
Title: Local root compromise through Lexmark MarkVision printer drivers
Released by: Secure Reality
Date: 6th December 2000
=================================================
Secure Reality Pty Ltd. Security Advisory #7 (SRADV00007)
http://www.securereality.com.au
=================================================



[Title]

Local root compromise through Lexmark MarkVision printer drivers



[Released]

6/11/2000



[Vulnerable]

Versions below 4.4
(Specifically the MarkVision drivers package for Unix. Other Lexmark
drivers, e.g. Windows drivers, are not part of MarkVision)



[Overview]

MarkVision is a printer administration package from Lexmark. In addition to
software to remotely administer printers, it also provides printer drivers
for a wide variety of printers for various flavours of Unix.

Several of the utilities that make up the Unix printer drivers contain
command line buffer overflows. As some of these utilities are installed
setuid root, a local attacker can trivially exploit the vulnerabilities to
execute arbitrary code as root.



[Impact]

Local root compromise



[Detail]

We successfully exploited command line overflows against the following
setuid root programs:
    - /usr/local/lexmark/markvision/bin/cat_network - Heap overflow
    - /usr/local/lexmark/markvision/bin/cat_parallel - Stack overflow
    - /usr/local/lexmark/markvision/bin/cat_serial - Stack overflow

We tested our exploits on the Linux version of the drivers under Redhat 6.2.
Obviously the stack overflows at least should be exploitable on all the
other platforms the drivers are available for; the heap overflow may not be.
We have not tested either case.



[Fix]

Please upgrade to the latest version of the MarkVision drivers (4.4) at
http://ftp.lexmark.com/pub/driver/unix/MarkVision/V4.4
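
An added check, not part of the original advisory: the script below reports
whether the three utilities named in [Detail] are present and setuid root at
the install path the advisory gives. A SETUID-ROOT line means the precondition
described in [Overview] exists on the host and the installed MarkVision version
should be compared against 4.4; the prefix argument and the MV_PREFIX variable
are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example, not from the advisory: reports the setuid state of the three
# utilities the advisory lists. The optional prefix argument is an assumption
# that lets the check run against a mounted image or a test tree.

MV_BIN=/usr/local/lexmark/markvision/bin      # install path given in the advisory
MV_TOOLS="cat_network cat_parallel cat_serial"

# Print one status line per listed utility:
#   SETUID-ROOT  setuid bit set and owned by uid 0 (the precondition described)
#   SETUID       setuid bit set, owned by another uid
#   OK           present without the setuid bit
#   ABSENT       not installed at the advisory's path
audit_markvision() {
    prefix=${1:-}
    for tool in $MV_TOOLS; do
        path="$prefix$MV_BIN/$tool"
        if [ ! -e "$path" ]; then
            echo "ABSENT $path"
        elif [ -u "$path" ]; then
            # Numeric owner from ls -n, so no passwd lookup is involved.
            owner=$(ls -ldn "$path" | awk '{print $3}')
            if [ "$owner" = "0" ]; then
                echo "SETUID-ROOT $path"
            else
                echo "SETUID $path (uid $owner)"
            fi
        else
            echo "OK $path"
        fi
    done
}

# Number of listed utilities that still carry the setuid bit.
count_setuid() {
    audit_markvision "${1:-}" | grep -c '^SETUID' || true
}

# Audit the live system, or the tree named in MV_PREFIX (hypothetical variable).
audit_markvision "${MV_PREFIX:-}"
```

The script reports file mode and ownership only; it does not determine the
installed driver version.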



[Acknowledgements]

While Lexmark did provide a fix for the problem after we disclosed it to
them, they weren't particularly cooperative or speedy in doing so.



[Disclaimer]

Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality Pty Ltd does not accept responsibility for
any damage or injury caused as a result of its use.







