Caldera Security Advisory SA-96.05
October 28th, 1996

Topic: Vulnerability in lpr

I. Problem Description

The lpr utility is used to spool print jobs under Linux. To gain
access to resources it needs, the lpr program is installed as
set-user-id root.

A vulnerability in lpr makes it possible to overflow an internal
buffer whose contents are under the control of the user of lpr. If
this buffer is overflowed with appropriate data, a program such as a
shell can be started. This program then runs with root permissions on
the local machine.

Exploit programs for lpr are known to exist for Linux systems on x86
hardware.

II. Impact

On systems such as CND 1.0 with lpr installed set-user-id root (which
is the default), an unprivileged user can obtain root access.

III. Solution / Workaround

A simple workaround is to update to a non-vulnerable version of lpr:

    ncftp ftp://ftp.caldera.com/pub/cnd-1.0/updates/NetKit-B-lpr-0.06-4c2.i386.rpm
    rpm -Uvh NetKit-B-lpr-0.06-4c2.i386.rpm

IV. References

This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/cnd-1.0/security/
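A check an administrator could run after applying section III, as an added example that is not part of the Caldera advisory: it reports whether lpr still carries the set-user-id bit and whether the installed package matches the release named in the update file. The function names are hypothetical, the package name NetKit-B-lpr is taken from the update's file name, and any other release is flagged for review rather than judged, since the advisory does not list affected versions.

```shell
#!/bin/sh
# Added example: audit a host against Caldera SA-96.05 (lpr installed setuid root).

# Name-version-release taken from the advisory's update file name.
FIXED_PKG="NetKit-B-lpr-0.06-4c2"

# is_setuid FILE: succeed if FILE is a regular file with the set-user-id bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# assess LPR_PATH PKG_STRING: print one verdict.
#   not-setuid  binary missing or not set-user-id (precondition in section II absent)
#   updated     set-user-id, package equals the advisory's update release
#   review      set-user-id, package is anything else (or unknown)
assess() {
    if ! is_setuid "$1"; then
        echo not-setuid
        return 0
    fi
    case "$2" in
        # rpm may append ".arch" to the name-version-release string.
        "$FIXED_PKG"|"$FIXED_PKG".*) echo updated ;;
        *) echo review ;;
    esac
}

# Locate lpr; /usr/bin/lpr is an assumed fallback path.
lpr_path=$(command -v lpr 2>/dev/null) || lpr_path=/usr/bin/lpr

# Ask rpm which release is installed; tolerate hosts without rpm.
pkg=$(rpm -q NetKit-B-lpr 2>/dev/null) || pkg="not installed"

echo "$lpr_path: $(assess "$lpr_path" "$pkg") (package: $pkg)"
```

A `review` verdict means the binary is set-user-id and the package is not the advisory's update, so the installed release should be compared against the vendor's current guidance.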