{"vuid":"VU#412566","idnumber":"412566","name":"Solaris conv_fix insecure file handling vulnerability","keywords":["Sun Solaris","/usr/lib/print/conv_fix","/usr/lib/print/conv_lpd","privilege escalation","conv_fix","conv_lpd"],"overview":"A vulnerability in a program supplied with the Solaris printing system could allow a local attacker to gain elevated privileges on the system.","clean_desc":"The Solaris operating system from Sun Microsystems includes a number of supplemental programs to aid in configuration and maintenance of the printing subsystem. One of these programs, /usr/lib/print/conv_fix (which is invoked from the /usr/lib/print/conv_lpd shell script), operates on files in an insecure manner. An attacker can create a file containing data of their choosing that would later be processed by conv_fix. The attacker can then cause their data to be written out to any file on the system if the conv_lpd script is executed as root.","impact":"An attacker with local access may be able to overwrite or create any file on the system if the conv_lpd program is run by root. Depending on which file was created or overwritten, this could allow the attacker to gain elevated privileges or a cause a denial-of-service against the system.","resolution":"Apply a patch from the vendor Patches have been released to address this issue. Please see the Systems Affected section of this document for more details.","workarounds":"","sysaffected":"","thanks":"Thanks to Sun Microsystems, Inc. for reporting this vulnerability.","author":"This document was written by Chad R Dougherty.","public":["http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57509","http://secunia.com/advisories/10991/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-02-27T16:20:58Z","publicdate":"2004-02-26T00:00:00Z","datefirstpublished":"2004-03-04T19:13:56Z","dateupdated":"2004-03-04T19:14:02Z","revision":12,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"15","cam_impact":"19","cam_easeofexploitation":"1","cam_attackeraccessrequired":"10","cam_scorecurrent":"0.961875","cam_scorecurrentwidelyknown":"1.2290625","cam_scorecurrentwidelyknownexploited":"2.2978125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.961875,"vulnote":null}