Solaris in.lpd Remote Command Execution Vulnerability

vendor:

Solaris

by:

SecurityFocus

7.5

CVSS

HIGH

Remote Command Execution

CWE

Product Name: Solaris

Affected Version From: Solaris 2.6

Affected Version To: Solaris 8

Patch Exists: Yes

Related CWE: N/A

CPE: o:sun:sunos:2.6

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Solaris

2002

Solaris in.lpd Remote Command Execution Vulnerability

The print protocol daemon, 'in.lpd' (or 'lpd'), shipped with Solaris may allow for remote attackers to execute arbitrary commands on target hosts with superuser privileges. It has been reported that it is possible to execute commands on target hosts through lpd by manipulating the use of sendmail by the daemon. If this vulnerability is successfully exploited, remote attackers can execute any command on the target host with superuser privileges.

Mitigation:

It is recommended to apply the latest security patches from the vendor and ensure that the system is running the latest version of the software.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3274/info

The print protocol daemon, 'in.lpd' (or 'lpd'), shipped with Solaris may allow for remote attackers to execute arbitrary commands on target hosts with superuser privileges.

The alleged vulnerability is not the buffer overflow discovered by ISS.

It has been reported that it is possible to execute commands on target hosts through lpd by manipulating the use of sendmail by the daemon.

If this vulnerability is successfully exploited, remote attackers can execute any command on the target host with superuser privileges.

This vulnerability is very similar to one mentioned in NAI advisory NAI-0020.

NOTE: It has been reported that a valid printer does NOT need to be configured to exploit this vulnerability.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21097.tar.gz