*********************************************************************** DDN Security Bulletin 9110 DCA DDN Defense Communications System 23 July 91 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) (800) 235-3155 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.67.67.20] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001). ********************************************************************** Patch for SunOS /usr/lib/lpd + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Communications Agency's Security Coordination ! ! Center distribution system as a means of providing DDN ! ! subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + CA-91:10 CERT Advisory July 15, 1991 Patch for SunOS /usr/lib/lpd --------------------------------------------------------------------------- The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning the availability of a security patch for /usr/lib/lpd in Sun Microsystems, Inc. operating systems. This problem will be fixed in SunOS 5.0. Patches are available for SunOS 4.0.3, SunOS 4.1, and SunOS 4.1.1 through your local Sun answer centers worldwide as well as through anonymous ftp to ftp.uu.net (in ~ftp/sun-dist). Patch ID and file information are as follows: Fix Patch ID Filename Checksum /usr/lib/lpd 100305-03 100305-03.tar.Z 58052 380 Please note that Sun Microsystems sometimes updates patch files. If you find that the checksum is different please contact Sun Microsystems or us for verification. --------------------------------------------------------------------------- I. DESCRIPTION: A security vulnerability exists in /usr/lib/lpd in all existing versions of SunOS that allows an unprivileged user to delete any system files. II. IMPACT: Any user logged into the system can delete files that they do not own. III. SOLUTION: Install the new version of lpd. You may want to alert users in advance that printer service will be disrupted. Then, before installing the patch, drain the print queues. This is generally done using the lpc command. Later, after the patch is installed, printer queues can be re-enabled. As root: 1. Kill the currently running lpd process. Kill -INT will allow the running lpd to do necessary clean-up. # ps -ax | grep lpd # kill -INT {process id of lpd found in the above command} 2. Move the current version aside and change the file mode of the old version to prevent misuse. # mv /usr/lib/lpd /usr/lib/lpd.OLD # chmod 100 /usr/lib/lpd.OLD 3. Install the new version of lpd # cp sun{3,3x,4,4c.386i}/{4.1,4.1.1}/lpd /usr/lib/lpd # chown root.daemon /usr/lib/lpd # chmod 6711 /usr/lib/lpd 4. Set up devices (note: new device name /dev/lpd/printer) to work with new lpd. Create a link, /dev/printer, for compatibility purposes. # rm -f /dev/printer # mkdir /dev/lpd # chown root.daemon /dev/lpd # chmod 710 /dev/lpd # ln -s /dev/lpd/printer /dev/printer 5. Modify line printer program protections # chmod 6711 /usr/ucb/lpr # chmod 6711 /usr/ucb/lpq # chmod 6711 /usr/ucb/lprm # chmod 2711 /usr/etc/lpc 6. Restart lpd # /usr/lib/lpd 7. Edit /etc/rc or /etc/rc.local file and change the line that removes the /dev/printer file upon system startup. It should reflect the change in location from /dev/printer to /dev/lpd/printer. Original: if [ -f /usr/lib/lpd ]; then rm -f /dev/printer /var/spool/lpd.lock Change to: if [ -f /usr/lib/lpd ]; then rm -f /dev/lpd/printer /var/spool/lpd.lock ^^^^ NEW The results should look like: if [ -f /usr/lib/lpd ]; then rm -f /dev/lpd/printer /var/spool/lpd.lock /usr/lib/lpd; echo -n ' printer' fi --------------------------------------------------------------------------- If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail. Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 24-hour hotline: CERT/CC personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies during other hours. Past advisories and other computer security related information are available for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.