Privacy and Legal Notice

CIAC INFORMATION BULLETIN

E-25a: BSD lpr Vulnerability in SGI IRIX

May 19, 1994 1600 PDT 

PROBLEM:   The optional print subsystem BSD lpr can be used to
           create or overwrite any file on the system.
PLATFORM:  SGI workstations running the following operating system
           versions: IRIX 5.0, 5.0.1, 5.1.x, 5.2, and any 4.0.5.
DAMAGE:    Any user with lpr(1) access may gain root privilege.
SOLUTION:  Install new lpr spooler system available from SGI.


VULNERABILITY   Notices of this vulnerability along with a script to
ASSESSMENT:     exploit it have been widely distributed on the
                Internet. CIAC and SGI recommend sites install the
                appropriate fix immediately.

Critical Information about BSD lpr Vulnerabilities in SGI IRIX

CIAC has learned of a vulnerability in the BSD lpr spooling system. This optionally installed subsystem for all SGI platforms allows interoperability with other BSD lpr systems, such as SunOS, DEC Ultrix, and Novell. Many SGI systems replace the standard AT&T System V lp and lpsched print spooler with the optional BSD subsystem (eoe2.sw.bsdlpr).

This vulnerability affects all SGI workstations running IRIX 5.0, 5.0.1, 5.1.x, 5.2 and 4.0.5 (all versions). A command flag allows users to create symbolic links in the lpd spool directory. After a number of invocations, lpr will reuse the filename in the spool directory, following the previously established link. By allowing the creation or overwriting of any file the link points to, any user with lpr(1) access can obtain root privilege.

SGI has produced corrected versions of the lpr software which may be obtained from your SGI service/support provider or via anonymous FTP from ftp.sgi.com (192.48.153.1). Transfer in BINARY mode, as follows: 

       for IRIX 5.*.* systems: ~ftp/sgi/IRIX5.0/lpr/lpr.latest.Z    
       for IRIX 4.0.5 systems: ~ftp/sgi/IRIX4.0/lpr/lpr.latest.Z

Decompress and untar these files using "zcat lpr.latest.Z | tar -xvf -" and | checksum these files using "sum -r lpr*" and md5 to yield the following: 

IRIX 5.*.*       bytes  sum_checksum   md5_checksum
lpr.latest.Z     22331  61762     44   3a215a1f9b336cc4f76ca3e7a6b9bdcc
lpr.new          41120  22489     81   6f55d6a7620ca5c4188230a3b4dd50be
lpr.new.install   1575  63777      4   be021e98c346a3d49c27f00e43ca87ef

IRIX 4.0.5       bytes  sum_checksum   md5_checksum
lpr.latest.Z     87469  03015    171   d40c8c84e219045e56297cd36e6a77d5       |
lpr.new         171016  21563    335   641f6ca953c8163d9085f99114df5289
lpr.new.install   1575  63777      4   be021e98c346a3d49c27f00e43ca87ef

Note: md5 checksum utility is available via anonymous FTP from CIAC's server irbis.llnl.gov (soon to be renamed ciac.llnl.gov) as md5.tar in directory /pub/util/crypto.

CIAC thanks Miguel J. Sanchez and Jay McCauley of Silicon Graphics Inc. and David S. Brown of Lawrence Livermore National Laboratory for the information provided in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at: 
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]