Secure Reality Pty Ltd. Security Advisory #7 (SRADV00007)
Local root compromise through Lexmark MarkVision printer drivers
You can view a plain text version of this advisory here
Released
6/11/2000
Vulnerable
Versions below 4.4
(Specifically the MarkVision drivers package for Unix. Other Lexmark drivers,
e.g Windows drivers, are not part of MarkVision)
Overview
MarkVision is a printer administration package from Lexmark. In addition
to software to remotely administer printers it also provides printer drivers
for a wide variety of printers for various flavours of Unix.
Several of the utilities that make up the Unix printer drivers contain command
line buffer overflows. As some of these utilities are installed setuid root,
a local attacker can trivially exploit the vulnerabilities to execute arbitrary
code as root.
Impact
Local root compromise
Detail
We successfully exploited command line overflows against the following setuid
root programs:
We tested our exploits on the Linux version of the drivers under Redhat
6.2. Obviously the stack overflows at least should be exploitable on all
the other platforms the drivers are available for, the heap overflow may
not be, we have not tested either case.
Fix
Please upgrade to the latest version of the MarkVision drivers (4.4) at
ftp://ftp.lexmark.com/pub/driver/unix/MarkVision/V4.4
Acknowledgements
While Lexmark did provide a fix for the problem after we disclosed it to
them, they weren't particularly cooperative or speedy in doing so
Disclaimer
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or solution
or recommendations on behalf of Secure Reality Pty Ltd. Content is provided
as is and Secure Reality Pty Ltd does not accept responsibility for any
damage or injury caused as a result of its use.
