield the following:

   -- for IRIX 4.0.5:
      43017    82 lpr.latest.Z
      64205   167 lpr.new
      63777     4 lpr.new.install

   -- for IRIX 5.x:
      61762    44 lpr.latest.Z
      22489    81 lpr.new
      63777     4 lpr.new.install

If any checksum or size does not match the values above, do not
install the software; re-transfer the tarfile in BINARY mode and
check again before proceeding.

NASIRC will continue to monitor this situation and will post
additional information should it become necessary. If you have any
questions about this bulletin, please contact NASIRC via any of the
venues below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Bernie Rosen of NASA's Ames Research Center and
Karyn Pichnarczyk of the Department of Energy Computer Incident
Advisory Capability (CIAC) for forwarding this information in a rapid
and timely manner.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
  For further assistance, please contact the NASIRC Helpdesk:
         Phone: 1-800-7-NASIRC          Fax: 1-301-441-1853
         Internet Email: nasirc@nasa.gov
         24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
         STU III: 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and
system administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. You
will be required to enter your valid e-mail address as the "password".
Once on the system, you can access the following information:

   ~/bulletins     ! NASIRC bulletins
   ~/information   ! various informational files
   ~/toolkits      ! patches & automated toolkit software

Information maintained in these directories is updated on a
continuous basis with relevant software and information. Contact the
NASIRC Helpdesk for more information or assistance with tool kits or
security measures.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal NASA
team(s) are notified. NASIRC is a member of the Forum of Incident
Response and Security Teams (FIRST), a world-wide organization which
provides for coordination between incident response teams in handling
computer-security-related issues. You can obtain a list of FIRST
member organizations and their constituencies by sending email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".
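The checksum step in VULNERABILITY FIX(ES) above depends on the local sum(1) agreeing with the IRIX convention the bulletin quotes. The following script is an added example, not part of the NASIRC bulletin or of SGI's fix: it reimplements the BSD "sum -r" algorithm (a 16-bit rotate-right checksum) and counts 512-byte blocks, which is what the IRIX output in the bulletin shows (85052 bytes -> 167 blocks). GNU coreutils "sum -r" prints 1K blocks, so on a modern host only the checksum column, not the block column, would match the table. The release labels "IRIX 4.0.5" and "IRIX 5.x", the helper names and the command-line handling are this example's own assumptions; the expected values are copied from the bulletin.

```python
"""Check downloaded lpr fix files against the sum -r values published in
NASIRC bulletin #94-14.  Added example; not bulletin or SGI code."""
import os
import sys

# Expected "sum -r" output from the bulletin: name -> (checksum, blocks).
EXPECTED = {
    "IRIX 4.0.5": {
        "lpr.latest.Z":    (43017, 82),
        "lpr.new":         (64205, 167),
        "lpr.new.install": (63777, 4),
    },
    "IRIX 5.x": {
        "lpr.latest.Z":    (61762, 44),
        "lpr.new":         (22489, 81),
        "lpr.new.install": (63777, 4),
    },
}

# IRIX sum(1) reports 512-byte blocks (assumed from the bulletin's numbers);
# GNU coreutils "sum -r" would report 1K blocks instead.
BLOCK_SIZE = 512


def bsd_sum(data):
    """Return (checksum, blocks) as BSD "sum -r" prints them for ``data``.

    For every byte the 16-bit accumulator is rotated right by one bit,
    the byte value is added, and the result is truncated to 16 bits.
    """
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
    return checksum, blocks


def verify_contents(contents, release):
    """Compare in-memory file contents (name -> bytes) with the table for
    ``release``.  Returns name -> "ok", "mismatch" or "missing"."""
    results = {}
    for name, want in EXPECTED[release].items():
        if name not in contents:
            results[name] = "missing"
        elif bsd_sum(contents[name]) == want:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def verify_files(directory, release):
    """Read the bulletin's files from ``directory`` and verify them.
    Install only on an all-"ok" result."""
    contents = {}
    for name in EXPECTED[release]:
        path = os.path.join(directory, name)
        if os.path.exists(path):
            with open(path, "rb") as fh:
                contents[name] = fh.read()
    return verify_contents(contents, release)


if __name__ == "__main__":
    # usage: python verify_lpr.py "IRIX 5.x" /path/to/untarred/files
    release = sys.argv[1] if len(sys.argv) > 1 else "IRIX 5.x"
    directory = sys.argv[2] if len(sys.argv) > 2 else "."
    for name, status in sorted(verify_files(directory, release).items()):
        print(f"{status:9s} {name}")
```

The script reports "missing" as well as "mismatch" so that an incomplete untar is caught along with a corrupted (for example ASCII-mode) transfer; the block count is checked together with the checksum because a truncated file can keep the same 16-bit sum by chance.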