OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: (SRADV00007) Local root compromise through Lexmark MarkVision printer drivers
From: Secure Reality Advisories (createSECUREREALITY.COM.AU)
Date: Wed Dec 06 2000 - 07:09:52 CST


=================================================
Secure Reality Pty Ltd. Security Advisory #7 (SRADV00007)
http://www.securereality.com.au
=================================================

[Title]
Local root compromise through Lexmark MarkVision printer drivers

[Released]
6/11/2000

[Vulnerable]
Versions below 4.4
(Specifically the MarkVision drivers package for Unix. Other Lexmark
drivers, e.g Windows drivers, are not part of MarkVision)

[Overview]
MarkVision is a printer administration package from Lexmark. In addition to
software to remotely administer printers it also provides printer drivers
for a wide variety of printers for various flavours of Unix.

Several of the utilities that make up the Unix printer drivers contain
command line buffer overflows. As some of these utilities are installed
setuid root, a local attacker can trivially exploit the vulnerabilities to
execute arbitrary code as root.

[Impact]
Local root compromise

[Detail]
We successfully exploited command line overflows against the following
setuid root programs:
    - /usr/local/lexmark/markvision/bin/cat_network - Heap oveflow
    - /usr/local/lexmark/markvision/bin/cat_parallel - Stack overflow
    - /usr/local/lexmark/markvision/bin/cat_serial - Stack overflow

We tested our exploits on the Linux version of the drivers under Redhat 6.2.
Obviously the stack overflows at least should be exploitable on all the
other platforms the drivers are available for, the heap overflow may not be,
we have not tested either case.

[Fix]
Please upgrade to the latest version of the MarkVision drivers (4.4) at
ftp://ftp.lexmark.com/pub/driver/unix/MarkVision/V4.4

[Acknowledgements]
While Lexmark did provide a fix for the problem after we disclosed it to
them, they weren't particularly cooperative or speedy in doing so

[Disclaimer]
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality Pty Ltd does not accept responsibility for
any damage or injury caused as a result of its use.