[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]
(fwd) (SRADV00007) Local root compromise through Lexmark MarkVision printer drivers
[Please upgrade if you use the Lexmark printer drivers on any
distribution -- Raju]
This is an RFC 1153 digest.
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Reply-To: Secure Reality Advisories <create@xxxxxxxxxxxxxxxxxxxx>
From: Secure Reality Advisories <create@xxxxxxxxxxxxxxxxxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
Subject: (SRADV00007) Local root compromise through Lexmark MarkVision
Date: Thu, 7 Dec 2000 00:09:52 +1100
Secure Reality Pty Ltd. Security Advisory #7 (SRADV00007)
Local root compromise through Lexmark MarkVision printer drivers
Versions below 4.4
(Specifically the MarkVision drivers package for Unix. Other Lexmark
drivers, e.g Windows drivers, are not part of MarkVision)
MarkVision is a printer administration package from Lexmark. In addition to
software to remotely administer printers it also provides printer drivers
for a wide variety of printers for various flavours of Unix.
Several of the utilities that make up the Unix printer drivers contain
command line buffer overflows. As some of these utilities are installed
setuid root, a local attacker can trivially exploit the vulnerabilities to
execute arbitrary code as root.
Local root compromise
We successfully exploited command line overflows against the following
setuid root programs:
- /usr/local/lexmark/markvision/bin/cat_network - Heap oveflow
- /usr/local/lexmark/markvision/bin/cat_parallel - Stack overflow
- /usr/local/lexmark/markvision/bin/cat_serial - Stack overflow
We tested our exploits on the Linux version of the drivers under Redhat 6.2.
Obviously the stack overflows at least should be exploitable on all the
other platforms the drivers are available for, the heap overflow may not be,
we have not tested either case.
Please upgrade to the latest version of the MarkVision drivers (4.4) at
While Lexmark did provide a fix for the problem after we disclosed it to
them, they weren't particularly cooperative or speedy in doing so
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality Pty Ltd does not accept responsibility for
any damage or injury caused as a result of its use.
End of this Digest