A search for one kind of problem led analysts at the CERT Coordination Center to find another. In August, the security organization had begun contacting printer vendors to obtain their lpd code in an attempt to create a clearer picture of vulnerabilities surrounding the software packages known as Internet Security Scanners, said Jason Rafail, a security analyst at CERT, which is based at Carnegie Mellon University in Pittsburgh.
After conversations with several vendor representatives, CERT found that while the printers manufactured by the vendors weren't vulnerable to ISS problems, the printer networks were vulnerable to outside threats, Rafail said. Printers from IBM Corp.'s AIX line, FreeBSD, NetBSD, OpenBSD and Hewlett-Packard Co.'s HP-UX line were all found to have the vulnerability, which could be used to launch denial-of-service attacks.
Essentially, anyone who can reach a printer network can use the holes to gain root (superuser) privileges within the network. Rafail said that some of these vulnerabilities were a year old and some were newly discovered. As a result, CERT felt it was time to bundle them all together and put out an advisory, he said.
The good news is that all of these holes can be fixed by using patches from the vendors and by beefing up network firewalls, Rafail said.
The problems are buffer overflow issues that allow remote users to gain root access to lpd servers, CERT's statement said.
Specifically mentioned in the statement were:
-- BSD line printer daemon buffer overflow in displayq(): An intruder can send a specially crafted print job to the target and then request a display of the print queue to trigger the buffer overflow. The intruder may be able to use this overflow to execute arbitrary commands on the system with superuser privileges.
-- IBM AIX line printer daemon buffer overflow in kill_print(), in send_status() and in chk_fhost(): An intruder could exploit this to obtain root privileges or cause a DoS attack. To exploit this vulnerability, however, the intruder would have to be listed in the /etc/hosts.lpd or /etc/hosts.equiv file; in the case of chk_fhost(), the intruder would instead need control of the DNS server.
-- Hewlett-Packard HP-UX line printer daemon buffer overflow (rlpdaemon): An intruder could possibly execute arbitrary code with superuser privileges. The rlpdaemon is installed and active even if it's not being used. An intruder wouldn't need any prior knowledge or privileges on the target system in order to exploit the hole.
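All three items above are the same class of defect: a line printer daemon, running as root, copies a client-supplied field (a queue name, a host name, a job identifier) into a fixed-size stack buffer without checking its length. The following added example is not code from BSD lpd, AIX or HP-UX; it is a constructed illustration of that pattern and of the bounds-checked parsing that prevents it. It assumes the RFC 1179 request layout for a "send queue state" command (a command byte of 3 or 4, the queue name, an optional space-separated list, and a terminating LF); the QUEUE_NAME_MAX limit and the helper names are choices made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit for this example: the largest queue name accepted. */
#define QUEUE_NAME_MAX 64

/* The unsafe pattern behind the advisories: an attacker-controlled field is
 * copied into a fixed buffer with no length check. Shown for contrast only;
 * nothing in this example calls it. */
void copy_queue_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);   /* writes past dst when src is longer than the buffer */
}

/* Hardened parser for an RFC 1179 queue-state request.
 * req/req_len is the raw request as read from the socket (not NUL-terminated).
 * On success the queue name is stored NUL-terminated in queue and 0 is
 * returned; malformed, empty, control-character or overlong names give -1. */
int parse_queue_request(const char *req, size_t req_len,
                        char *queue, size_t queue_size)
{
    if (req_len < 2 || (req[0] != 3 && req[0] != 4))
        return -1;                                  /* not a queue-state command */

    size_t i = 1, n = 0;
    while (i < req_len && req[i] != ' ' && req[i] != '\n') {
        unsigned char c = (unsigned char)req[i];
        if (c < 0x20 || c == 0x7f)
            return -1;                              /* reject control bytes */
        if (n + 1 >= queue_size)
            return -1;                              /* would not fit with NUL */
        queue[n++] = (char)c;
        i++;
    }
    if (n == 0)
        return -1;                                  /* empty queue name */
    queue[n] = '\0';
    return 0;
}

/* Convenience wrapper for NUL-terminated request strings. */
int parse_literal(const char *req, char *queue, size_t queue_size)
{
    return parse_queue_request(req, strlen(req), queue, queue_size);
}

/* Build a request whose queue name is name_len bytes of 'A' and report
 * whether the hardened parser accepts it (0) or rejects it (-1). */
int accepts_name_of_length(size_t name_len)
{
    char req[1024];
    char queue[QUEUE_NAME_MAX];
    if (name_len + 2 > sizeof req)
        return -1;                                  /* too long to even build */
    req[0] = 3;
    memset(req + 1, 'A', name_len);
    req[1 + name_len] = '\n';
    return parse_queue_request(req, name_len + 2, queue, sizeof queue);
}

int main(void)
{
    char queue[QUEUE_NAME_MAX];
    /* Constructed sample requests: a short-form and a long-form listing. */
    printf("short form: %d (queue=%s)\n",
           parse_literal("\003lp\n", queue, sizeof queue), queue);
    printf("long form:  %d (queue=%s)\n",
           parse_literal("\004lp 12 root\n", queue, sizeof queue), queue);
    printf("63-byte name accepted: %d\n", accepts_name_of_length(63));
    printf("64-byte name rejected: %d\n", accepts_name_of_length(64));
    printf("500-byte name rejected: %d\n", accepts_name_of_length(500));
    return 0;
}
```

The parser treats every byte after the command code as untrusted: it stops at the protocol delimiters, refuses control characters that could confuse later logging or shell-outs, and fails closed one byte short of the buffer so the terminator always fits. That bound is the code-level fix the vendor patches supply; the network-level fix the article mentions is simply not letting arbitrary hosts reach TCP port 515 in the first place.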
Patches exist for some of the holes and the individual vendors should be contacted. A more detailed explanation of these problems exists on CERT's advisory page.