***********************************************************************
DDN Security Bulletin 9110       DCA DDN Defense Communications System
23 July 91              Published by: DDN Security Coordination Center
                                    ([email protected])  (800) 235-3155

                       DEFENSE  DATA  NETWORK
                         SECURITY  BULLETIN

The DDN  SECURITY BULLETIN  is distributed  by the  DDN SCC  (Security
Coordination Center) under  DCA contract as  a means of  communicating
information on network and host security exposures, fixes, &  concerns
to security & management personnel at DDN facilities.  Back issues may
be  obtained  via  FTP  (or  Kermit)  from  NIC.DDN.MIL  [192.67.67.20]
using login="anonymous" and password="guest".  The bulletin pathname is
SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001).
**********************************************************************

                    Patch for SunOS /usr/lib/lpd

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important  advisory was  issued by the Computer     !
!     Emergency Response Team (CERT)  and is being relayed unedited     !
!     via the Defense Communications Agency's Security Coordination     !
!     Center  distribution  system  as a  means  of  providing  DDN     !
!     subscribers with useful security information.                     !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +


CA-91:10                        CERT Advisory
                               July 15, 1991
                       Patch for SunOS /usr/lib/lpd

---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning the availability of a security patch
for /usr/lib/lpd in Sun Microsystems, Inc. operating systems.  This
problem will be fixed in SunOS 5.0.  Patches are available for SunOS 4.0.3,
SunOS 4.1, and SunOS 4.1.1 through your local Sun answer centers worldwide
as well as through anonymous ftp to ftp.uu.net (in ~ftp/sun-dist).
Patch ID and file information are as follows:

Fix                     Patch ID       Filename            Checksum
/usr/lib/lpd            100305-03      100305-03.tar.Z     58052   380

Please note that Sun Microsystems sometimes updates patch files.  If
you find that the checksum is different please contact Sun Microsystems
or us for verification.
---------------------------------------------------------------------------

I.   DESCRIPTION:

    A security vulnerability exists in /usr/lib/lpd in all
    existing versions of SunOS that allows an unprivileged user
    to delete any system files.

II.  IMPACT:

    Any user logged into the system can delete files that they do
    not own.

III. SOLUTION:

    Install the new version of lpd.  You may want to alert
    users in advance that printer service will be disrupted.
    Then, before installing the patch, drain the print queues.
    This is generally done using the lpc command.  Later,
    after the patch is installed, printer queues can be
    re-enabled.

    As root:

    1.  Kill the currently running lpd process.  Kill -INT
        will allow the running lpd to do necessary clean-up.

        # ps -ax | grep lpd
        # kill -INT {process id of lpd found in the above command}

    2.  Move the current version aside and change the file mode
        of the old version to prevent misuse.

        # mv /usr/lib/lpd /usr/lib/lpd.OLD
        # chmod 100 /usr/lib/lpd.OLD

    3.  Install the new version of lpd

        # cp sun{3,3x,4,4c.386i}/{4.1,4.1.1}/lpd /usr/lib/lpd
        # chown root.daemon /usr/lib/lpd
        # chmod 6711 /usr/lib/lpd

    4.  Set up devices (note: new device name /dev/lpd/printer) to
        work with new lpd.  Create a link, /dev/printer, for
        compatibility purposes.

        # rm -f /dev/printer
        # mkdir /dev/lpd
        # chown root.daemon /dev/lpd
        # chmod 710 /dev/lpd
        # ln -s /dev/lpd/printer /dev/printer

    5.  Modify line printer program protections

        # chmod 6711 /usr/ucb/lpr
        # chmod 6711 /usr/ucb/lpq
        # chmod 6711 /usr/ucb/lprm
        # chmod 2711 /usr/etc/lpc

    6.  Restart lpd

        # /usr/lib/lpd

    7.  Edit /etc/rc or /etc/rc.local file and change the line that removes
        the /dev/printer file upon system startup. It should reflect
        the change in location from /dev/printer to /dev/lpd/printer.

        Original:

        if [ -f /usr/lib/lpd ]; then
                rm -f /dev/printer /var/spool/lpd.lock

        Change to:

        if [ -f /usr/lib/lpd ]; then
                rm -f /dev/lpd/printer /var/spool/lpd.lock
                          ^^^^
                          NEW

        The results should look like:
        if [ -f /usr/lib/lpd ]; then
                rm -f /dev/lpd/printer /var/spool/lpd.lock
                /usr/lib/lpd;           echo -n ' printer'
        fi


---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: [email protected]
Telephone: 412-268-7090 24-hour hotline:
          CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,
          on call for emergencies during other hours.

Past advisories and other computer security related information are available
for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.

Downloaded From P-80 International Information Systems 304-744-2253