Note: This is an archival copy of Security Sun Alert 200978 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000736.1.
Article ID : 1000736.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-08-08
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the "printd" Daemon

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
6289134

Date of Resolved Release
08-AUG-2005

Impact

A local or remote unprivileged user may be able to remove any file on the system due to a security vulnerability in the "printd" daemon.

Sun acknowledges, with thanks, H.D. Moore of Metaspoilt.com, for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patch 107115-19
  • Solaris 8 without patch 109320-16
  • Solaris 9 without patch 113329-15
  • Solaris 10 without patch 120467-01

x86 Platform

  • Solaris 7 without patch 107116-19
  • Solaris 8 without patch 109321-16
  • Solaris 9 without patch 114980-16
  • Solaris 10 without patch 120468-01

This issue only occurs on systems that have the printer package "SUNWpcu" installed. 


Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.


Workaround

To work around the described issue, one of the following options can be applied:

Option 1:

Temporarily rename the following file used by the "printd" daemon:

    /usr/lib/print/bsd-adaptor/bsd_cascade.so.1

Note: Renaming this file will cause systems configured to use the cascade spooler to fail to send print requests to the configured remote host.

Option 2:

Disable the BSD print protocol adaptor (in.lpd(1M)) by doing the following:

For pre-Solaris 10 systems:

1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol to the beginning of the line as shown:

    #printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:

    # /usr/bin/pkill -HUP inetd

For systems running Solaris 10 or above:

Execute the following command:

    # svcadm disable svc:/application/print/rfc1179

 


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 107115-19 or later
  • Solaris 8 with patch 109320-16 or later
  • Solaris 9 with patch 113329-15 or later
  • Solaris 10 with patch 120467-01 or later

x86 Platform

  • Solaris 7 with patch 107116-19 or later
  • Solaris 8 with patch 109321-16 or later
  • Solaris 9 with patch 114980-16 or later
  • Solaris 10 with patch 120468-01 or later


References

107115-19
109320-16
113329-15
120467-01
107116-19
109321-16
114980-16
120468-01




Attachments
This solution has no attachment