Note: This is an archival copy of Security Sun Alert 200438 as previously published on http://sunsolve.sun.com. The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000320.1.
Category: Security
Release Phase: Resolved
Solaris 2.6 Operating System
Solaris 7 Operating System
Bug Id: 4236546
Date of Resolved Release: 31-MAR-2003

Impact
Local unprivileged users may be able to gain unauthorized root access due to a buffer overflow in the lpq(1B) command. This issue is described in NSFOCUS Security Bulletin SA2003-02, available from http://www.nsfocus.com/english/homepage/sa2003-02.htm. Sun acknowledges, with thanks, NSFOCUS Information Technology for bringing this issue to our attention.

Contributing Factors
This issue can occur in the following releases:
SPARC Platform
x86 Platform
Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document. Solaris 8 and Solaris 9 are not impacted by this issue.

Symptoms
There are no symptoms that would show the buffer overflow in lpq(1B) has been exploited to gain unauthorized root access to a host. Failed attempts to exploit lpq(1B) might result in a core file being generated. If file(1) is run on this core file, it shows that the core was produced by lpq(1B).

Workaround
To work around the described issue, remove the set-user-ID bit from lpstat(1). The lpq(1B) command is a symbolic link to lpstat(1). This can be done with the following command as the root user:

    # /usr/bin/chmod u-s /usr/bin/lpstat

Note: Removing the set-user-ID bit from the lpstat(1) binary will prevent unprivileged users from displaying information about the print service.
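
A check for the workaround above, as an added example that is not part of the original Sun Alert: it removes the set-user-ID bit from lpstat and confirms that lpq, reached through its symbolic link, no longer resolves to a set-user-ID file. The function names are illustrative, and the lpq path is a placeholder the caller must supply.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): apply and verify the lpstat(1)
# set-user-ID workaround. Paths are arguments so it can be tried on copies.

# Print the set-user-ID state of a path. test -u follows symbolic links,
# so a link such as lpq reports the state of the binary behind it.
suid_state() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -u "$1" ]; then
        echo "setuid"
    else
        echo "not-setuid"
    fi
}

# Apply the workaround to the lpstat binary ($1), then confirm that the
# binary and every alias given after it (for example the lpq link) exist
# and no longer resolve to a set-user-ID file. Returns 0 only if all pass;
# an alias that is a separate set-user-ID copy makes the check fail.
apply_lpstat_workaround() {
    lpstat_path=$1
    shift
    if [ "$(suid_state "$lpstat_path")" = "missing" ]; then
        echo "lpstat not found: $lpstat_path" >&2
        return 2
    fi
    chmod u-s "$lpstat_path" || return 2
    rc=0
    for p in "$lpstat_path" "$@"; do
        state=$(suid_state "$p")
        echo "$p: $state"
        [ "$state" = "not-setuid" ] || rc=1
    done
    return $rc
}

# Usage as root on an affected host. The lpq path is a placeholder; pass
# the location of the link on your system:
#   apply_lpstat_workaround /usr/bin/lpstat /path/to/lpq
```

A non-zero return after the chmod means one of the listed paths is missing or is still set-user-ID, which happens when an alias is an independent binary rather than a link to lpstat.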

Resolution
This issue is addressed in the following releases:
SPARC Platform
x86 Platform

Modification History

References
106235-12
106236-12
107115-12
107116-12

Attachments
This solution has no attachment